Since the implementation of the GDPR (General Data Protection Regulation) in the European Union on May 25, 2018, the human resources management departments of private companies and public bodies have been responsible for ensuring that their structures comply with this regulation. In human resources departments, collecting personal data is necessary for several HR processes: pay slips, career management, etc. It is therefore their responsibility to bring the company’s operations into line with the GDPR, in particular by creating a processing register and reducing the nature and quantity of personal data used as much as possible.
They also need to ensure that all information relating to the use of their personal data is made available to employees.
The main principles of the General Data Protection Regulation
Applicable throughout the European Union, the GDPR aims to provide a framework for the processing of personal data, notably in order to adapt to technological and societal changes, including the growing development of digital technology. The implementation of the GDPR is as of May 25, 2018. Its guiding principles are:
- purpose: any data collected and recorded must be for a legitimate, legal and specific purpose;
- relevance and proportionality: the information in a given file must be absolutely necessary for its purpose;
- accuracy: obsolete information must be replaced as soon as possible;
- limited retention period: each item of personal data must be kept only for a defined period of time, which varies according to the type of information;
- confidentiality and security: those responsible for the files are required to preserve them and to put in place the necessary procedures to ensure that access to the data is restricted to authorized persons;
- liability: the misuse or illegal sale of personal information is sanctioned;
- individual rights: the people whose data is stored must be clearly informed, and they have a right of access to this information, as well as a right to modify or even delete it.
What are the impacts of the GDPR on HR?
As the main collectors of personal data, HR departments are the first to be affected by the GDPR. To comply with the GDPR, companies need to reorganize and rethink the way they manage personal data.
Recruiting a DPO (Data Protection Officer) may be necessary to support all departments in implementing the GDPR.
A DPO is mandatory if your organization is a public body, or if your company's core activity consists of large-scale processing of sensitive data or regular and systematic monitoring of individuals. In the absence of a DPO, it is advisable to designate who will lead the GDPR project. Like the DPO, their mission is to implement the actions necessary for regulatory compliance with the GDPR.
When analyzing your processing of personal information, the goal is to minimize the demand for data: you should limit the collection to what is necessary and keep the data for the minimum amount of time. The CNIL provides guidelines to help you choose how long to keep personal information.
How is HR at the heart of the compliance effort?
Inventory of data collected and processing carried out
Compliance of companies with the GDPR primarily involves human resources departments, in particular because they centralize a lot of personal data. They must therefore map the personal information collected and establish a register of processing activities. This register identifies each processing of personal data and provides an overall view.
Changes to internal procedures
In order to comply with the GDPR, existing personal data processing operations may need to be modified. New procedures can also be created, in particular to define the actions to be taken in the event of a personal data breach, or on requests for modification, rectification or deletion of information… The HR department is also going to lead the implementation of the GDPR policy within your company. It will be in charge of training and informing employees, and of updating the internal regulations and the IT charter…
Possible impact analyses
The Data Protection Impact Assessment (DPIA) is used to demonstrate that high-risk processing operations comply with the GDPR. It may cover one or more similar processing operations. A DPIA is required if the envisaged processing operation belongs to the list defined by the CNIL regarding DPIA obligations, or if it meets 2 of the 9 criteria defined by the Article 29 Working Party (G29). If the processing was implemented before May 25, 2018, it is exempt from a DPIA for 3 years, provided that it was recorded in an "Informatique et Libertés" register or declared to the CNIL. Certain exemptions may also be granted depending on the size of the company.
Relations with subcontractors
HR sometimes works with external consultants, for example for recruitment. In such cases, personal data will potentially be exchanged. It is then advisable to formalize new contractual documents or amendments to ensure compliance with the GDPR.
Limit the information collected and remain transparent
The human resources department needs personal information on employees for various HR processes, such as issuing pay slips and managing employee administration. However, collection must be restricted to strictly necessary information, and sensitive data (health, religion, political opinions, dietary habits, etc.) must be avoided. The HR department is responsible for keeping this data in a secure computer system that ensures confidentiality and traceability of changes.
You should inform employees as soon as they provide you with new information that will be retained, for example for a training request.
If you set up monitoring of your employees' activity, it must serve a legitimate interest of the company and must not amount to permanent surveillance. Before introducing it, consult any employee representative bodies, and then inform all employees by providing them with details of the new measures planned.
Involve your employees in data protection
Your employees need to be made aware of the issue of personal data protection. They must be aware of the importance of this subject, and be fully committed at both the individual and collective levels.
This can result in:
- a reminder of the basic rules of computer security: no personal documents on the professional workstation, locking the session when leaving the workstation, regular password changes, etc.;
- awareness of good practices regarding personal data;
- regular backups of files, and non-disclosure of sensitive data to unauthorized persons;
- clarification of the rights of individuals according to their department.