The EU's General Data Protection Regulation (GDPR) has applied in every EU member state (which, at the time, still included the UK) since 25 May 2018, and was extended to Norway and the other EEA EFTA states through the EEA Agreement shortly afterwards. Most media coverage in the run-up to that date focused on keeping customer data safe, partly because of the size of the fines for non-compliance: up to €20 million or 4% of worldwide annual turnover, whichever is higher.
With all the attention on customer data, employee data protection seems to have slipped through the cracks. As a result, HR organizations still struggle to understand and meet their new legal obligations when they collect, process and retain employee data. To understand how GDPR affects HR data collection and processing, we need to look at the issue in more depth.
What Is the Lawful Basis for Processing Employee Data?
When it comes to the lawful basis for processing, the one most often chosen and discussed is consent. For employee data, however, consent is rarely the right choice. GDPR requires consent to be freely given, and regulators take the view that the imbalance of power between employer and employee means an employee can seldom refuse without fear of consequences. There is also a practical problem: HR processes so many kinds of data that a single blanket consent would not be valid, so either employees would have to consent separately to every processing scenario, or the organization needs a different lawful basis.
HR organizations are therefore turning to the other bases in Article 6 of GDPR. Processing that is necessary to perform the employment contract (for example, paying salary into the bank account the employee supplied) or to comply with a legal obligation (tax and social security reporting) does not need consent at all. For other uses that are essential to running the company, legitimate interests can be relied on, with a caveat: the employer must carry out and document a balancing test, and the employee's rights and reasonable expectations can override the employer's interest. Checking an employee's corporate mailbox for business continuity while they are on leave may pass that test; extending the same monitoring to their private correspondence, or to content that is clearly personal, would not.
How Long Should You Keep Your HR Records?
GDPR did not change the retention periods that already applied under the UK's Data Protection Act 1998 (DPA) very much, because most of them come from other legislation (tax, payroll, and health and safety law). Where the DPA left retention undefined and up to organizations, such as for the CVs of unsuccessful applicants, GDPR's storage limitation principle now applies: data may be kept only as long as is necessary for the purpose it was collected for. Unlike the DPA, GDPR also imposes an accountability requirement on HR departments. They must be able to demonstrate why each category of employee personal data is being kept and justify how long it is retained, and their records of processing activities should state those retention periods. The Chartered Institute of Personnel and Development (CIPD) publishes guidance on the key retention periods.
How to Solve the Problem of the Data You Already Hold
GDPR does not apply only to data your HR department will gather in the future. It also covers everything already on file, so every existing category of employee data must be brought into compliance. If you chose legitimate interests (or contract performance) as the lawful basis, you must check that each data set you hold can genuinely be used under that basis.
If not, you either have to delete the data or seek explicit consent to continue using it. That consent must not be bundled into the employment contract, must be as easy to withdraw as it was to give, and employees must be told that they can withdraw it at any time. Another essential piece of the GDPR puzzle is transparency. You have to tell employees, normally through a privacy notice, what data you collect, why, on what lawful basis, how long you keep it and with whom you share it.
Is It Up to HR to Educate Staff about GDPR?
HR is a logical place to start educating staff and driving a change in company culture, but getting it into that position takes some preparation. Everyone in the organization needs to understand both how their own data is used and how they must protect the data they handle. That includes HR departments themselves, whose awareness of GDPR issues is not always high. Still, GDPR is clearly something HR should be dealing with. Changing how people think about data and data protection requires staff who are well trained in best practices and who understand the consequences of non-compliance.
How to Educate Staff about GDPR Compliance
Compliance efforts fail unless staff truly understand the problem. Changing long-standing habits takes initiative, and employees are not always motivated to make the effort. To get everyone on board, start with senior leadership: have them lead by example alongside the HR department by attending training and being actively involved in staff education.
The ultimate goal is to move beyond the vague understanding of GDPR that leads employees to cut corners. Rather than sitting through training and learning nothing, they should come away understanding how GDPR affects their work and what responsibilities they have. This matters most for internal data risks, since many breaches originate with insiders, whether through carelessness or misuse.
Motivating Staff to Go through Training
Many company leaders underestimate the value of some friendly in-house competition, which also helps make training continuous. As part of mentoring employees and helping them become more compliant, you can offer incentives for good training performance: create a competition between departments or teams and give a monthly reward to the most compliant one. The effect on enthusiasm can be surprising, and employees will appreciate it even more if the reward is an experience rather than a simple material incentive. Before starting, of course, you need to decide how much each compliance action is worth; in other words, you need a way to keep score.
GDPR does not have to be a curse or a threat to contend with. Keeping employee and customer data accurate and tidy is good for any business, and GDPR compliance only helps with that. Another way to make sure your employee and customer data is accurate is to use RunnerEDQ’s software solutions, which can be tailored to the needs of your business.