Now that the race to become GDPR compliant is over, HR departments across Europe may want to breathe a deep sigh of relief. But the pressure has not lifted completely. The challenge of staying compliant is acute, and several everyday HR operations have changed to accommodate that aim.
HR's role in handling sensitive data is essential, whether that data relates to the company or to its employees. This means human resources is the front line in the effort to keep organisations GDPR compliant.
With such critical responsibilities in their hands, it is important that HR applies the changed everyday tasks consistently. Here are five aspects you will likely have to deal with on a daily basis.
- Consent
- Data Retention
- Data Used For “Intended Purpose”
- Data Breach Notification
- Data Encryption
While securing consent from staff is nothing new, ensuring employees completely understand what will be done with their personal data is now essential. The new regulations stipulate that consent must be "freely given, specific, informed and unambiguous", so consent previously secured through a few clauses in an employment contract is no longer enough. What is more, consent can be withdrawn by an employee at any time.
Consent clauses need to be redrafted and reworded to make sure employees are properly informed. The detail must be crystal clear and concise, and must refer specifically to the data being stored.
HR departments have to create and maintain a system through which employees can request consent withdrawal and have it granted. From an HR point of view, the system also needs to be easily editable.
In the past, employee data was stored and then pretty much forgotten about; effectively, it was held onto indefinitely. The GDPR stipulates that organisations can only retain data for as long as it is needed, with a "strict minimum" period recommended by the new regulations.
Staying on top of data retention has become important, and where a company employs temporary (or even seasonal) staff, it can become a little complicated.
The DPO should establish a clear procedure that includes a timetable for data retention reviews, allowing HR to identify records that are no longer needed and to dispose of them securely. Importantly, this will also help keep employee data accurate and relevant.
The GDPR only allows HR departments to use employee personal data for the purpose for which it was stored. This rule further underlines how important it is to state the intended purpose clearly, as much for HR as for the employees.
Employees must now be fully informed of the specific purpose their data will be used for, and organisations then have to stick strictly to that purpose. The HR department may need to contact former freelance or seasonal employees to secure consent to use their data in the future.
One of the most important aspects of the GDPR is the requirement to report data breaches. A Data Breach Notification must be delivered to the relevant regulator within 72 hours of the event. HR must also notify the affected employees "without undue delay" if the breach poses a high risk to the rights and freedoms of employees.
A record of all breaches must be kept so that it can be inspected by the regulatory authority in any audit.
HR departments will have to follow a data breach response plan with clear procedures. They also need a programme that properly instructs employees how, to whom and when to report data breaches.
In the past, high security was reserved for sensitive company documents, but under the GDPR all data gathered by HR now needs to be protected, including personal employee data. This applies to everyday communications too, such as emails, not just stored employee data.
The best way to accomplish this is to have stored and transmitted data encrypted, keeping it secure against the risk of cyber attacks. IT can look after this area, but it is up to HR departments to ensure that the encryption is applied consistently.
An additional security measure is maintaining a list of personnel authorised to access each specific data type, reducing the chance of data breaches.