HR departments deal with personal data daily, so the introduction of the EU General Data Protection Regulation (GDPR) will have a big effect. Staff will need to follow different processes for collecting and storing personal data, and learn how to comply with individuals’ strengthened rights.
For example, under the GDPR, organisations need to inform data subjects of their rights to access any personal data that the organisation stores on them and to rectify or erase personal data that is inaccurate or unnecessary. They also need to let data subjects know how long their data will be stored and if any data will be transferred to third parties.
However, these requirements are relatively straightforward compared to other parts of the GDPR. We’ve outlined three of the biggest challenges HR departments must address.
Many organisations rely on consent to process employees’ personal data, but as AmCham Belgium explains, this approach has been strongly criticised. The problem largely stems from the imbalance of power between the employee and employer. Employees often feel obliged to consent, or else they’ll be labelled as ‘not a team player’, or worse yet, made to feel that they have something to hide.
The GDPR nullifies any consent that is given between an employer and employee. It also emphasises that consent is only one legal basis for processing data, and advises organisations to only seek it if no other legal ground applies.
AmCham Belgium writes: “This could be the contractual necessity (e.g. for the processing of employee payment data), a legal obligation (e.g. for the processing of employee data in relation to social security) or the legitimate interest of the employer (e.g. in the context of employee monitoring).”
According to a 2016 CareerBuilder survey, 70% of hiring managers and HR professionals said they used social media sites to screen potential candidates, and 57% said they were less likely to interview a candidate who they couldn’t find online.
Given the amount of data people post publicly online, it’s easy to see why HR departments would want to ‘snoop’ on people – particularly as some of these platforms encourage users to list their place of work. However, the practice will be more closely scrutinised under the GDPR, and organisations need to document legitimate reasons for looking up employees and candidates.
For example, employers would be permitted to research an individual if it came to their attention that they had posted confidential company information on social media or were making derogatory comments about the company or any of its staff.
If, in doing this, the employer came across additional information that they weren’t specifically looking for, they should ignore it.
As AmCham Belgium writes, the GDPR introduces a number of new requirements that should “trigger a shift from paper-based compliance to actual and demonstrated compliance in the field. As a result, the obligations to notify processing activities to the data protection authorities will be abolished”.
The new requirements include the appointment of a data protection officer (in some circumstances), carrying out data protection impact assessments and consulting with data protection authorities before commencing new data processing activities.
Prepare for the GDPR
Organisations preparing for the GDPR will probably have a team of compliance practitioners putting in place the appropriate measures. However, it’s equally important that anyone who handles personal data – whether they are in HR or another department – is aware of their obligations.
Staff awareness training is an essential part of GDPR compliance, but it can be tricky putting together a comprehensive programme that addresses everything employees need to know. That’s why many people use our GDPR Staff Awareness E-learning Course.
This online course provides a thorough overview of the GDPR, explaining the Regulation’s principles and requirements. It uses simple, clear terms, so it’s ideal for anyone whose job involves handling personal data, regardless of whether they have any knowledge of the GDPR.