RGPD and HR data: good practices

Since the implementation of the RGPD (General Data Protection Regulation) in the European Union on May 25, 2018, the human resources management departments of private companies and public organizations are responsible for ensuring that their structures are compliant with this regulation. In human resources departments, collecting personal data is necessary for several HR processes: pay slips, career management, etc. It is therefore their responsibility to bring the company’s operations into compliance with the RGPD, in particular by creating a register of processing and reducing the nature and quantity of personal data used as much as possible. They must also ensure that employees have all the information they need about the use of their personal data.

The main principles of the General Data Protection Regulation

Applicable in the European Union, the RGPD aims to regulate the processing of personal data, in particular in order to adapt to technological and societal changes, including the growing development of digital technology. The GDPR has applied since May 25, 2018. Its guiding principles are:

  • purpose: any data collected and recorded must be for a legitimate, legal and specific purpose;
  • relevance and proportionality: the information in a given file must be absolutely necessary for its purpose;
  • accuracy: obsolete information must be replaced as soon as possible;
  • limited retention period: each item of personal data must be kept for a defined period of time, which varies according to the type of information;
  • confidentiality and security: those responsible for the files are required to preserve them and to put in place the necessary procedures to ensure that access to the data is restricted to authorized persons;
  • liability: the misuse or illegal sale of personal information is sanctioned;
  • rights of individuals: the persons whose data are kept must be clearly informed, and they have a right of access to this information as well as a right of rectification and even of erasure.

What are the impacts of the RGPD on HR?

As the main collectors of personal data, human resources management departments are the first to be affected by the GDPR. To comply with the GDPR, companies need to reorganize and rethink the way they manage personal data.

The recruitment of a DPO (Data Protection Officer) profile may be necessary to support all departments in the implementation of the RGPD.

It is required if your organization is public, or if your company's core activity consists of large-scale processing of sensitive data or regular and systematic monitoring of individuals. In the absence of a DPO, it is advisable to designate who will lead the RGPD project. Like the DPO, their mission is to implement the actions necessary for regulatory compliance with the RGPD.

When analyzing your processing of personal information, the goal is to minimize the demand for data: you should limit the collection to what is necessary and keep the data for the minimum amount of time. The CNIL provides guidelines to help you choose how long to keep personal information.

How is HR at the heart of the compliance effort?

Inventory of data collected and processing carried out

The compliance of companies with the RGPD primarily involves human resources departments, in particular, as they centralize a lot of personal data. They must therefore map the personal information collected and establish a register of processing. The latter is used to identify the processing of personal data and provides an overall view.

Changes to internal procedures

In order to comply with the GDPR, existing personal data processing operations may need to be modified. New procedures can also be created, in particular to define the actions to be taken in the event of a personal data breach, requests for modification/rectification/deletion of information… The HR department is also going to be the leader in implementing the RGPD policy within your company. It will be in charge of training and informing employees, modifying the internal regulations and the IT charter…

Possible impact analyses

The Data Protection Impact Assessment (DPIA) is used to demonstrate that high-risk processing operations are compliant with the GDPR. It may cover one or more similar processing operations, and it is required if the envisaged processing operation belongs to the list defined by the CNIL regarding DPIA obligations, or if it meets 2 of the 9 criteria defined by the Article 29 Working Party (G29). If the processing was implemented before May 25, 2018, it is exempt from a DPIA for 3 years, provided that it has been recorded in an "Informatique et Libertés" register or declared to the CNIL. Certain exemptions may also be granted depending on the size of the company.

Relations with subcontractors

HR sometimes works with external consultants, for example for recruitment. Under these conditions, there will potentially be exchanges of personal data. It is then advisable to formalize new contractual documents or amendments to ensure compliance with the RGPD.

How to protect your employees’ data?

Limit the information collected and remain transparent

The human resources department needs personal information about employees for various HR processes: producing pay slips, administrative management of employees, etc. However, it must restrict its collection to the strictly necessary information and avoid sensitive data (health, religion, political opinions, dietary habits…). The HR department is responsible for maintaining this data in a secure computer system that ensures confidentiality and traceability of changes.

You should inform employees as soon as they provide you with new information that will be retained, for example for a training request.

If you set up a control of your employees’ activity, it must respond to a legitimate interest of the company and not consist of a permanent surveillance. Before its introduction, consult any employee representative bodies, and then inform all employees by providing them with details of the new measures planned.

Involve your employees in data protection

Your employees must be made aware of the issue of personal data protection. They must be aware of the importance of this subject, and be fully committed at both the individual and collective levels.

This can result in:

  • a reminder of the basic rules of computer security: no personal documents kept on one's professional workstation, locking access when leaving one's workstation, regular password changes, etc.;
  • awareness of good practices regarding personal data;
  • regular backups of files, non-disclosure of sensitive data to unauthorized persons, etc.;
  • clarification of the rights of individuals according to their department.
