GDPR is just around the corner and HR professionals are set to be among the most significantly affected, particularly in terms of recruitment data. So how can companies ensure their HR departments are ready for the change in legislation? Here, Nigel Crockford, Business Development Manager at IT consultancy eSpida, explains how HR departments can lead by example in GDPR compliance.
The new General Data Protection Regulation (GDPR) is set to significantly raise the standards for the processing of personal data in the European Union (EU). After May 25, 2018, every business will be impacted by GDPR and failure to comply with the regulation will result in costly penalties of 4% of global annual turnover or €20 million, whichever value is greater.
Many businesses have begun educating themselves on how the new data consent rules will affect them and are working promptly to implement GDPR compliant policies and processes. When making these changes, businesses should put their HR departments at the forefront of the operation and draw on their expertise.
A company’s HR team handles sensitive and often confidential information about the business and its employees every day. This means that HR professionals are well equipped to lead by example and demonstrate to other departments how customer data should be handled following the introduction of GDPR.
In most businesses, HR teams are responsible for reviewing and revising existing company policies. This also includes managing any potential risks posed to employees and ensuring compliance with legal and regulatory obligations.
As the natural enforcers of company policy, HR departments are well placed to help their business develop a holistic approach to implementing GDPR compliant strategies. This includes creating a resilience plan to help each segment of the business understand and minimise its current data risks and any future implications of GDPR.
With this in mind, what is it that HR departments should bear in mind when ensuring GDPR compliance across a business and how will the regulation impact their current processes?
Change to requests
Subject access requests (SARs) are submitted by individuals who want to see a copy of all the information an organisation holds about them, including whether their personal data is being processed and the source of the data. As it stands, individuals are entitled to request this information under section 7 of the Data Protection Act 1998 but, in some instances, it comes at a cost.
Currently, unless it is relating to an individual’s health record, organisations can charge up to a maximum of £10 before handling a SAR. Under GDPR, organisations will have to scrap fees for SARs and provide the information free of charge. In addition to this, businesses must respond to the request within one month of receipt, rather than the 40-day period that was previously allowed.
How much information?
Internal processes for HR departments will also be greatly affected by GDPR, in some cases on a global scale. Although the regulation has not been adopted across the world, multi-national employers will need a detailed understanding of how their global data is circulated. This is particularly true if an organisation uses a centralised storage database to manage the entire company’s HR data.
In this instance, the business will need to ensure it is GDPR compliant across the board even if its main operation is not based in the EU.
As well as thinking about how HR departments are currently processing employee data, there should also be considerations for how long this data is stored and the justification for this. Under GDPR, the right to erasure could also affect the employee information retained by employers.
Traditionally, many HR departments log any formal warnings or other notable issues for employers to track and monitor. Under GDPR, employers will need to make sure that retaining this information on file is only done with employee consent, so that businesses can balance handling historic staff issues with new obligations.
Businesses should, therefore, consider whether existing employee data notices comply with GDPR requirements.
Often, employers gain consent to processing and retaining employee data by including a clause in their employment contract. GDPR mandates that employers will need to explicitly inform employees exactly what the company will do with any personal data, including any plans to process the information in the future.
Overcoming the hurdle
While the management of employee data is a key area for GDPR compliance, it is critical that companies also consider the data held on job applicants. This is often one of the areas where HR departments should make the most changes to ensure compliance.
HR departments can take a number of steps to ensure GDPR compliance from the get-go, by altering their processes for the application or recruitment stage. To do this, HR staff should ensure the information initially captured on an applicant is minimal, for example just their name and date of birth.
To proceed to phase two of the application, individuals should be directed to a template requesting more personal information from the applicant, which the company can retain on file. This stage in the process provides the ideal opportunity for companies to obtain consent and comply with GDPR.
This can be achieved by embedding a feature such as a tick box that confirms and authorises the company to use applicant data. Although many companies do have a terms and conditions agreement box featured in the recruitment application documents, this now must adhere to the specifics of how the data will be processed according to GDPR.
Once completed, the applicant’s data should be captured and securely transferred to an encrypted database. Companies can also go one step further and set up rules that automatically remove data from the system once it is no longer needed, to minimise any discrepancies.
This can include notifying unsuccessful candidates that their data will be stored on the company’s database, with the chance to opt out. Companies that have already adapted their systems for GDPR often send automated e-mails advising candidates that their details will be removed from the system because the account is inactive. Successful candidates will have their information retained on file.
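The recruitment workflow described above (minimal phase-one capture, a consent tick box at phase two, and automated notice-then-removal of inactive applicant data) can be expressed as a small retention routine. The following is an added example written for this page, not code from eSpida or from the article; the 180-day retention window, the 30-day notice period, the field names and the sample applicants are all constructed assumptions, and a real system would also log each notice and removal for accountability.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional

# Assumed policy values (constructed for this example, not from the article).
RETENTION_DAYS = 180   # remove applicant data this many days after last activity
NOTICE_DAYS = 30       # warn the candidate this many days before removal

# Phase one captures only the minimum the article suggests.
PHASE_ONE_FIELDS = {"name", "date_of_birth"}


class Stage(Enum):
    PHASE_ONE = "phase_one"        # only name and date of birth captured
    PHASE_TWO = "phase_two"        # full application, consent tick box shown
    HIRED = "hired"                # successful candidate: data retained on file
    UNSUCCESSFUL = "unsuccessful"  # retained only until the retention window ends


@dataclass
class Applicant:
    applicant_id: str
    stage: Stage
    consented: bool                        # consent tick box ticked at phase two
    last_activity: date                    # last application or account activity
    notified_on: Optional[date] = None     # date the removal notice was sent
    opted_out_of_removal: bool = False     # candidate asked to stay on file


def validate_phase_one(submitted: dict) -> list:
    """Return field names that exceed the phase-one minimum; empty means compliant."""
    return sorted(set(submitted) - PHASE_ONE_FIELDS)


def days_inactive(a: Applicant, today: date) -> int:
    return (today - a.last_activity).days


def needs_notice(a: Applicant, today: date) -> bool:
    """Warn once, NOTICE_DAYS before the retention window closes."""
    if a.stage is Stage.HIRED or a.notified_on is not None:
        return False
    return days_inactive(a, today) >= RETENTION_DAYS - NOTICE_DAYS


def due_for_removal(a: Applicant, today: date) -> bool:
    if a.stage is Stage.HIRED:
        return False
    if a.stage is Stage.PHASE_TWO and not a.consented:
        return True   # detailed data captured without the tick box: do not keep it
    if a.opted_out_of_removal or a.notified_on is None:
        return False  # always warn first, and honour a request to stay on file
    return ((today - a.notified_on).days >= NOTICE_DAYS
            and days_inactive(a, today) >= RETENTION_DAYS)


def removal_notice(a: Applicant, today: date) -> str:
    removal_date = today + timedelta(days=NOTICE_DAYS)
    return (f"Applicant {a.applicant_id}: your application data is held on our "
            f"recruitment database and will be removed on {removal_date.isoformat()} "
            f"because the account is inactive. Reply if you want it kept on file.")


def run_retention(applicants, today: date):
    """One scheduled pass: remove due records, send notices, keep the rest."""
    notices, removed, kept = [], [], []
    for a in applicants:
        if due_for_removal(a, today):
            removed.append(a.applicant_id)
            continue
        if needs_notice(a, today):
            notices.append(removal_notice(a, today))
            a.notified_on = today
        kept.append(a)
    return notices, removed, kept


def sample_run():
    """Constructed sample data run against a fixed date."""
    today = date(2018, 6, 1)
    applicants = [
        Applicant("A1", Stage.HIRED, True, date(2018, 1, 1)),
        Applicant("A2", Stage.PHASE_TWO, False, date(2018, 5, 20)),      # no consent
        Applicant("A3", Stage.UNSUCCESSFUL, True, date(2017, 12, 1)),    # 182 days idle
        Applicant("A4", Stage.UNSUCCESSFUL, True, date(2017, 11, 1), notified_on=date(2018, 4, 20)),
        Applicant("A5", Stage.UNSUCCESSFUL, True, date(2017, 11, 1), notified_on=date(2018, 4, 20),
                  opted_out_of_removal=True),
        Applicant("A6", Stage.PHASE_ONE, False, date(2018, 5, 1)),
    ]
    notices, removed, kept = run_retention(applicants, today)
    return notices, removed, [a.applicant_id for a in kept]


if __name__ == "__main__":
    print(validate_phase_one({"name": "x", "date_of_birth": "y", "address": "z"}))
    for line in sample_run():
        print(line)
```

The pass removes phase-two records that were captured without the tick box, warns inactive candidates once before the retention window closes, and only removes a record after both the notice period and the retention window have elapsed, unless the candidate asked to stay on file.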
HR departments already have extensive knowledge on how data should be collated and processed within a business, which provides managers with a foundation when considering the development of their own GDPR strategies. Utilising this expertise will help employers take the appropriate steps in conforming their business to meet GDPR requirements.
With such a broad selection of processes within HR departments being subject to GDPR, businesses will undoubtedly encounter compliance challenges after May 25, 2018. While HR insight forms a strong foundation, businesses must consult with external experts to identify any data blind spots in GDPR strategies and ensure HR can lead by effective example.