Here is a GDPR (General Data Protection Regulation) update to our article, based on the reforms the European Commission proposed in 2023.
2023 Updates: More frequent monitoring
According to TechCrunch, the national data protection authorities (DPAs) that supervise GDPR enforcement in each member state will be required to report on their large cross-border cases to the European Commission bi-monthly (every two months, or roughly six times per year). The heightened monitoring was put in place after complaints that oversight of ‘big tech’ was too weak; specific criticism pointed to open cases involving Apple, Twitter and TikTok that were still unresolved and pending decisions as of January 2023.
2023 Updates: Required reporting elements of key case details
In addition to the increased reporting frequency, each national supervisory authority must include certain elements in its reports. They are:
- case number
- controller (company)
- investigation type
- investigation summary of scope
- identification of specific GDPR provisions alleged in violation
- DPA (the data protection authority acting as lead on the case, and any other concerned authorities; not to be confused with a data processing agreement between a controller and its processors)
- procedural steps taken to date and the length of time taken to respond
- investigative measures and/or actions taken to date
2023 Updates: Commission Transparency
As the national authorities are required to report these key case details to the Commission more frequently, the Commission in turn has committed to “reporting upon the information that it's getting back from the DPAs.”
2023 Updates: Long arm of the European Union
Even if your small business is headquartered in the Americas or Asia, for instance, you can still be affected by the GDPR. The U.S. International Trade Administration (ITA) warns US companies that fines imposed can “reach up to 4 percent of a company’s annual worldwide turnover or 20 million Euros or even higher.” (The regulation itself sets the cap at whichever of those two figures is higher.) The ITA gives a few examples of scenarios where the GDPR applies to entities operating outside the European Union:
- Use of an Australian content service while on holiday in Germany (an EU member state)
- A US mapping mobile application used by tourists while visiting European cities such as Paris and Rome
For additional information on how the GDPR applies to the collection of EU consumer data, the ITA recommends reading its guideline on the territorial scope of the regulation.
Implications for Recruitment and Human Resources
This section was expanded from the 2022 version to cover recruiting, a process that takes place while candidates are not yet part of the employer’s personnel pool.
Recruiting involves collecting, sorting, analysing and potentially storing candidates’ personally identifying information, including behavioural assessment and personality test results. At this stage, personal information can include contact details, university grades, certification credentials, background screening results, referrals, references, pre-screening notes and interview notes.
Here is a brief synopsis from GDPR Summary. Where an employer relies on consent, it must be explicit and freely given by the applicant before personal information is collected in the course of considering them for employment. Employers should state up front the type of information that will be collected and how it will be processed. Applicants should be told that they have the right to withdraw from consideration at any time. Finally, if application data will be retained for future job opportunities, companies should say so and explain the procedure for withdrawing from consideration for future vacancies. One practitioner’s caveat: consent is only one of the lawful bases the GDPR offers, and because of the imbalance of power between employer and applicant it is often hard to show that consent was freely given; many employers therefore rely instead on processing being necessary to take steps prior to entering a contract, or on a documented legitimate interest, and reserve consent for genuinely optional items such as a talent pool.
Working in human resources means having access to a great deal of information about the people in the employer’s personnel pool. Human resources and information technology staff, as they carry out their daily duties, routinely handle highly sensitive personal data (personally identifiable information, PII) about every employee: date of birth, place of birth, chronological histories of work locations and places of residence, social security number, driver’s licence number and so on. In the wrong hands, this identifying information can be used by criminals to steal a person’s identity for financial gain, which is why it deserves the strongest protection the company applies to any data.
In today’s digital age, transferring and sharing data is far less tedious than it once was. While that brings speed and efficiency, it also makes it easy to underestimate how far data can travel. That is why it is imperative that companies are GDPR-compliant. The GDPR, or General Data Protection Regulation, is a data privacy and security law enacted by the European Union (EU), and it bears especially on people in HR. Here are the key points on what the GDPR means for HR.
A wider scope of responsibility
One thing to understand about the GDPR is its scope. It is not limited to organisations in the European Union. An organisation outside the EU that has employees or freelancers located in the EU is covered for the data of those people. An organisation established in the EU is covered for all of its processing, even where a given employee is not an EU resident.
HR is the central hub of the company for employee information, including highly sensitive personal data. The GDPR does not take non-compliance lightly and imposes penalties for it. That does not mean the GDPR is setting companies up to fail; it stresses the importance of respecting an individual’s privacy.
2023 Updates: Minimizing amount of data collected
Additionally, GDPR Summary advises companies to limit the amount of data they seek to collect from applicants and employees. A rule of thumb: only collect and process the data necessary to reach the decision at hand.
For instance, the answer to the question “What type of pet do you keep?” is not relevant to the job of accountant, so it is not necessary to collect it. Each data element must be assessed against this standard. This applies with extra force to questions about an applicant’s or employee’s health or criminal record: the GDPR treats health data as a special category and criminal record data as subject to its own restrictions, so both require a specific legal justification on top of plain necessity.
Minimizing the period of data storage
Two GDPR principles apply here. Storage limitation means the company must not keep information longer than necessary for the purpose it was collected for. Purpose limitation means not using the data for anything other than that purpose. In other words, be careful with the information entrusted to you.
It also means teaming up with other departments such as Legal and IT to decide how data managed by HR is handled: the period for which each kind of record is kept (commonly somewhere between 5 and 10 years for records subject to statutory retention, but the actual figure depends on the legal obligation behind each record type), what happens to an employee’s data once they leave the company, and which data is still necessary and which can be deleted.
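The retention review described above is easier to reason about when it is written down as a schedule keyed on a trigger event (record creation or the employee leaving) rather than as a single company-wide number. The following Python is an added worked example, not code from the original article or from GDPR Summary; the categories, retention periods and sample records are constructed for the demonstration and are not legal advice, and a legal-hold flag is included because a litigation or regulator hold is the usual reason a record that is past its retention date still cannot be deleted.

```python
"""Retention schedule worked example (added illustration; not part of the
original article). The schedule and records below are constructed for the
demo: real periods must come from Legal and the applicable statutes."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed schedule: category -> (years to keep, trigger event).
# The trigger is either the record's creation date ("created") or the
# date the employee left the company ("left").
RETENTION_SCHEDULE = {
    "application_unsuccessful": (0.5, "created"),  # assumed: 6 months after the decision
    "payroll": (7, "left"),                        # assumed statutory period
    "performance_review": (2, "left"),             # assumed
    "emergency_contact": (0, "left"),              # assumed: delete as soon as they leave
}


@dataclass
class HRRecord:
    record_id: str
    subject: str
    category: str
    created: date
    left_company: Optional[date] = None  # None while the person is still employed
    legal_hold: bool = False             # a hold blocks deletion even when overdue


def deletion_due(rec: HRRecord) -> Optional[date]:
    """Return the date after which the record must be deleted, or None when the
    trigger event has not happened yet (e.g. payroll for a current employee)."""
    years, trigger = RETENTION_SCHEDULE[rec.category]
    if trigger == "created":
        start = rec.created
    else:
        if rec.left_company is None:
            return None
        start = rec.left_company
    return start + timedelta(days=round(years * 365.25))


def retention_review(records: List[HRRecord], today: date) -> Dict[str, str]:
    """Classify each record as 'keep', 'delete', 'hold' (overdue but on legal
    hold) or 'unclassified' (no documented purpose: escalate, never silently keep)."""
    result: Dict[str, str] = {}
    for rec in records:
        if rec.category not in RETENTION_SCHEDULE:
            result[rec.record_id] = "unclassified"
            continue
        due = deletion_due(rec)
        if due is None or today <= due:
            result[rec.record_id] = "keep"
        elif rec.legal_hold:
            result[rec.record_id] = "hold"
        else:
            result[rec.record_id] = "delete"
    return result


# Constructed sample records (fictional subjects).
SAMPLE_RECORDS = [
    HRRecord("r1", "candidate-A", "application_unsuccessful", date(2023, 10, 1)),
    HRRecord("r2", "employee-B", "payroll", date(2015, 1, 10), left_company=date(2020, 3, 31)),
    HRRecord("r3", "employee-C", "payroll", date(2010, 5, 2), left_company=date(2016, 6, 30), legal_hold=True),
    HRRecord("r4", "employee-D", "emergency_contact", date(2019, 2, 14), left_company=date(2024, 5, 20)),
    HRRecord("r5", "employee-E", "performance_review", date(2022, 11, 3)),
    HRRecord("r6", "candidate-F", "pet_type", date(2023, 9, 9)),  # collected with no purpose
]
REVIEW_DATE = date(2024, 6, 1)  # constructed "today" for the review run


def sample_review() -> Dict[str, str]:
    """Run the review over the constructed records as of REVIEW_DATE."""
    return retention_review(SAMPLE_RECORDS, REVIEW_DATE)


if __name__ == "__main__":
    for record_id, action in sample_review().items():
        print(f"{record_id}: {action}")
```

Records that have no category in the schedule come out as "unclassified" rather than "keep" on purpose: a field nobody can tie to a documented purpose is exactly the case the data minimisation discussion above is about, and the safe default is to escalate it for a decision, not to retain it indefinitely.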
Make employees aware of their rights under GDPR
Under the GDPR, employees must be told how their data is processed and what rights they have over it.
– Employees must be informed, and where consent is the lawful basis they must give it explicitly. This covers everything HR collects from their personal information, down to their résumés. It is not a matter of breezing through a form: what is collected and how it is processed must be explained in plain terms, and where consent is relied on the employee must clearly state that they understood and agree. Where the processing rests on another lawful basis (a legal obligation such as payroll reporting, or the employment contract itself), the employee still has to be informed, but consent is not what makes the processing lawful.
Right to be Forgotten
– An employee has the right to request that their data be deleted, particularly when the data is no longer necessary. For instance, once they have left the organisation they can ask for their information to be deleted. The right is not absolute: records the company is legally required to keep, such as payroll and tax records still within their statutory retention period, can be retained, but the employee should be told which records those are and why.
Right to Object and to Withdraw Consent
– Just as an employee can give consent to data processing and collection, they can withdraw it at any time, and processing based on that consent must then stop. Separately, where processing rests on a legitimate interest, the employee can object to it and the company must stop unless it can show compelling grounds that override the employee’s interests. This is not the employee exercising power over you; if they feel their personal information is being used in a way that does not seem right to them, they are well within their rights to object to that use.
Ensure active participation in observing GDPR
Once your organisation’s GDPR checklist is up and running, one thing is certain: GDPR compliance takes continuous effort. It is not something you finish once. Remember, the information you are handling belongs to people.
This means taking technical and organisational measures proportionate to the sensitivity of the data being protected: access to HR records limited to the people whose role requires it, encryption of the data at rest and in transit, and logging of who accessed what. Appointing a data protection officer (DPO) helps ensure that the right level of care is applied; note that a DPO is mandatory in some cases, for example for public authorities and for organisations whose core activities involve large-scale processing of special categories of data such as health information.
Moreover, in the event of a personal data breach, the GDPR requires the company to notify the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected, and to inform those people without undue delay when the breach is likely to result in a high risk to them. Informing your own management promptly is what makes meeting that deadline possible: the incident response team needs time to establish what data was compromised, contain the exposure and decide whether the affected records should be deleted or restored.