
GDPR: HR, are you protected from legal action?

9/11/2023
Adopted by the European Parliament on April 14, 2016, Regulation (EU) 2016/679, known as the General Data Protection Regulation (GDPR), became applicable on May 25, 2018.
Here is a refresher on key GDPR concepts, focusing on how they apply to Human Resources.
KEY GDPR CONCEPTS
  • Material and territorial scope
    GDPR applies whenever personal data is processed “in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not” (Article 3(1)). It also reaches controllers and processors established outside the Union when they offer goods or services to, or monitor the behaviour of, data subjects in the Union (Article 3(2)), which matters when staff in the EU are recruited or managed from elsewhere.
  • Personal Data (PD)
    According to Article 4(1), personal data is “any information relating to an identified or identifiable natural person”; a person is identifiable directly or indirectly, for instance by reference to a name, an identification number, location data or an online identifier. HR teams must realize that an employee’s personal data goes well beyond basic contact information: any recorded, usable piece of information about an employee (a badge number, a login, a performance rating, an absence) is personal data. GDPR therefore calls for a systematic view of where employee data is created, stored and shared, not a list of fields.
  • Processing
    Article 4(2) of GDPR defines processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation….” Processing covers the whole lifecycle, from collection to deletion: use, structuring, cleansing, analysis, storage, disclosure and erasure.
  • Data Controller and Processor
    GDPR distinguishes the natural or legal person that determines the purposes and means of processing (the controller, Article 4(7)) from the entity that processes personal data on the controller’s behalf (the processor, Article 4(8)). For HR data the employer is the controller; a payroll bureau or an applicant-tracking SaaS vendor is typically a processor.

MAIN OBLIGATIONS FOR BUSINESSES

European data-protection law rests on the following requirements:

  • All personal-data processing must follow the principles in Article 5: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability, meaning the controller must be able to demonstrate compliance (Article 5(2)).
  • Every processing operation needs a lawful basis under Article 6: performance of a contract (including the employment contract), a legal obligation, protection of vital interests, a public-interest task, the controller’s legitimate interests, or the data subject’s consent. In the employment relationship consent is the weakest of these: supervisory authorities consider it hard to show that an employee’s consent was freely given, so HR should rely on the contract, legal obligations or legitimate interests wherever they fit, and document the choice.
  • Organizations have a duty to inform individuals whose data is collected (Articles 13 and 14): the identity and contact details of the controller, the purposes and lawful basis of the processing, the recipients, the retention periods, the rights available, and so on.
  • They must also ensure data subjects can exercise their rights: access (Article 15), rectification (16), erasure (17), restriction (18), data portability (20) and objection (21).
  • Controllers must implement technical and organizational measures appropriate to the risk, taking into account the state of the art and the cost of implementation (Article 32), and must build data protection into the processing and the information system from the design phase and by default (Article 25). The obligation applies to every processing operation, not only where it is convenient.

HR’S FRONT-AND-CENTER ROLE IN GDPR IMPLEMENTATION

HR is the corporate function most directly affected by GDPR compliance, given the nature of its operations and interactions.

By nature, HR relies almost exclusively on personal data. From a candidate’s first contact during recruitment, HR collects name and diplomas; once hired, it gathers national ID numbers, marital status, training, performance reviews, leave requests, sick days…

HR may even collect special categories of personal data (Article 9), for instance health, biometric or trade-union information, which may only be processed under the narrow exceptions that article lists (for example, where employment or social-security law requires it) and warrant stricter access controls.

For HR, the “data subjects” are obviously all company employees, but also candidates under recruitment, spontaneous applicants and apprentices: essentially, anyone whose personal data is collected and processed.

HR’s processing scope is extensive, covering everything from recruitment (even for spontaneous or unsolicited applications) to payroll, time management, career development, leave management and potential labor disputes.

Remember: manual, non-automated processing is also subject to GDPR as soon as the data forms part of, or is intended to form part of, a filing system (Article 2(1)). That covers paper documents such as resumes, personnel files or sick-leave forms.

So HR processing cannot be treated as negligible in terms of personal-data impact; GDPR compliance for HR processes is a crucial project for any organization.

HR AS KEY DRIVERS OF COMPLIANCE…

GDPR sets a framework that leaves some flexibility in how it is applied. Acting for the controller (the employer), HR must put a few basics in place in a data-privacy policy to comply with GDPR:

  • Map the data collected and the processing performed by reviewing every HR activity and routine, including the tools involved (HRIS, applicant tracking, payroll, shared drives, e-mail).
  • Document that mapping in the GDPR paperwork, in particular the Record of Processing Activities (ROPA) required by Article 30. This is the backbone of compliance: for each processing activity it lists the purpose, the categories of data subjects and of data, the recipients, any transfers outside the EU, the retention period and a general description of the security measures.
  • Conduct a Data Protection Impact Assessment (DPIA, Article 35) where processing is likely to result in a high risk to individuals’ rights and freedoms, for example large-scale processing of health data or systematic monitoring of staff: describe the scenarios, assess the risks and define the measures that mitigate them.
  • Revamp internal practices and fix bad habits:
    1. Minimize data collection so that every field serves a documented purpose.
    2. Delete personal data at the end of its retention period (for example, CVs of unsuccessful candidates or the records of former employees) and honour erasure requests, bearing in mind that erasure is not absolute: payroll, tax and social-security records must be kept for the period required by law (Article 17(3)(b)), and records relevant to a pending dispute must be preserved.
    3. Fulfil data-subject requests (access, rectification, erasure, restriction, objection) within one month, extendable by two further months for complex requests (Article 12(3)).
    4. Detect and report data breaches: notify the supervisory authority within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals (Article 33), and inform the affected employees or candidates where the risk is high (Article 34).
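
Storage limitation and erasure are where HR processes most often go wrong in practice, because “delete” collides with statutory retention periods and pending disputes. The following is an added illustration, not code from this article or from ACT-ON DATA: a retention job over an HR record store that applies a per-category retention period, refuses erasure requests for records held under a legal obligation (Article 17(3)(b)), keeps anything under a litigation hold, and records a reason for every decision so the outcome can be shown to a supervisory authority. The record categories, retention periods and sample records are assumptions constructed for the example, not legal advice; the correct periods depend on national employment, tax and social-security law.

```python
"""Retention and erasure check for an HR record store (added example).

Applies the storage-limitation principle to HR records while honouring the
legal-retention exception to erasure (GDPR Art. 17(3)(b)) and a litigation hold.
Retention periods below are assumptions for the example, not legal advice.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention policy per record category: days after the trigger event
# (end of recruitment, departure of the employee, ...). "statutory" marks
# categories kept under a legal obligation, which an erasure request cannot
# override (Art. 17(3)(b)). Periods are illustrative only.
RETENTION_POLICY = {
    "rejected_candidate_cv": {"days": 730, "statutory": False},   # 2 years (assumed)
    "payroll": {"days": 5 * 365, "statutory": True},              # 5 years (assumed)
    "sick_leave_form": {"days": 5 * 365, "statutory": True},      # 5 years (assumed)
    "performance_review": {"days": 2 * 365, "statutory": False},  # 2 years (assumed)
}


@dataclass
class Record:
    record_id: str
    subject_id: str
    category: str
    trigger_date: date        # event that starts the retention clock
    legal_hold: bool = False  # e.g. pending labour dispute


@dataclass
class Decision:
    record_id: str
    action: str  # "delete" or "retain"
    reason: str  # audit-trail text explaining the decision


def evaluate(record, today, erasure_requested=False):
    """Decide whether one record is deleted or retained as of `today`."""
    policy = RETENTION_POLICY.get(record.category)
    if policy is None:
        # Unknown category: do not guess; keep it and flag it for the ROPA owner.
        return Decision(record.record_id, "retain",
                        "no retention rule in policy; review required")
    if record.legal_hold:
        # A litigation hold overrides both expiry and erasure requests.
        return Decision(record.record_id, "retain", "legal hold (pending dispute)")
    expiry = record.trigger_date + timedelta(days=policy["days"])
    if today >= expiry:
        return Decision(record.record_id, "delete",
                        f"retention period expired on {expiry.isoformat()}")
    if erasure_requested:
        if policy["statutory"]:
            return Decision(record.record_id, "retain",
                            f"erasure refused: statutory retention until "
                            f"{expiry.isoformat()} (Art. 17(3)(b))")
        return Decision(record.record_id, "delete", "erasure request honoured (Art. 17)")
    return Decision(record.record_id, "retain",
                    f"within retention period until {expiry.isoformat()}")


def run_retention_job(records, today, erasure_requests=frozenset()):
    """Evaluate every record; return all decisions (the audit trail) and the ids to purge."""
    decisions = [evaluate(r, today, r.subject_id in erasure_requests) for r in records]
    to_delete = [d.record_id for d in decisions if d.action == "delete"]
    return decisions, to_delete


# Constructed sample data for the example (not real records).
SAMPLE_RECORDS = [
    Record("r1", "cand-17", "rejected_candidate_cv", date(2020, 3, 1)),
    Record("r2", "cand-42", "rejected_candidate_cv", date(2023, 6, 1)),
    Record("r3", "emp-7", "payroll", date(2021, 12, 31)),
    Record("r4", "emp-7", "performance_review", date(2021, 12, 31)),
    Record("r5", "emp-9", "performance_review", date(2021, 12, 31), legal_hold=True),
]

if __name__ == "__main__":
    # Former employee emp-7 and rejected candidate cand-42 have asked for erasure.
    decisions, purge = run_retention_job(SAMPLE_RECORDS, date(2023, 11, 9),
                                         {"emp-7", "cand-42"})
    for d in decisions:
        print(d.record_id, d.action, "-", d.reason)
    print("to purge:", purge)
```

Run as of 2023-11-09, the job purges r1 (expired), r2 and r4 (erasure honoured) but keeps r3, because payroll is under statutory retention, and r5, because of the legal hold. The point of returning the full list of decisions rather than only the purge list is that the retained-with-reason entries are exactly what an employee or a supervisory authority will ask to see when an erasure request is refused.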

… AND MORE!

  • Play a key part in executing the Personal Data policy via multiple communication channels: privacy charter, internal rules, IT policy, staff training, awareness of GDPR.
  • Establish security measures that shield employee personal data from unauthorized access, disclosure, alteration or destruction, combining technical measures (encryption and pseudonymization, access restricted to those with a need to know, logging and monitoring, intrusion detection, tested backups) with organizational and physical ones (locked cabinets for paper files, leaver procedures that revoke access). Article 32 also expects the effectiveness of these measures to be tested and reviewed regularly.
  • Ensure subcontractors provide sufficient guarantees, especially on security (Article 28). HR routinely uses external providers (IT outsourcing, payroll bureaus, recruiters, event organizers…), and these recipients of personal data must meet at least the same level of rigour. Formalize this in a written contract or data-processing agreement with the clauses Article 28(3) requires: processing only on the controller’s documented instructions, confidentiality of the processor’s staff, security measures, conditions for engaging sub-processors, assistance with data-subject requests and breach notification, deletion or return of the data at the end of the contract, and audit rights.

…A MUST FOR PROTECTION FROM POTENTIAL LITIGATION

Compliance is also the best defence against complaints from data subjects (an unsuccessful candidate, an employee in conflict with HR, an employee who considers the processing insufficiently transparent or whose request the company failed to honour) and against the supervisory-authority investigation that typically follows such a complaint. A documented ROPA, a lawful basis for each activity and a record of how requests were handled are what the authority will ask for.

All HR services are therefore affected by GDPR, and given the potential fines for non-compliance (up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher, Article 83(5)), compliance is vital.


Frédéric CLAUDEPIERRE
Consultant Manager - ACT-ON DATA
