As we all know, starting on May 25th, 2018, the General Data Protection Regulation (G.D.P.R.) will come into force and will impose stricter rules on how companies may store and use their employees' personal information.
In the following lines we detail the obligations that companies, and human resources departments in particular, must meet to comply with G.D.P.R.
Ensure the protection of personal data
Personal data must be stored safely and securely. Internally, data security must be well organized: only a limited number of people should have access to confidential information. Companies should work closely with their IT providers, and it is necessary to find the right balance between the ability to retrieve data and protecting that data from external threats. Externally, if sub-contracting or sub-processing is used, companies must select a provider that offers adequate guarantees. They must have a contract covering all required aspects of the sub-contracting / sub-processing, ensuring the provider's support in case of incidents, and ensuring the capacity to recover the data and to have it deleted at the end of the contract. Companies may have to review their current providers, the guarantees those providers offer, and the contracts they hold, in order to comply with G.D.P.R.
Use data only for its intended purpose
HR departments are not only limited in the amount of data they may request from employees or applicants; they may also use this information only for the purpose for which it was requested, and only where explicit consent has been given. This may hinder a company's ability to maintain a talent pool: storing personal contact information for future use without permission is not permitted under the new data act.
Keep the data in a simple and useful manner
The obligation to keep personal information up to date also has consequences for HR. Records of staff changes (departures, job changes, etc.) are usually kept. But what about performance assessments? Are performance interviews held and, if so, are they stored centrally, or are they reviewed in a different way? Whatever form is used, HR must ensure that the right tools are available to keep the data in a simple and useful manner.
Keep personal data for as long as necessary
Under the new regulations, companies may keep personal data only for as long as necessary. For example, in an application process, the data of candidates who are not hired should be deleted shortly after the recruitment process ends, unless the candidates have given explicit consent to its retention. Likewise, the data of employees who leave a company (by resignation, because they have found another job, or because they have been dismissed) may only be retained for a limited amount of time, which will certainly affect the procedures of many companies.
Provide transparency and pro-active communication
As of May 25th, 2018, companies are also required to provide insight into how and where employee data is stored and processed. For information that requires employee permission, the company must also hold a record of that consent. This consent is not final: employees have the right to withdraw their permission. It should also be made clear who has access to which data. To make this transparency possible, companies must critically review the current architecture of their stored data. Does the current way of archiving meet the stricter requirements, or should processes change? In particular, companies will have to document and prove how they comply with the new law.
Information must be targeted
Employers may only request data from potential employees if it is necessary. For all other forms of data collection, explicit permission must be requested. A critical look at the current application procedure is therefore essential. For example, is the information requested actually needed to make a proper assessment? The same applies to the data of current employees: any data a company holds on its employees must be held for good reason. Previously, companies would collect generic data such as civil status, number of children, driving licence, etc. From now on, it will be more difficult to justify collecting data not directly related to the employee's role or to managing the employee.
Contact an Advisor
If you have any questions regarding this topic and how it might have an impact on your business, please contact the Mirus Consultant with whom you regularly work, or: