More and more employers get into trouble for not complying with privacy laws. The media loves a good data breach, and you may face serious fines if your department does not comply with the privacy laws. With all eyes on the GDPR, you have a couple of months to become (and stay) compliant with that framework, so let’s get started! Privacy Valley has developed a 10-step method that will help your HR department towards better privacy.
Step 1. Start the talk
Starting discussions about data privacy and information security in your department is an important first step in becoming compliant, and it should be an ongoing process. This includes involving relevant stakeholders in determining where you stand right now in terms of compliance and where you want to be, and involving them in the steps described below. Relevant stakeholders could be employees and outside staff working in your department, the data protection officer, Legal counsel and the IT department, employee representatives and relevant external suppliers.
Communication with your staff also includes training them regularly on the requirements of your policies and the law. You should also inform the stakeholders what the risks and repercussions of any non-compliance with the law are, for your company, the data subjects and the employees themselves.
How to?
- You can test your level of compliance and get practical tips on how to improve your compliance and embed it in your HR department with our Checklist: HR Practices
Step 2. Allocate responsibility and spot-check compliance
Formally allocating responsibility for data privacy and information security in your department will help you to effectively manage and co-ordinate data protection and make your business more accountable. The allocation of responsibilities should be part of the (employment) agreements with your staff. Regular spot-checks of compliance with the duties in such agreements will enhance compliance.
If you have a bigger HR department, it is good practice to appoint a data lead (privacy champion) who acts as the first point of contact for data privacy issues and oversees compliance. The lead should be appropriately skilled and have the necessary authority and resources to fulfill their duties.
Step 3. Define and analyze processes and high-risk activities
Some organizations are obliged to record their personal data processing activities. If this is the case, you should record all your personal data processes in the format required by the GDPR. But even if this duty does not apply to your organization, describing and analyzing the purpose, scope and legality of your personal data processing activities is paramount to understanding the risks thereof for the data subjects and your organization, and the measures you should undertake to minimize those risks.
How to?
- You can record your data processes with our Checklist: Privacy Register Controller
Once you have described the processes that include the processing of personal data, you should determine whether any of these processes are high-risk for the protection of personal data. High-risk activities may require that you undertake some further analysis of the risks involved, in the form of a data privacy impact assessment (DPIA or PIA). Common examples of high-risk activities in HR departments are: any use of new technologies, the use of profiling, the processing of information relating to criminal convictions and offences, and any systematic employee monitoring in open spaces or individual monitoring.
How to?
- Determine if you need to undertake a DPIA with our Checklist: Pre-PIA
- If the Pre-PIA results require you to undertake a PIA, you can use our Checklist: PIA
- If you undertake employee monitoring, you can use our Checklist: Employee Monitoring
Step 4. Analyze any third-party suppliers and partnerships
Your HR department most likely works with third-party suppliers who process personal data on your department’s behalf. Think of a payroll company or a pension provider, the supplier of an HR system, a cloud storage provider, company medical services, IT services to monitor employees, etc.
In addition, your department may partner with third parties in the processing of personal data, for example a talent program set up between the HR departments of group companies.
For each third party your department works with, you should consider what your role is (customer, supplier, partner, controller or processor) and clearly agree on your respective obligations regarding the personal data. If you work with processors, you should have processing agreements in place that comply with the GDPR. In addition, your department should have active controls in place to ensure it only uses third-party processors that provide tangible guarantees in terms of expert knowledge, reliability and resources to implement technical and organizational measures to secure your personal data.
How to?
- Analyze your processing agreements with our Checklist: Data Processing Agreement Checker
- Generate new data processing agreements with our Checklist: Data Processing Agreement Generator
Step 5. Inform your staff
Your staff and prospective staff generally have a right to be actively informed about the details of the processing of their personal data by your organization. This means that at the time of gathering, you should inform them about, among other things, the type of data that is gathered and how long you will store it for, the sources of your data, other recipients of their personal data and any international data transfer, the contact details of your DPO, the rights they have with respect to your data processing and where they can complain. In specific cases, you may have an overriding interest not to inform staff. This could for example be the case if you are conducting a fraud investigation.
