The entry into force on 25 May 2018 of the European Union’s GDPR regulation has turned corporate HR departments upside down. And with good reason: every day, they collect personal data necessary for the smooth running of the company and the professional lives of employees.
HR starts accumulating personal data from the moment a prospective employee submits their CV. They gather more data during the recruitment process, and still more when creating the employment contract – think bank details and copies of educational diplomas. They also manage personal data, such as medical documents, pay slips and travel expenses.
HR departments are therefore the first to be affected by the GDPR – a law that provides a framework for processing personal data to protect personal privacy.
Restrict data access
To ensure compliance, HR must protect employee personal data as far as possible and put the appropriate data access procedures in place at all levels
For example, access to personal data must be restricted to those responsible for recruitment and personnel management. This is to guarantee the confidentiality and absolute security of information such as bank details or national insurance numbers.
In some cases, management may consult certain documents on request, while staff representatives may only access the data contained in the personnel register.
Ideally, the company should appoint a Data Protection Officer (DPO) to oversee these processes.
Keep data collection to a minimum
HR departments must create a data processing register and reduce the amount of personal data they use as much as possible. Data collection must be limited to only that which is necessary for the purpose, particularly when sensitive data such as medical records is involved.
Employees, meanwhile, can request a copy of all their personal data, in accordance with the GDPR’s right of access. They also have the right to rectify inaccurate data.
It is HR’s duty to ensure that employees understand how their personal data is processed and used. All processing must be disclosed: transparency is key.
HR must also introduce new procedures to prevent any breach of personal data and to keep employees as well informed as possible, training them and keeping them up to date with changes to the IT charter, for example.
HR can use a data protection impact assessment (DPA) to prove that high-risk processing operations comply with the recommendations of the GDPR.
Comply with legal retention periods
Once an employee has left the company, HR must dispose of their personal data (and not keep it indefinitely) in compliance with the legal retention periods in their country.
For example, in France, it’s five years for physical payslips from the date of the employee’s departure, or three years for disciplinary sanctions. Electronic payslips must be kept for 50 years. For data that is not subject to a legal retention period, it is up to the DPO to determine the retention period, depending on the purpose of the document. See the differences between physical or digital documents management.
Following a recruitment drive, a company can retain candidate data for up to two years, provided the candidate hasn’t requested its deletion. HR is only allowed to request information relevant to the specific position.
If HR departments fail to comply with the GDPR, they expose their companies to four levels of penalty, ranging from a warning or formal notice to administrative sanctions.
In the event of a serious breach, the fine can be between 2% and 4% of worldwide turnover or up to €20 million. Criminal penalties may be applied, with fines of up to €300,000 and imprisonment for up to 5 years.
Our experts can assist you with your Records Management strategy and offer a full-spectrum service in documentation management, anywhere in the world. Contact us today!
