The way businesses and people look at their data has changed dramatically in recent years. Since the implementation of the EU’s General Data Protection Regulation (GDPR), organisations of all shapes and sizes that process personal data have had to make big shifts in many aspects of how they collect, manage, and store it.
As a consequence, HR departments have had a lot of information and knowledge to catch up with and digest. And with the plethora of information still coming out as data protection rules and regulations change around the world, it can be difficult to know what information to count on.
In this article, we’re going to discuss what professionals in HR departments need to know about data protection. We’ll delve into the most important aspects in regard to keeping your organisation and the data of the individuals you work with secure. This way, you gain the information necessary to safeguard your work and arm yourself with the knowledge for this ever-evolving world of data—including some of the key GDPR issues relevant for HR professionals.
There must be a lawful basis for data processing
Since the implementation of GDPR, organisations must now always document their reason behind processing personal data. The GDPR outlines six lawful bases appropriate for specific circumstances:
- Consent: The individual must agree to the processing of their data.
- Contract in place: A contract must be in place with the individual to supply goods or services they have requested.
- Compliance with legal obligation: Processing data for a particular purpose is a legal requirement.
- Public tasks: Processing is necessary to carry out official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and the police.
- Legitimate interests: It’s lawful when an organisation has a legitimate interest and reason for processing personal data without consent (including commercial benefit) as long as it’s not outweighed by any negative effects on the individual’s rights and freedoms.
- Vital interests: This could be when processing data will protect an individual’s physical integrity or life (either the data subject’s or someone else’s).
Rights of data subjects
Working in HR departments means working with and handling the personal data of colleagues, too. You must treat the people in your organisation as data subjects in the same way you would customers and clients.
It’s important to make them aware of their rights concerning the way your organisation processes personal information. There are eight data subject rights:
- The right to be informed.
- The right of access.
- The right to rectification.
- The right to erasure.
- The right to restrict processing.
- The right to data portability.
- The right to object.
- Rights related to automated decision making which includes profiling.
Your organisation’s data protection policy must state that employees can submit a DSAR (data subject access request). They must also be told how they can do this. This should be a simple process. Either a written or verbal DSAR will suffice. This can be as simple as an employee saying ‘I want to view my held data’.
Everyone in HR departments should be trained to recognise when such a data request has been made. They should then process it in a way that ensures the employee receives the requisite information. They are required to respond within one month.
Handling job applications
Job applications hold a huge amount of personal data. HR departments handle CVs and applications which will contain names, addresses, email addresses and employment history.
Just like with employee data, HR departments must explain both their lawful basis for processing such data and how applicants can exercise their data subject rights. The GDPR states organisations can only keep personal data for as long as necessary for the purpose that it was collected. UK employers are legally required to hold on to job applications for six months, however, in case a candidate lodges a discrimination case.
Monitoring of employees
Under GDPR, both CCTV footage and browser histories are classed as personal data. HR departments have access to these types of information and must be careful and lawful in regard to how they process this data.
Furthermore, organisations must have a clear purpose for monitoring and be unobtrusive. Under no circumstances are employers justified in using exhaustive or automated monitoring methods to access employees’ browser history and communications in the workplace—even if they believe they may find the evidence of misuse they need.
Acceptable use
While all organisations are interested in ensuring a productive workforce, it must also be made clear that an organisation’s acceptable use policies are as much about data protection. Employees who don’t work in the way they’re expected can create security holes and even cause data breaches. This can be the case when, for example, employees visit disreputable websites which can be the source of viruses, malware and keyloggers that steal vital personal information. This is, of course, not data protection.
While we’ve covered a great deal of ground, there’s a lot more to know about data protection for HR departments. DPO services can be a fantastic resource for understanding more about data protection in your organisation. They can offer expert advice that will keep your employees and public data secure and help you stay aligned with GDPR.
Article written by HR Future Staff Member.