What is GDPR?
GDPR stands for the General Data Protection Regulation, the EU’s data privacy regulation, which went into effect on May 25th, 2018. Any company operating under the European Union is subject to GDPR, whether it is based in Europe or not, as long as it has employees or freelancers residing in the European Economic Zone. Third parties who handle personal data must also comply with GDPR standards of data processing.
How GDPR Impacts HR
GDPR changed the requirements for personal data management, giving employees the following rights:
- Right to rectify: Employees can request that their data be updated or deleted.
- Right to request deletion: Employees can request that their data be deleted, in whole or in part.
- Right to obtain: Employees can request a copy of their data in digital format; such requests are known as “Data Subject Access Requests”. To help companies meet this requirement, PlanetVerify provides a feature which sends a list of all data items to the data subject with a single click.
- Right to object: Employees have the right to stop their data processing.
Companies, for their part, are entitled to process personal data under the following conditions: contractual requirements, legal obligations, vital interests, consent, legitimate interest, and tasks carried out in the public interest. The condition of “legitimate interest”, in particular, does provide companies with at least some measure of flexibility when it comes to managing personal data.
Since HR deals directly with employees’ personal data, GDPR has impacted HR in a number of ways:
- Third parties are now held accountable. If the HR department outsources the processing of personal data to another company, that company is subject to GDPR compliance just as much as the outsourcing company is.
- More data is subject to GDPR compliance. GDPR has created a broader definition of personal data, which it defines as “any information relating to an identified and identifiable natural person.” The previous directive (the 1995 EU Data Protection Directive) covered the ‘identifiable’ person only.
- The scope is wider. GDPR covers all EU-based employees, as well as those outside the EU who handle, store, manage, or process EU residents’ data. Employees are subject to GDPR whether they are in Europe or outside Europe, so long as they handle data within the European Economic Zone.
- Reporting data breaches within 72 hours. Supervisory authorities and affected employees should be notified of a breach without unnecessary delay.
- Data Protection. Appointing a Data Protection Officer is a GDPR requirement for those outside Germany.
How HR Departments can meet GDPR Compliance Requirements
There are a number of steps HR can take to ensure they remain GDPR compliant.
1. Limit personal data access: One of the ways to handle data in a GDPR-compliant manner is to ensure that only the right employees have access to the right data. Lock down system-based rules and permissions where necessary so that team members who do not require access to employee personal data do not have it. You should also extend a strict permissioning policy to cover any outside vendors and contractors who are given system access.
2. Review and update HR processes on an ongoing basis: The introduction of GDPR in 2018 meant companies, and HR teams in particular, had to review and update many of their processes. Now, some years later, companies must not get complacent. In fact, GDPR fines are rising each year, so companies should review their processes on a regular basis and look to eliminate any potential risks. For HR teams in particular, it is best practice to apply the data minimization principle when managing personal data, meaning companies should limit the collection of personal data to what is strictly necessary to accomplish a specified purpose.
3. Review privacy policies: HR should work with the relevant departments, be it Legal and/or Compliance, to review privacy policies on a regular basis. Not only does GDPR require that employee rights around personal data are upheld, these rights must also be clearly stated.
4. Data purging strategy: HR teams should ensure they have a data purging plan in place. One way companies can find themselves breaching GDPR is by holding onto an employee’s personal data for longer than is required. Every file or data item that the company no longer needs should be deleted promptly.
5. Document everything: Keep an inventory of the data collected over time and note how that data was used. Having such a comprehensive record helps when responding to questions from regulators.
There are a number of GDPR misconceptions that have arisen since it was introduced.
- GDPR does not apply to non-EU companies. This misconception can cost companies dearly. GDPR applies to non-EU companies who meet one of the following conditions:
  - Companies who provide goods or services in the EU.
  - Companies who monitor the behaviour of EU-based individuals.
  - Companies who have branches in the EU.
Growing GDPR Awareness
In general, there is a growing understanding of the importance of personal data and GDPR compliance. Employees now expect their personal data to be handled with care. RSA Security LLC, an influential US security company, showed in its Data Privacy & Security Report that people are starting to care a great deal about privacy issues. 72% of US respondents said they would boycott a company that appeared to disregard the protection of their data, and 50% of all respondents said they would be more likely to do business with a company that could prove it takes data protection seriously. Another striking finding from the survey was that 62% of respondents would blame the company rather than the hackers for data loss in the event of a breach.