
Reviewing Your HR Department’s GDPR Compliance

By Nicolas Zeguido - 25 Sep 2019

GDPR is not just about website pop-ups, customer surveys or marketing. When GDPR started to roll out in May 2018, many human resource departments had to review their privacy and personal data policies for internal staff. Personal data is “any information relating to an identified or identifiable natural person.”

GDPR non-compliance can highlight HR inefficiencies or HR database vulnerabilities. For instance, in March 2019, Uber drivers filed a GDPR-based lawsuit because the company took longer than the 1-month deadline for Subject Access Requests. Later, in July 2019, Citrix Systems was hit with an employee class action lawsuit for not adequately securing employee data. The inherent vulnerabilities led to a 6-month hack uncovering financial details of employees and their dependants.

These are indeed high-profile cases. But the number of employees does not affect the severity of the consequences. Keeping this in mind, the six GDPR pillars that all Human Resources departments should pay attention to are: transparency, purpose limitation, data minimisation, accuracy, storage limitation, and integrity and confidentiality. We address each of these pillars below and explain why they relate to human resources and employee data. This post can either reassure you or be a wake-up call to re-evaluate your HR processes!

Transparency and Purpose Limitation: GDPR and Employee Privacy

Privacy goes back as far as the applicant data held in the employee’s file. You can consider this the first point at which you view a (now) employee’s personal data.

Whether they submitted their application through an ATS or signed a paper form with an external recruitment partner, the applicant should be served with a privacy notice. Purpose limitation is the principle that the purposes for which you collect data must be documented and presented to the individual. Background checks also fall under privacy. These checks should be proportionate and only carried out after you extend an offer.

After the candidate is chosen and onboarded, HR staff can act as representatives and reassure employees that their right to privacy will be respected. If your organisation must monitor your employees, then extra care should be taken so that they are aware of why the monitoring is necessary. If there are any employee concerns about the organisation’s use of their data, HR should provide a secluded space where the employee can voice those concerns.

Accuracy: Handling Subject Access Requests

Under GDPR, an employee, as a “data subject”, has the right to request the personal information being used about them via a Subject Access Request (SAR). Subject Access Requests should be made through official channels.

ACAS advises that an SAR should be made in writing and include:

  • The full name, address and contact details of the requester.
  • The requested information required for retrieval and the corresponding time period.
  • Employee identifiers, e.g. employee ID numbers or account numbers.

When reviewing your SAR processes, you should confirm that you are able to quickly show:

  • Which employee data is being stored.
  • Why this data is being stored.
  • How the data is being processed and for what business use.
  • The rights the employee holds while you are processing their data.

As a data controller, your HR teams should let the employee know, and deliver on, a reasonable timeframe to fulfil their request. Note that the Data Protection Act’s 40-day response policy has been shortened to a one-month response deadline under GDPR. Other transparent details you can give are which information the business can provide after an SAR and the extent of the search your organisation will be undertaking.

If the 30 days have passed and it is decided that the SAR won’t be fulfilled, the employee has a right to know the reason for refusal and the right to judicial appeal.

Data Minimisation: Qualifying Legitimate Interest for Personnel Data Collection for GDPR Compliance

You could run into a lot of questions about the data after an SAR or an audit. Organisations should be able to prove a “legitimate interest” for any piece of data they hold. Relying on an employee’s catch-all consent by itself is a thorny matter because there can be underlying power dynamics at play: an employee could feel they have no choice but to consent.

Employee data should only be acquired and processed if it is necessary for the employee to fulfil their role or for the organisation to fulfil its obligations to them. One example is financial information so that their salary can be processed. If you suspect there might be a challenge to the appropriate use of employee data, you should check whether or not your company has a “legitimate interests policy”.

A legitimate interests policy gives an overview of the situations in which a piece of information is processed by HR (or any department, really) and the valid reasons for that processing. Don’t treat it as an inconvenient layer of bureaucracy. A “legitimate interests policy” is an opportunity to review any data waste!

Storage Limitation: HR GDPR Policies for Data Retention and Disposal

GDPR has introduced a “storage limitation” principle. All data should be on a retention schedule within legal time limits and must not be kept indefinitely. Not all employee and HR information follows the same retention schedule.

As HR staff, you should always review and keep up to date with the latest document and records retention periods. Also, keep tabs on your organisation’s security measures for existing data and its policies on how the data will eventually be destroyed or disposed of.

Employee data can live in many mediums. It can include e-signatures for a new contract, hand-filled surveys, or salary information in spreadsheets. From an organisational standpoint, being able to quickly retrieve employee data benefits storage limitation audits, SARs, and security breach reporting. We recommend converting as many of your paper forms into electronic data as soon as possible so you can create e-discoverable databases.

Integrity &amp; Confidentiality: Employee Data Breach Reporting and GDPR Compliance

You may think you have fulfilled your GDPR obligation to your employee once the SAR has been done and dusted. But the data (and your compliance) can still be taken out of your hands.

If at any time a data breach occurs that would compromise employee data, the relevant legal authorities *and* your employees need to be notified. The current reporting time-frame is 72 hours. You should check that your organisation has internal processes in place that can meet that time-frame. Ideally these should match ICO recommendations on data portability.

Employee Data Breach Prevention

There are ways to ensure that employee data remains secure while satisfying GDPR requirements. One method is using a system, or working with a partner, that follows any of the following international standards: ISO 27001, ISO 27002, ISO 27017 or ISO 27018. If you happen to use SaaS or managed hosting, one piece of good news is that most managed hosting providers follow ISO standards.

Other organisation-wide suggestions fall under IT best practices. Standards should be in place for the authentication, encryption, and authorisation protocols used by devices and databases holding employee data.

Need a Hand?

Data Capture Solutions (DCS Ltd) regularly automates and secures files held by large HR departments. Our managed services division can provide a free consultation to explore where you are in your digital journey, such as the best way to approach records management, automation, or weaponizing business intelligence.

Browse our HR Solutions

View or print our HR brochure

Here is a webinar slide deck you can take with you for digitising your HR records. See the slide deck.