GDPR: Where are you with your HR compliance?

The interpretation of the new regulation (GDPR) and how it will be implemented is still in progress and work is being done by the supervisory authorities in the various European countries to help employers implement it.

The GDPR is not simply a one-off project that has to be managed within an obligatory deadline; it is a long-term project because compliance is a continuous process. With the GDPR, the use of personal data in HR must be proportional and based on necessity. HR must focus on 3 main issues for employers: employer obligations, citizens’ rights and managing risks for personal data.

1 – Employer obligations

Employers’ obligations are divided into two categories.

1: The organization that the company must set up

  • Appoint a Data Protection Officer (DPO)
  • Set up internal processes
  • Document use of data to demonstrate compliance in a Record of processing activities for data controllers and data processors
  • Check use of data: legitimacy, purpose
  • Check that the concept of ‘privacy’ is included in the processing of data: ‘privacy by design’ (any new processing operation shall implement appropriate technical and organizational measures at the design stage) and ‘privacy by default’ (by default, only personal data that is necessary for processing shall be processed).

2: Communication to employees

  • Keep employees (including temporary workers, freelancers, etc.) informed of the new points in the GDPR.
  • Provide information on how to request access to personal data, because all employees can now ask to access their data and receive a response within one month.

Sopra HR has provided its customers with an analysis of HR data models with a guide explaining the method used and hypotheses made based on 2 questions:

  • What is the category of the data in the HR information systems?
  • What is the purpose of the data (what is it used for)?

Data categories 

All data that is not personal data, such as data for the organization, jobs and positions is not taken into account. Data related to processes, such as recruitment processes, recruitment requests and training plans, where no personal data is handled, is also not taken into account. Nor is data concerning management rules, payroll settings or technical data.

What remains is the personal data of employees and applicants in the recruitment module, which is divided into 4 categories:

  • The 1st category covers all data justified by a contract between the employee and employer and which therefore complies with all the resulting legal obligations. This data is considered authorized and is by far the majority (over 97 %*) of data used in the HR information and processing operations.
  • The 2nd category involves identifying sensitive personal data that is not required in the HR information system and which should be deleted. Data should be considered differently depending on what is required in some countries. For example, religion is required in Germany, but not required and even prohibited in other countries. Therefore, depending on the country, this unnecessary data shall be removed from the HRIS. This only concerns small amounts of personal data.
  • The 3rd category includes sensitive personal data that requires the employee’s consent. In our software, this only concerns photos. The employees’ consent must therefore be obtained. This is the ‘Right to control the use of one’s image’, which already previously existed.
  • The 4th category includes personal data requiring a decision to be made, because Sopra HR cannot make a decision by default since use of such data may depend on the company’s business segment or context. This data is identified as such so that customers may be aware of the situation. Approximately 2%* of data is in this category.

* These numbers are estimates made by Sopra HR based on standard and international solutions.

Another point concerns the use of free text areas in the HRIS. The HR professional or manager must now be careful that any text or comments they may write comply with the GDPR, keeping in mind that what they write can be read by employees or applicants and could be sent to the Supervisory Authority in the event of an audit. Sopra HR provides its customers with examples of recommendations on the use of such areas in the HRIS.

The purposes of the data 

To help the Data Controller fill out the record of processing activities, we have divided the data into 4 purposes of processing. We have indicated the purpose that seems to be the most important, though some data may have several purposes. 4 types of purposes were defined with the CNIL, the supervisory authority in France, but these may be subject to change.

  • Payroll and declarations, which also includes administrative management, contracts and assignment.
  • Talent management, career management, employee development and evaluations
  • Travel and expenses
  • Time and attendance

2 – Citizens’ rights

The following 5 rights have an effect on the HRIS:

  1. Right to be informed
  2. Right of access
  3. Right to erasure
  4. Right to rectification
  5. Right to data portability

Depending on the customer’s situation, Sopra HR recommends revising or strengthening these rights, especially with respect to confidentiality and security. Compliance with the GDPR requires that access to solutions be checked.

The HRIS should now be able to manage the right to be informed and consent. A template is required to record when the company has informed its employees with respect to the GDPR. This may be general information to understand the GDPR or more specific information explaining how the GDPR is implemented within the company. Employees also need information on the people to contact and the procedures used to exercise these rights, such as the right to access their data, the right to erasure, the right to correct and the right to portability.

The fact that the employees have been informed of such information shall be recorded. If necessary, this information shall be revised if changes arise in the company or for example when an employee is transferred to another location. Employees will need to be informed again, because the people to contact to exercise their access rights may have changed in the new location. A record shall be kept each time an employee is notified.

A list shall be made of all the data requiring employee consent and it shall be possible to record whether or not employees have given consent, because employees can refuse to give consent and even withdraw it and this must also be handled.

An extraction procedure must be provided to handle employees’ requests to access their data. The results may be available in different formats and also comply with the right to data portability, when employees request that their data be transferred to another data controller. In this case, this only concerns the data transferred.

3 – Managing risk for personal data

Another issue is the handling of risk inherent in the processing of personal data.

High risk must be handled and analyzed as a priority. Analyzing the purpose of personal data and how this data is categorized will help define the record of processing activities, identify the risks and set up actions to reduce such risks. All this information can be sent to the supervisory authority in the event of an audit.

To reduce risk, you can also set up systems that physically protect the data, such as data encryption or data anonymization.

Other measures concern privileged access, such as that of database administrators. The objective is to separate the ‘container’ (the database) from the ‘content’ (what is stored in the database). These are all ways to help reduce risk by preventing unauthorized access and, in case of theft, preventing the data from being used easily.

Conclusion

Compliance is a long-term project. How this new regulation is to be implemented is still being studied and it is therefore essential that employers collect any information provided by the supervisory authorities in their country. This will allow them to more easily implement the regulation in their country.

Sopra HR, due to its position in the European market and its activities in Human Resources and payroll management, is involved in the work conducted by the supervisory authorities, and can help employers in the public and private sector to implement actions required for compliance.