The EU (European Union) Regulation 2016/679, also known as the General Data Protection Regulation (GDPR), became applicable on May 25, 2018 after a two-year transition period. The regulation requires every organization that processes the personal data of people in the European Union, whether or not the organization itself is established there, to adopt new policies, processes, and practices for managing the personal data of its customers, users, suppliers, and workers.
GDPR has a massive impact on HR departments, as they must adapt their processes to comply with the requirements of this regulation.
The aim of GDPR is to standardize and strengthen the rights of European residents in relation to their personal data. This means that any organization dealing with the personal data of EU residents must comply with the new standards for transparency, security, and accountability.
How does GDPR affect human resources?
GDPR requires companies to store only the employee data that is necessary for a stated purpose, and to keep it accurate and up to date. Companies must also clearly communicate how, where, and for how long an employee’s personal information will be stored. Employees, in turn, can exercise their rights at any time: they can request access to and a copy of the stored data, and request its deletion where the company no longer has a valid reason to keep it.
HR teams must understand the risk and responsibility involved in handling employee information to avoid sanctions, as noncompliance can result in fines of up to EUR 20 million or 4 percent of worldwide annual turnover, whichever is higher.
Key factors of GDPR in Human Resources
To comply with GDPR, HR teams must adjust and improve their employee management processes to guarantee employees’ rights and follow the data protection guidelines.
Here are the most critical factors human resources should take into consideration:
1. Personal data collection
Collecting and processing personal data is lawful when it is limited to information relevant to the performance of the employment contract (e.g., time and attendance systems) or necessary for compliance with a legal obligation (e.g., payroll).
Consent is needed only when no other legal basis validates the processing (e.g., using an employee’s personal e-mail account). Because of the imbalance of power in the employment relationship, supervisory authorities consider it difficult for an employer to show that consent was freely given, so consent should be relied on only when the employee has a genuine choice and no other lawful basis fits.
2. Employees’ right to be informed
Companies are obliged to inform the employees about the purpose and legal basis of data processing and the period during which personal data will be kept. This information must be provided at the time the employee’s personal data is obtained.
3. New rights for employees
GDPR strengthened employees’ rights as data subjects. The right to data portability allows employees to obtain, in a structured and machine-readable format, the personal data they provided to the company and to reuse it across different services; it applies where the processing is based on consent or a contract and is carried out by automated means. GDPR also regulates the right to erasure (the right to be forgotten), which lets employees request the deletion of their personal data when the company no longer has a lawful reason to keep it, and the right of rectification, which lets employees obtain the correction of inaccurate personal data.
Employees also have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects for them (for example, an automated rejection of a job application or an automated disciplinary decision). This will have an important impact on the use of artificial intelligence software in human resources.
4. Data Protection Officer
A Data Protection Officer (DPO) must be appointed when the company’s core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data (or when the employer is a public authority); many other companies appoint one voluntarily. The DPO acts independently, must be given the resources needed to carry out his or her duties, and is responsible for monitoring the company’s data protection policy and its implementation to ensure compliance with GDPR.
5. Impact assessments and security breaches
Companies must carry out a data protection impact assessment (DPIA) before starting any processing operation that is likely to pose a high risk to employees’ rights and freedoms, such as systematic monitoring or the use of new technologies. In the case of a personal data breach, companies must notify the supervisory authority no later than 72 hours after becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and must inform the affected employees without undue delay when the breach is likely to result in a high risk to them.
6. Telematics and codes of conduct
To adjust to the new data protection requirements, companies must examine their internal policies and codes of conduct on employees’ use of corporate IT and communication systems (e-mail, internet access, company devices; often referred to as telematics) and on how that use is monitored. These policies must also be brought into line with the case law of the European Court of Human Rights (ECHR) on workplace monitoring, as well as with the impact of new technologies in the workplace.
7. Video surveillance
Companies must also review their procedures for the installation and use of video surveillance. The ECHR case law establishes that, before fixed cameras are installed, workers must be clearly informed of the purpose of the surveillance, in accordance with the provisions of the data protection regulations.
8. International transfer of data outside the EU
Transferring employees’ personal data to countries outside the EU (and the wider EEA) carries a significant risk, because the protection of that data is no longer guaranteed by EU law. GDPR therefore allows such transfers only where the European Commission has recognized the destination country as providing adequate protection, where appropriate safeguards are in place (such as standard contractual clauses or binding corporate rules), or under a narrow set of derogations, so that employees’ rights remain enforceable. Cloud-based HR or payroll services hosted outside the EU fall under these rules.
