As a human resources (HR) professional, you may be groaning at the thought of more, required compliance measures. But no one said this would be easy. Some changes are worth the trouble and the GDPR is among those. Plus, noncompliance can be awfully pricey. Companies charged with violating the GDPR face a potential fine of €20 million or 4% of global revenues.
Because the HR department handles sensitive and confidential information, including employee salaries, bank details, contact information, and medical information on a daily basis, HR professionals must make sure they correctly collect and process personal data in compliance with the GDPR. HR doesn’t just handle employee data; they also handle the personal data of temporary or agency workers, contractors, consultants, sales agents, and job applicants. Thus, HR professionals should be well-equipped to lead by example and demonstrate to the organisation how personal data should be handled in light of the GDPR.
Let’s take a look at the top five things HR should do to comply with the GDPR, to process the personal data of employees and job candidates.
1. Gathering Consent
Consent is a major piece of the new legislation, and the GDPR states that companies can only use personal data for the specific purpose authorised. For HR departments, this means employees must explicitly opt in to allow their employer to use their personal data, and they must be made fully aware of how that data will be stored, controlled, and managed. In other words, HR departments must be transparent with their company’s employees about what data is being collected, for what purpose, and how the data will be used.
Should you assume that general consent clauses in employee contracts comply with the GDPR? Not necessarily. A general consent clause that does not outline how the company will use the information, or a blanket consent that covers a broad range of unrelated uses in an employment contract, is not sufficient to enable a company to process an employee’s personal data.
What is sufficient, then? A simple data privacy statement signed by employees. Then, you can only use the data for the purpose for which it was granted; if you want to use the data for a different purpose, you must seek permission in a separate document signed by an employee. Failing to do this exposes organisations to severe penalties.
How should you update consent wording? Review and update consent wording in employment and services contracts, online forms on employee portals, “careers” pages on company websites, and onboarding forms.
2. Ensuring Valid Consent
What does valid consent look like? Under the GDPR, companies must show that employee consent is:
• Freely given, specific, informed, and unambiguous.
• Authorised by a statement or by a clear deliberate action.
• Presented clearly and separately.
• Documented.
• Easy to give and withdraw.
It’s important to note there are exceptions to the consent requirement. HR can process employee personal data without obtaining consent from the employee only when it is necessary to process the data. Such instances include:
• Complying with a company legal obligation, like a request from the tax authorities for details of an employee’s income.
• Protecting legitimate company interests if not overridden by employee rights. For example, detection of fraud or organisational security by reasonable means.
• Fulfilling the employee’s contract, such as processing payroll for an employee.
3. Employees’ Rights to Their Information
Under the GDPR, employees have the right to view and manage their data, including data access requests, data modification rights, and the right to be forgotten.
Employees may have the right to:
• Request mandatory information about how organisations are using their data.
• Access a copy of their personal data processed by organisations.
• Ask for corrections of inaccurate or outdated information.
• Restrict processing of their information.
• Request that organisations delete their personal data, such as when the data is no longer needed for the original purpose.
• Request that information they have given organisations be presented to them in an easily accessible format.
• Object to certain types of processing.
4. Reassuring Employees
The HR department should make a concerted effort to reassure employees of the rights to their data. HR must clearly communicate through bulletins on the company’s intranet, email, and other effective communication channels that employees, temporary workers, contractors, consultants, sales agents, and job applicants have a number of rights when it comes to their personal data. The communiques should include specific instructions for viewing, managing, accessing, and modifying their data, and requesting the right to be forgotten. The language should be clear, prescriptive, and steer employees and others through the processes.
5. GDPR and Recruiting
The GDPR is overhauling the way data is handled during the recruitment process. Prior to processing candidate data, companies must have a legitimate interest. According to the GDPR, you can collect data only for “specified, explicit and legitimate purposes”. So, for instance, you can source candidate data, as long as you only gather job-related information and you plan to contact candidates within 30 days.
To process sensitive data, you must first obtain candidate consent. The GDPR requires you to attain consent when processing disability information, cultural, genetic or biometric information, or to conduct a background check. In these cases, you must explicitly ask for consent and provide instructions to candidates for withdrawing their consent at any time.
You must also be transparent about processing candidate data. Companies must have clear privacy policies that recruiters must make available to candidates. You must also disclose where you store candidate data and state that you will use this data for recruitment purposes only.
The HR department sets the tone and timbre of an organisation’s company culture and establishes processes and procedures for legal and regulatory compliance. Therefore, HR must lead the organisation in GDPR compliance and ensure the other departments align with the GDPR’s mission to safeguard the personal data of temporary workers, contractors, consultants, sales agents, and job applicants.