GDPR compliance: practical steps to take control of your HR data
The new GDPR legislation, which becomes law on May 25th, impacts virtually every aspect of how you manage HR data – from the basis on which you collect it to when it needs to be deleted.
The practical implications of some aspects of the legislation will need further clarification; such as the ‘right to be forgotten’ in an employment context and what data portability really means. The Article 29 Working Party has published some guidance specifically related to employee data and it is to be hoped that more will follow.
However, one thing is crystal clear: HR is in the frontline of GDPR compliance. HR data that relates to an identifiable individual, whether on paper, in spreadsheets or a software system, is covered by the legislation. It is up to you to make sure that it is collected, managed, updated and secured in a way that ensures your compliance.
Key questions you need to answer
- Is our HR data secure? A key requirement of GDPR is that ‘personal data’, defined as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’, is processed in a manner that ensures its security. You have an obligation to implement technical and organisational measures to show you have considered and integrated data protection into your processing activities.
- Is it accurate? Under GDPR you are required to ensure that personal data is accurate and complete and to put it right when it is not.
- Can we respond to a subject access request? Current data protection legislation already allows employees and applicants to request a copy of the data you hold about them. GDPR requires that you respond to these requests more quickly and more comprehensively.
- How do we handle consent? While companies should not rely on consent to process most employee data, there may be occasions when it is needed. For example, to pass employee information to a third party such as a benefits provider, for marketing purposes or to track employee movement using CCTV or GPS.
- Can we delete data? Once you no longer need personal data for the purpose for which it was collected, data protection legislation says it should be deleted unless you have other grounds for retaining it.
A new approach for a new era
For companies relying on paper files, digital forms or spreadsheets, these requirements pose a considerable challenge. In fact, it is safe to say that information processed this way is virtually impossible to control or secure.
Employee information is needed by others in the organisation, not just HR. If data or documents are difficult to get hold of, the temptation is for people to take copies and store them elsewhere; with departmental heads, their secretaries or recruiting managers. Paper files rarely get revisited and updated or deleted when no longer relevant.
Excel spreadsheets take on a life of their own, with everyone managing their own version of the truth. Subject access requests can take days or weeks to put together; and, even giving employees limited visibility into the data you hold about them is fraught with difficulties.
It’s a reality the legislation recognises, at least in part. Recital 63 of the GDPR says: “Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data.”
Centralising all your HR data – including documents – in a single secure HR system with self-service access has other benefits that will take you a long way towards compliance. Information is easier to secure, track, manage and delete. Consent can be included as part of the data collection process, employees can check their own information and managers can be given restricted online access to information about their teams.
Of course, data security is not a given with all HR systems – and even some of the more modern enterprise systems are not yet GDPR compliant. Due diligence is essential.
However, for the most part, HR systems developed for the cloud have privacy by design at the heart of their solutions – such as data encryption, password protection and role-based security and will have in place the measures to help you keep your HR data safe.
With effective, cloud-based dedicated HR systems such as these now affordable for the smallest of organisations – and priced in the hundreds rather than the thousands of pounds - there really is no excuse for non-compliance.
GDPR compliance can be an opportunity; not just a necessary evil. It could be used to help transform businesses and their people processes and is an opportunity that should be grasped firmly with both hands.
Please note: this article is based on our understanding of the requirements of GDPR and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organisation. You should refer to the legislation and, if in doubt, work with a legally qualified professional to discuss GDPR, how it applies specifically to your organisation, and how best to ensure compliance.