Part of working in human resources is gaining access to a great deal of information about the individuals in the employer’s personnel pool. Most notably, human resources and information technology professionals, as they carry out their daily duties, have access to highly sensitive information (personal private information, or PPI) about every employee working at the company. Identifying information such as date of birth, place of birth, chronological histories of work locations and places of residence, social security number and driver’s license number is routinely collected and maintained by the human resources and information technology departments. In summary, this personally identifying information can be used by nefarious individuals, criminals and hackers to steal another person’s identity for financial gain.
Today’s digital age ensures that transferring and sharing data is no longer as tedious as it once was. While this guarantees speed and efficiency, it is also very easy to underestimate what that capability implies. That is why it is imperative that companies be GDPR-compliant. GDPR, the General Data Protection Regulation, is a data privacy and security law enacted by the European Union (EU). It applies especially to people working in HR. Here are the key changes and what GDPR means for HR.
A wider scope of responsibility
One thing to understand about GDPR is its scope. It is not limited to organizations located in the European Union. Even organizations outside the EU that have employees or freelancers residing in the EU are covered by GDPR. It also applies even if said employee isn’t an EU resident.
HR is the central hub of the company, and that includes highly sensitive information about employees such as their personal information. GDPR does not take non-compliance lightly and will impose penalties. This does not mean GDPR is setting companies up to fail; rather, it stresses the importance of respecting an individual’s privacy.
Minimizing the period of data storage
One of the GDPR mandates is data minimization. This means the company must not store any information longer than necessary. It also means not using the data for anything other than the sole purpose for which it was given. In other words, it means being careful with the information entrusted to you.
It also means teaming up with other departments such as Legal or IT to decide how to handle the data that HR manages. This includes deciding the retention period for data, which can range from 5 to 10 years; deciding what to do with an employee’s data once they are no longer working with the company; and classifying which data is necessary and which could be deleted.
Make employees aware of their rights under GDPR
Under GDPR, employees must be made aware of their rights regarding how their data is processed.
Consent – Employees must consent to having their data processed. Here, data means anything that HR collects from their personal information, down to their resumes. It is not a matter of breezing through the whole thing either: data collection and processing must be explained to the employee in detail, and they must explicitly state that they understand and consent to it.
Right to be Forgotten – An employee has the right to request that their data be deleted, particularly if that data is no longer necessary. For instance, if they are no longer with the organization, they are entitled to have their information deleted if they want it to be.
Right to Refuse – Just as the employee gave their consent for data collection and processing, they can also withdraw it. It is not a matter of exercising their power over you. But if they feel that their personal information is being used in a way that does not seem right to them, they are well within their rights to object to that usage.
Ensure active participation in observing GDPR
Once your organization’s GDPR checklist is up and running, one thing is certain: compliance with GDPR takes an active, ongoing effort. It is not something you complete once and get over with. Remember, the information you are handling is connected to real people.
This involves taking appropriate measures commensurate with the sensitivity of the data being protected. You could also appoint a data protection officer (DPO) to ensure that the utmost discretion is exercised, as well as strengthening your IT by opting for end-to-end encryption so that data cannot be read by anyone other than its intended recipients.
Moreover, in the event of a data breach, the best thing to do is to take responsibility and inform higher-ups of the breach within 72 hours. That way the appropriate course of action can be taken while doing damage control, and an assessment can be made as to whether the data has been compromised and should be deleted.