What does GDPR mean for your HR department?
It’s been a year and a half since we were all flooded with warnings about GDPR. The precautionary instructions on how to avoid company-busting fines and reputation-ruining lawsuits seem to have quietened, but doubts around GDPR-compliant HR processes linger. While most people within HR started off with the best of intentions and GDPR checklists, that attention to the regulations has started to drop in some organisations.
It’s easy to think that not a lot has changed other than having a more obvious way to unsubscribe from emails (much to the dismay of marketers). However, we have seen some hefty punishments handed out to some very well-known names such as the Marriott Hotel chain and British Airways, and this has been enough to make companies sit up and take stock of their own data handling.
How has GDPR changed HR/employee records handling?
We always had data protection regulations, but the General Data Protection Regulation (GDPR) takes things a bit further, imposing stricter rules on how companies handle and store data (personnel data included). It’s been confirmed that even though these are European laws, we will still need to adhere to them post-Brexit (when and if that eventually happens). The changes we are concerned with here are the ways GDPR has altered how organisations can store and use personal information, and how this affects your company’s HR policy.
1. Retention of HR records
In the past, organisations simply filed data away, sometimes forgotten forever and untraceable. Under these new HR GDPR regulations:
- Unless explicit permission to keep the data has been given, you must delete any unnecessary documents. For example – the data for unsuccessful job candidates after the recruitment process has been completed.
- The amount of time you can retain the data for ex-employees is also limited. Whether they were fired, left or retired, there needs to be a defined offboarding procedure to protect you that complies with regulations.
- Alongside the fields for ‘hand in work phone’ and ‘return pass key’ there should also be a ‘delete employee data’ field.
2. Information requests must be specific
If you request information on a potential employee, or even an existing one, you must have good reason to request it.
It should be completely transparent to them why you are requesting this information and how it will be handled. Will it be stored, for how long, and how might it be used?
Explicit permission to store and use data must be granted by employees and recorded, should auditors ask for proof.
You should reassess your current application procedure to ensure you are compliant – do you need to know their marital status, the number of children, or driver licence details? If it’s not directly related to the role – don’t ask.
3. Provide transparency and accountability
You are not only required to hold PII (personally identifiable information) securely, but you need to provide insight into how and where this employee data is stored and processed. If you’ve had to ask their permission to hold that data, you also need to retain that permission – and that permission can be retracted by the employee if they wish.
It should also be clear who has access to this data – so a secure and reportable system for this access needs to be in place.
To make this transparency possible, companies must critically review their current architecture of stored data. Not only will companies have to comply with these rules, but they need to prove that they are in compliance with the new GDPR HR regulations. Cloud HR document management solutions make it easier to apply HR GDPR policies and at the same time keep data accessible.
4. Use data only for the intended purpose
You may only use the data you store for the intended purpose, as the permission to retain it has been specifically for that reason. Your HR department may not store employee records to reuse in the future.
5. Reporting and tracking data and activity
Do you have a process to segment the data you are keeping on individual employees? You will usually keep records of changes to job titles etc., but what about more sensitive data such as performance reviews, salary and bank details? Are these stored centrally? Who can view them? Does your HR department have the right tools to keep this data safe and yet accessible when needed?
6. Data protection
As the name would suggest, the main goal of the new European Data Protection Act is to ensure the protection of personal data. Put simply, data must be stored safely and securely, and be organised in a way that only authorised personnel have access to it. The GDPR legislation requires that documents that contain personal details are password protected. If you’re using old software, or your systems aren’t communicating with each other, this can be extremely hard to manage.
To ensure the right balance between security and efficient retrieval, your IT department should be involved in putting procedures in place. If these are provided by a third-party sub-contractor or sub-processor, such as a cloud service, it is your responsibility to ensure that they have the required procedures in place to protect the data. This includes their ability to store, retrieve and delete all data they manage.
All of this can seem fairly simple, but many companies will have to reassess their entire list of providers, check their guarantees and ensure full compliance with the new GDPR rules for HR/employee records.
What next?
Twofold Ltd helps overcome these challenges by providing cloud or on-premise solutions for HR document management, and for managing personnel in line with GDPR regulations. Our services range from DocuWare for employment records management to secure scanning and capture hardware and software. Contact us via the form here, or give the team a call on 0118 951 9800 to discuss any challenges your HR team has around GDPR or employee data management.
Peter Kiddle
Document Management Specialist