9. Third-party vendor contracts
Contracts with suppliers or contractors that have access to the company’s personal data must be updated so that they include the processor obligations GDPR requires: processing only on the company’s documented instructions, confidentiality, appropriate security measures, assistance with data subject requests and breach notification, deletion or return of the data at the end of the contract, and rules on the use of sub-processors. This includes contracts with payroll and recruitment providers.
Due to the volume of personal data a company manages across all its processes, the HR department’s contribution to GDPR compliance is crucial. It is therefore essential to consider all the elements of GDPR when implementing an effective action plan.
What can HR teams do to comply with GDPR?
GDPR requires companies to be proactive and accountable for implementing the technical and organizational measures that ensure compliant data processing.
Companies are required to analyze the type of data they process, the purpose of it, and how they do it. Here are some tips to help HR teams comply with GDPR:
1. Hire a Data Protection Officer (DPO)
Article 37 of the GDPR sets out when appointing a DPO is mandatory: for public authorities, and for companies whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. Even when it is not mandatory, designating a DPO is good practice. A DPO is responsible for supervising the company’s data protection strategy and ensures compliance with GDPR requirements.
2. Take inventory of personal data processing
Taking inventory of the personal data you hold makes tracking and processing it easier and helps verify compliance; GDPR also requires most companies to keep a record of their processing activities. Here are some key considerations while tracking your company’s information:
- Identify personal data and sensitive data, as well as existing processing operations and verify compliance.
- Find out who (employees, contractors, or suppliers) has access to the data and why.
- Monitor employees, contractors, and suppliers working with the company’s data and review contracts.
- Verify that any data processing carried out by contractors and suppliers complies with GDPR.
- Analyze archiving practices and retention time of HR personal data.
- Ensure that HR solutions and your Human Resources Information System (HRIS), if applicable, are compliant with GDPR.
3. Take action
Once you have made an inventory and identified the corrections needed, it is important to create and implement an action plan in which you define the steps to follow.
Make sure you:
- Audit the data
- Carry out impact assessments
- Review your protection and security measures
- Review your processes and procedures.
4. Implement a communication plan
It is important to implement an internal communication plan so that all employees know how to access their information and what to do in case there is any change in this process. Part of the new regulation requires companies to clearly communicate how, where, and for how long an employee’s personal information will be stored.
5. Ensure stored data is correct
Companies must ensure that they keep only accurate and up-to-date data. They must also identify which data they need to keep, for how long each category is retained, and which data must be deleted. The less data you hold, the easier it is to comply with GDPR, and the smaller the impact of any breach.
6. Review privacy policies
Companies must be transparent about the data they handle. Reviewing privacy agreements generates transparency and builds trust. Update data security policies and procedures using clear and simple language, and make sure these policies are easily accessible.
7. Enforce employees’ rights
As mentioned above, GDPR strengthens employees’ rights as data subjects. It is crucial to have procedures in place to respond to requests to exercise these rights, normally within one month of receiving the request, to avoid sanctions.
8. Adopt GDPR as part of the company culture
It is important that companies make the regulations known throughout the organization. By integrating them into the company culture, you ensure that all employees are aware of and understand them.
9. Improve security
Make sure the data is secure and avoid leaks. In the event of a personal data breach, the supervisory authority must be notified within 72 hours of the company becoming aware of it (unless the breach is unlikely to result in a risk to individuals), and the affected employees must be informed without undue delay when the breach is likely to result in a high risk to them. To reduce the likelihood of leaks, choose reliable data storage services and keep your security policies and technical measures (access control, encryption, backups, logging) up to date.
10. Obtain employee consent
It is essential to inform employees about the measures and procedures in place. Where the processing or transfer of their data is not covered by another legal basis (see point 1 above), obtain their consent, which must be freely given, specific, informed, and unambiguous, and must be as easy to withdraw as it was to give. Do not rely on consent for processing that is necessary for the employment contract or required by law; the imbalance of power in the employment relationship makes consent hard to justify as freely given.
Beyond the obligation it represents, GDPR can contribute to improving your company’s performance and the confidence and wellbeing of employees, but only if your data, security, tools, methods, and processes are streamlined.
These new challenges give HR departments the opportunity to become drivers of their company’s internationalization by strengthening the quality of their cooperation with suppliers and contractors. Having a clear policy on personal data management also improves a company’s reputation and makes it more attractive as an employer.