Step 6. Data subject rights
As indicated in Step 5, your staff have certain information rights with respect to the processing of their personal data. In addition, your staff may initiate an access request to learn which personal data you process about them, request rectification of the data you process, request restriction of your processing or object to it, and request erasure or portability of the data regarding them. If you undertake profiling, e.g. in an automated selection process, or if you undertake certain data processing based on legitimate interest, they have the right to object to this. Your department should have a procedure in place to ensure that all such requests by your staff are assessed and handled adequately and in a timely manner.
How to?
- Use our Checklist: Data Subject Request Handling (individual request) to register any requests and assess how you should handle an individual employee request.
Step 7. Recruitment
During the recruitment process a lot of, often sensitive, data is gathered and exchanged. You should ensure that you limit your data gathering to the data necessary for the type of job and the stage of the recruitment process you are in. For example, if you require background vetting or information about a person’s criminal record, you should carefully consider at which stage of the recruitment process you require these data and what can be done to limit the impact of such a check.
In addition, it is important that you inform prospects about the type of data you gather, how and for what purpose these data are gathered (see the information rights above), and whether any automated decision-making is used in the selection process. Interviewers should be made aware that any interview notes may be accessed by the interviewee. Finally, you should consider that you are required to ensure the safe storage and transit of recruitment data. For example, if you provide the technical means for an online application or require that people submit their application via e-mail, you should ensure the security of, and restricted access to, the system in which these data are received and stored.
How to?
- Review your recruitment processes and get practical tips to improve privacy with our Checklist: HR Practices
Step 8. Retention of data
One of the ways to minimize risk in relation to personal data is simply getting rid of personal data you no longer need or are no longer required to keep. This is easier said than done, though. HR records are considered very valuable, and a lot of organizations are not comfortable with the idea of deleting any data from their HR records. The GDPR, however, requires you to think about retention periods for data and to do exactly that for data that are no longer needed.
This means that you should determine for which purposes you retain personal data and define retention periods based on business need and legal requirements. If you no longer have a legitimate purpose for keeping personal data, you should delete them.
Step 9. Sensitive data and health data
It is not generally necessary to seek a worker’s consent to keep employment records. It will usually be sufficient to inform your staff by following Step 5 above. However, the gathering of any sensitive data should be analyzed very carefully. If sensitive data are collected, consent may be necessary. This is mostly the case if the data gathering is not mandated by law for the employer and there is no other legitimate basis for it.
Please note that any consent given in the context of an employee/employer relationship is subject to extra scrutiny. The consent must be given freely and comply with the other requirements of the GDPR. In an employer/employee relationship, it may be hard to obtain freely given consent due to the power imbalance in the relationship.
Please also note that very strict limitations apply to including health data in employee records. This means you should carefully review your employee records and have a policy regarding the types of health information that may and may not be included there. You should also consider reviewing your occupational health and safety service, any policy regarding sick leave, and any sick leave reduction services offered by third parties.
Step 10. Policies and Data Breach Protocol
The results of your discussions with the stakeholders should be reflected in tangible rules: a policy with do’s and don’ts on data privacy and information security that everyone in your department can follow. Your policies should include guidelines on how to handle personal data and the information security measures that must be followed.
In addition, your employees should understand what a data breach is, and you should have a clear protocol for data breaches.
How to?
- You can check your information security measures by using our Checklist: Cyber Security Quickscan. For a more comprehensive check, you can use our Checklist: Information Security Measures.
- Data breaches may be analyzed and recorded using our Checklist: Data Breaches.
All the Checklists referred to in this article are part of Privacy Valley’s compliance management software, which can be accessed at www.privacyvalley.com. For a free software demo, please contact us at info@privacyvalley.com.
Helena Verhagen