In May 2018, HR and People Operations will face the greatest regulatory change in employee data privacy in the last 20 years: the EU General Data Protection Regulation (GDPR).
There are a number of essential steps that HR and People Operations professionals should complete before the laws come into effect, but first, let’s understand what the GDPR is.
What is the GDPR?
The GDPR is an EU citizen rights law and affects any organization that employs or recruits EU citizens.
It applies to any organization with EU citizens as employees or candidates, regardless of location - so an EU citizen working in San Francisco will bring GDPR to that company.
Collecting data about EU residents and deciding why and how that data is collected and processed will likely classify an entity to as data controller under the GDPR.
Each of these entities (controllers, processors and subjects) carry different rights and responsibilities in the GDPR framework, however here is what we believe you should focus on.
What should you know about GDPR?
The GDPR puts greater responsibility on the employer as the steward of employee data.
You may have already been asked by your IT or security team; but as an HR professional, we believe that the key goals that you should focus on are:
With the adoption of GDPR at your company, previously informal obligations should be formalized and made known to your broader team.
Having standardized processes in place can help make GDPR compliance simple, and ensure that you stay on top of your responsibilities.
A first key requirement is placed on documentation around how employee data is collected, stored and processed. This means knowing where the data came from, who has access to it, where it is stored, as well as any processes around access and deletion.
Someone in your company (typically the Data Protection Officer) will be responsible for producing a document that outlines this. We also recommend creating an information asset register – what personal information and where, why, how and with whom do you process it.
A big theme of the GDPR is transparency - requiring organisations to provide much more information to individuals.
The GDPR mandates that employers have a legal basis for collecting and processing employee and recruiting data.
It’s important that this is documented by your team to ensure alignment on standards.
The four potential legal bases most likely to be relevant to you as an HR professional to collect this data are:
Most of this really comes down to focusing on understanding and information rights, a lot of which can be covered in employment contracts as well as providing access to basic HRIS technology for your team.
Under the GDPR, EU residents have the right to access their personal data and are entitled to obtain their personal data in a commonly used format (i.e. PDF or CSV).
This means that if an employee leaves your company, they should be able to obtain the data they’ve provided to you and reuse this information with their next company.
For HR professionals, this means you should keep a single system of record and ensure your employee data is in a standardized format, so employees can easily collect and export everything without any additional administrative burden.
Your employees have the right to ask and obtain access to their data, as well as correct any personal data that is deemed inaccurate or incomplete.
This is so they can verify the “lawfulness of the processing” and ensure that you’re managing their data correctly.
For HR teams currently using spreadsheets and paper-based files to manage their workforce, GDPR provides an urgent catalyst to modernise employee record keeping.
As well as the obligation to provide comprehensive, clear and transparent privacy policies, if an employer has more than 250 employees, it must maintain additional internal records of its processing activities.
Sapling believes the new legal requirements will raise the bar for honoring employee data rights, and we expect that the GDPR will help companies support a greater and more secure employee experience.
In keeping with our commitment to our partners’ privacy and security, Sapling is committed to being compliant with the GDPR when the law comes into effect.
Given our partners typically have global operations, we plan to adopt EU GDPR’s talent data processing requirements as our global standard.
Please note: the above is based on Sapling’s understanding of the requirements of GDPR and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organisation.
Intersoft consulting has published a great resource at gdpr-info.eu where you can find the official PDF of the Regulation (EU) 2016/679 (General Data Protection Regulation) as a neatly arranged website.
We recommend reading the full text of the GDPR to better understand these rights and seeking independent legal advice regarding your obligations under the GDPR.