The idea for this post came from a discussion in the excellent Facebook Group EU GDPR (General Data Protection Regulation) & E-Privacy Regulation.
Disclaimer: This information is provided for your convenience and does not constitute legal advice.
GDPR is about the regulation of Personal Data. There is a lot of noise around marketing and consent prior to processing but a lot less around HR.
GDPR also applies to staff data, e.g. in Human Resources (HR).
To keep this post short, remember that GDPR is (mainly) the enforcement of 6 data privacy principles:
Each member state has a Data Protection Authority (list) that should be the point of reference in your country. GDPR is meant to be applied consistently, but as some DPAs are better equipped than others for advice, I'll share a link to the Irish DPA HR guidance.
Personal data is almost anything relating to an individual (referred to as a "data subject").
Check Article 88, "Processing in the context of employment".
A quick reminder that there are 6 lawful bases for processing (set out in Article 6 of the GDPR). At least one of these must apply whenever you process personal data:
Under HR, it should be easy to find a lawful basis under a legal or contractual obligation.
With HR, the workflows are relatively simple:
You will need to document the workflow and adjust your company practice to comply with the principles. For example, do you need next of kin information before the employment contract is confirmed? Do you need to know how many children the candidate has, or their marital status? Probably not! Minimise...
Change company practice so that CVs are not emailed between staff (or use encryption, see further down), and have a policy for disposal of notes relating to CVs.
Use of social media by individuals is widespread and it is relatively common for user profiles to be publicly viewable depending on the settings chosen by the account holder. As a result, employers may believe that inspecting the social profiles of prospective candidates can be justified during their recruitment processes.
Employers should not assume that because an individual's social media profile is publicly available they are allowed to process those data for their own purposes. A legal ground is required for this processing, such as legitimate interest. In this context the employer should - prior to the inspection of a social media profile - take into account whether the social media profile of the applicant is related to business or private purposes, as this can be an important indication for the legal admissibility of the data inspection.
In addition, employers are only allowed to collect and process personal data relating to job applicants to the extent that the collection of those data is necessary and relevant to the performance of the job which is being applied for.
The individual must also be correctly informed of any such processing before they engage with the recruitment process.
There is no legal ground for an employer to require potential employees to "friend" the potential employer, or in other ways provide access to the contents of their profiles.
Note: the above is copied from "Opinion 2/2017 on data processing at work" (Article 29 WP).
With HR, there are many legal requirements that justify the need to collect data about employees and contractors without prior consent.
Here are some examples, but you need to check the employment law in your country. Each has a statutory retention period. I am not including any, as they are likely to change from country to country and your GDPR consultant wouldn't be able to charge you any money ;).
It is worth noting that while you are legally obliged to keep some records, they are not all for daily use and should only be made available in a certain context.
Note: Principle 6 (integrity and confidentiality) of GDPR states that "personal data must be processed in a manner that ensures appropriate security of the data using appropriate technical or organisational measures".
While you are in charge of keeping the records, you need to ensure they are securely stored. That means you need to control who has access to the data. If the HR department is small and you don't have many servers, ensure the computer is well protected and backed up at least daily. When you dispose of the computer, you need to ensure the hard drive is properly erased (formatting is not enough).
Once data is no longer required by law, delete it: information you do not hold cannot form part of a potential breach.
If you send HR related data by email, remember that email is not the most secure way to send sensitive information. I'd suggest encrypting files in transit and deleting the emails afterwards (inbox, sent items and recycle bin). In that case, you can use 7zip and send the password to the recipient by text message. Although I recommend encryption for transferring a file, I do not suggest encrypting data as a way of keeping it hidden and avoiding minimisation.
If you don't have an HR system, I recommend that you maintain a spreadsheet and go through the records once a month. Also keep a log of the changes you make. It's an extra headache, but it will help document your GDPR compliance.
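The monthly review and change log described above can be scripted so that the review is repeatable and leaves an audit trail. The following is an added example, not code from the original post or from any HR product; it assumes the spreadsheet is exported as CSV with a hypothetical retention_until column, and the sample records are constructed for illustration.

```python
"""Monthly retention review over an HR spreadsheet export (added example).

Assumptions (not from the original post):
  - the spreadsheet is exported as CSV with a 'retention_until' column
    holding the statutory retention end date (YYYY-MM-DD);
  - every deletion made during the review is appended to a plain-text
    change log, which records only the record id and category (never
    the subject's name) so the log itself does not become HR data.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample export standing in for the HR spreadsheet.
SAMPLE_CSV = """record_id,subject,category,retention_until
1,Alice Example,payroll,2030-12-31
2,Bob Example,cv_notes,2018-03-01
3,Carol Example,next_of_kin,2019-06-30
"""


def load_records(csv_text: str) -> list:
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def retention_ended(record: dict, today: date) -> bool:
    """True when the statutory retention period for this record has passed."""
    until = datetime.strptime(record["retention_until"], "%Y-%m-%d").date()
    return until < today


def review(records: list, today: date, change_log: list) -> list:
    """Return the records to keep; append one log line per deletion plus a summary.

    Records past their retention date are dropped from the returned list, which
    is what you would write back to the spreadsheet. The change log is the
    evidence that the review happened and what was removed.
    """
    kept = []
    for record in records:
        if retention_ended(record, today):
            change_log.append(
                f"{today.isoformat()} DELETE record {record['record_id']} "
                f"({record['category']}): retention ended {record['retention_until']}"
            )
        else:
            kept.append(record)
    change_log.append(
        f"{today.isoformat()} REVIEW complete: {len(records)} checked, "
        f"{len(records) - len(kept)} deleted"
    )
    return kept


if __name__ == "__main__":
    log = []
    remaining = review(load_records(SAMPLE_CSV), date(2020, 1, 1), log)
    print("kept:", [r["record_id"] for r in remaining])
    print("\n".join(log))
```

Run it once a month with the real export and the current date, then write the kept rows back and keep the log lines with your GDPR documentation. The log deliberately identifies records by id and category only, so it can be retained longer than the records it describes without itself holding personal data.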
Note on cloud HR systems (if you use one rather than the spreadsheet approach above):
You need to find the country where the Cloud HR System is hosted.
Consent is required where none of the legal reasons above (e.g. the list of legal requirements) applies.
For instance, a photograph of a person constitutes their personal data (biometric) and therefore any use of that photograph must be in accordance with the regulation.
Many policies are communicated through HR, since starters have to read and acknowledge the rules as they join. Your policies must comply with the regulation. Since GDPR is the enforcement of existing law, that should be simple. Review them and include "Privacy by design and by default" in all your processes.
It also means that if you have a "quality" system in place, such as ISO 9001, you will need to revise it to embed "Privacy by design and by default".
Staff and contractors MUST be trained.
You need to assess staff and contractors' understanding and have them sign each policy.
Non-exhaustive internal policy checklist:
You can find some Information Security Policy inspiration on the SANS Institute website.
If you are going to monitor staff, staff need to be told. It needs to be legal.
CCTV used for security is not CCTV used to monitor staff at work.
Security badges are for security. Attendance badges are for attendance.
Read more here (Irish DPA website), but beware that guidance may vary from country to country.
The use of vehicle tracking systems involves the collection of personal data as they record the location of the individual in charge of a vehicle at any particular time. An organisation using or considering using such a tracking system must be able to demonstrate that there is a good business reason for such surveillance. The individuals affected must be informed of the surveillance and its purposes. If personal (non work related) use of a vehicle is permitted, it should be possible to disable or mask the tracking system outside of working hours. (Irish DPA).
Also check the WP 29 opinion for further guidance.
This is sensitive personal data.
If you outsource, ensure the payroll company provides you with a data processor agreement, as you are exchanging personal data. Be prepared for another shock: most companies I met and spoke to in the field of payroll did not have a clue about GDPR.
Sending payroll data by email is not the safest way. Once again, consider a secure HR portal as an alternative. Staff are then responsible for downloading their data, and the security of their own computer is their responsibility.
There can be several types of contractors:
If you hire contractors through an agency, you will still need to train them in the privacy policies of your company.
With GDPR, your company will need to formalise training for data protection and data privacy. Do not underestimate this, as it could be a major cultural change.
Also, be clear with staff and explain the difference between commercial data and personal data. Data can be both, but legitimate interest should not leave staff thinking they "cannot work anymore".
Under GDPR (and before it), staff have a right to obtain a copy, clearly explained, of (almost) any information relating to them that your company keeps on computer or in a structured manual filing system. Your company needs to reply within one month.
However, there may be areas where it may not apply (check employment law in your country).
Here is a list of Irish examples that I quote from the Irish DPA:
So, when you write your staff subject access request policy, check with your legal firm what applies and what does not.
Access requests may also come from former employees. You need an internal process to handle such requests. It can be a specific email address. However, email is not always secure (since you cannot control all parts of the transmission), and you need to ensure the mailbox is monitored, as the person in charge of data protection in your company may be on holiday.
I normally avoid ads in my posts, but using Bizoneo as your compliance platform could ease handling of subject access requests. Bizoneo has a dedicated SAR web portal to deal with the internal workflows and assign activities to fulfil the request.
In the forum discussion that inspired this post, there was a question relating to a workforce made up of people from different countries, and therefore speaking different languages.
I am not a solicitor, so treat my opinion accordingly:
GDPR is a great opportunity to review your HR department.
Going the GDPR compliance way will (in the medium to long run) give your business an extra competitive advantage: caring about the privacy of your staff. Another priceless good business practice...
- Claude Saulnier
Brand Ambassador - Bizoneo