HR Manager is ready for GDPR

We are ready

In May ’18, the new data protection regulation becomes effective and will affect a large portion of companies. In general this means that data must be handled properly and in compliance with the existing and upcoming demands of this regulation. It is furthermore very important to have all certificates in place, so that all data is encrypted, and for many other reasons. HR Manager is fully compliant with all the demands, since we, as a supplier of software systems to the HR and recruitment business, must be compliant ourselves.

What does GDPR actually mean?

“GDPR” (General Data Protection Regulation) is the English abbreviation for the new EU personal data regulation, which comes into effect on the 25th of May, 2018.

Good practices and respect for data

Digital data is essential to our company, and it is very important always to keep an eye on good data practices when personal data is involved – something that, unfortunately, is not always upheld.

But what is good data practice?

Here are a few examples:

  • Only gather information that is necessary for stated and objective purposes – there must be a reason for the information, and it must be documentable
  • Processing of personal information must be relevant to the purpose for which the information was gathered
  • Register the data correctly and delete it when it is no longer relevant to store

Is there a difference between types of data?

Personal information can be divided into three groups, described in general terms here:

  • Non-sensitive data (can often be processed without consent):
    • Name, contact information, sex, age, interests, education etc.
  • Sensitive data (typically requires a special legal basis or a significant interest):
    • Race, religion, union membership, health information etc.
  • Private matters/information (must typically be processed with consent):
    • Criminal records, personal tests and references

Remember that e.g. criminal records may only be obtained if they are relevant to the position, and it rarely makes sense to store them. Instead you can e.g. ask the candidate to bring the criminal record to the job interview, and then register that you have seen it.

More rights as an individual

The data regulation provides a number of rights for individuals, including:

  • The right to receive information about the purpose for which information is gathered
  • The right to access the data registered about oneself
  • The right to have all data deleted or incorrect data corrected

Consequences if I do not act?

Not acting on the GDPR can have major consequences for corporations, e.g.:

  • a fine of up to 20 million euros or up to 4% of the global yearly revenue
  • media focus in the form of bad publicity
  • loss of credibility with customers, partners, suppliers etc.

Do I need to hire a DPO?

Find out whether you fall into any of the three categories below. If “yes”, you must hire/appoint a DPO (data protection officer), who must ensure that the processing and protection of personal information is upheld.

The three categories:

  1. All public authorities (except courts)
  2. If your company’s main activity consists of processing personal information
  3. If your company’s main activity consists of processing sensitive information on a large scale, or information on criminal offences

Create a compliance report

You must create a general compliance report, typically based on a gap analysis between current and future focus areas with regard to the data protection regulation.

Among other things, this report must describe how data is stored in the company, which data is relevant to store, who has access to the data and how it is deleted. It can be an advantage to create a project group with members from different departments, so that several perspectives on the data flow are brought in automatically.

Data controller vs. data processor

It will be mandatory for corporations to have all data under control and to comply with the different demands and legislation that will be fully in place in May ’18. Typically, it will be the DPO who must map and describe the different areas of the company’s data processing. If no DPO has been appointed, the task will typically land on the desks of IT and HR, who must cooperate to make sure the company is compliant.

There are two important terms that you must know:

  • Data controller
    • A “data controller” is the person who decides the purposes of why and how information is gathered.
      This can e.g. be an authority that has been required to process personal information, or an employer that processes personal information about its employees and customers
  • Data processor
    • A “data processor” is the one who handles information on behalf of the data controller. The data processor never processes personal information for its own purposes and must only use the information in the way agreed upon with the data controller.
      This can e.g. be a corporation that handles another business’ IT systems. It can also be a web hosting provider or a collection agency.

Data processor agreements

A data processor agreement is a written agreement between you as the data controller and the supplier who stores/processes data for you. You must have a data processor agreement with every supplier that stores/processes your data.

We do of course offer data processor agreements to all our customers to comply with GDPR.

The regulation in practice – visual data flows and checklists!

The most crucial element to begin with is to draw your data flow from recruitment to resignation – “from cradle to grave”, as some may call it. It can mean a great deal to know which data is worked with in the corporation. We would also love to help if you need a sounding board or input.

A good idea can be to create a series of checklists based on your everyday reality, with the purpose of creating an overview of what securing compliance means in practice.

Below we have created example checklists within 3 different areas: recruitment, onboarding and HR management. These checklists are meant for inspiration, and everything mentioned is something we can support with our full HR platform.

Check list for recruitment:

  1. Avoid receiving documents from candidates via Excel or e-mail – have a digital process instead
  2. Candidates and unsolicited applicants must accept that you store their data and have the right to know which data you are using and for what purposes. The candidates are also entitled to know who has access to their data and how long it is meant to be stored
  3. Remember that the candidate can withdraw their acceptance/consent at any time
  4. The candidate can, to their own advantage, log in to their own profile to gain insight into and delete information
  5. All candidates’ information must be deleted after the given period (including backup files)
  6. The results from testing tools/references are in some cases sensitive data
  7. Be attentive to which data you are acquiring in the hiring process, such as sex, nationality and much more, which may be subject to country-specific rules
  8. Remember that a criminal record can only be acquired if it is relevant to the position, and it rarely makes sense to store it
  9. Make sure there is a registered log of activities, so you can always go back and see who has done what to the data, and when they did it
  10. Send employment contracts, consents etc. securely by using digital signature
  11. It can be a good idea to have security precautions when logging in, e.g. two-factor login. By confirming identity, this login option can create awareness of the protection of all the data stored on the different computers

Check list for onboarding:

  1. Only gather information that is necessary for stated and objective purposes – there must be a reason for the information, and this must be documentable
  2. Sensitive information regarding new employees should be received digitally, and preferably directly from the employee
  3. Personal information may only be passed on to external parties (e.g. pension providers and payroll providers) in a secure format
  4. Avoid Excel, e-mail and mass involvement of several internal employees by structuring your onboarding process digitally
  5. Send employment contracts, consents etc. securely by using digital signature

Check list for HR management:

  1. An employee has the right to access all data stored about them in the corporation. This must be simple to send to the employee
  2. Obtain consent for storing the employee’s data within the corporation, for who has access to it, and for the use of the employee’s photo(s)
  3. Make sure the HR and employee documents are safely stored
  4. Send employment contracts, consents etc. securely by using digital signature
  5. Divide access levels according to which people should have access to which employees’ data (IT roles, payroll roles, DPO roles etc.)
  6. Try to receive the employee information directly from your recruitment or onboarding system, so you avoid typing information twice and avoid mistyping
  7. Potentially create e-mail notifications for expired driver’s licenses, child certificates, criminal records etc., so you always have the most recent information on the individual employee
  8. Store your appraisal forms and development plans digitally, so there is no doubt about where the data is stored
  9. Stored employee information must be deleted or anonymised when it is no longer necessary or relevant to store
  10. It can be a good idea to have security regulations when logging in, e.g. two-factor login. By confirming identity, this login option can create awareness of the protection of all the data stored on the different computers

Our future work with GDPR

With our three systems, Talent Recruiter, Talent Onboarding and Talent Manager, which can be integrated into one combined HR platform, we offer functionality that supports HR’s work with GDPR.

We have already created an IT document that describes what we are focusing on in our development. We have furthermore created a FAQ about HR Manager and GDPR for all customers who want it. The FAQ covers frequently asked questions about storage of the data, how we store it and which security precautions have been put in place, so that our customers know that we, as a supplier, are compliant.

At the beginning of this year, all of our 800 customers received an invitation to webinars focusing on how to make use of the functionality in the system that has been developed for GDPR.

We would like to have a chat with you

Here at HR Manager we love to tell you how we can contribute to your compliance process for recruitment, onboarding and HR management in ONE combined solution – with the option of integrating the platform with other systems, such as testing, payroll, time registration, time planning etc.

We would love to answer all your questions and be a part of your compliance process. This is why we offer you a no-obligation professional chat about your issues, in which we advise you on the basis of your corporation’s needs.

You are very welcome to contact your local office in Denmark, Norway or Sweden – it will be our pleasure to show you how we can contribute to all your daily processes.