HR plays a crucial role in an organisation’s GDPR (General Data Protection Regulation) compliance.
The department is full of personal data, whether it’s of employees, their next of kin or candidates responding to job adverts.
With such an active role in processing sensitive information, HR staff must make sure they’re doing everything necessary to protect employees and meet their regulatory requirements.
Let’s take a look at five issues that HR must address when handling personal data.
Lawful basis for processing
An organisation must always document the reason it’s processing personal data. The GDPR outlines six lawful bases that will be appropriate in different circumstances:
- Consent: the individual agrees to the data processing.
- A contract with the individual: for example, to supply goods or services they have requested, or to fulfil an obligation under an employee contract.
- Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement.
- Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s).
- A public task: for example, to complete official functions or tasks in the public interest. This will typically cover public authorities such as government departments, schools and other educational institutions; hospitals; and the police.
- Legitimate interests: when a private-sector organisation has a genuine and legitimate reason (including commercial benefit) to process personal data without consent, provided it is not outweighed by negative effects to the individual’s rights and freedoms.
Before the GDPR, consent was considered the easiest way to process personal data lawfully, but the Regulation has not only toughened consent requirements but also made it impossible for organisations to use consent to collect employees’ personal data.
That’s because it states that consent can’t be freely given if there’s an imbalance of power, which would be the case between an employee and employer.
HR departments must therefore seek an alternative legal basis, the most appropriate generally being contractual necessity, a legal obligation or legitimate interests.
Data subject rights
They may be colleagues, but when it comes to their personal data, you must treat everyone in your organisation as data subjects in the same way as you would with customers or clients.
That means making them aware of their rights concerning the way your organisation processes personal information. There are eight data subject rights:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights related to automated decision making, including profiling
The right of access is by far the most commonly exercised, because employees tend to review the way an organisation processes their data before lodging a complaint.
Your data protection policy must state that employees are welcome to submit a DSAR (data subject access request) and explain how they can do this.
There shouldn’t be a formal process; any written or verbal DSAR will do, even if it’s as simple as an employee saying, ‘I’d like to see what data you’re keeping on me’.
As such, everyone in the HR department should be trained to recognise when a request has been made and the process they should follow to ensure they get the requisite information and respond within the one-month deadline.
Job applications
HR departments receive vast amounts of personal data whenever they post a job opening. CVs or applications will contain names, addresses, email addresses and employment history.
As with employee data, you must explain both your lawful basis for processing and how applicants can exercise their data subject rights. You could put this on the application form or link to it on your job posting.
Although the documentation process should be relatively straightforward – it’s generally accepted that you need to provide personal details when applying for a job – you should pay attention to data retention.
The GDPR states that organisations can only keep personal data for as long as it’s necessary for the purpose that it was collected. UK employers are legally required to hold on to job applications for six months, in case a candidate lodges a discrimination case.
However, you might want to retain data for longer than this – for example, if an applicant is unsuccessful on this occasion but might be suitable for future roles. This is an example of legitimate interests, and your data retention policy should state this if there’s a chance that you might want to hold on to applications.
Acceptable use policies
There’s a good chance your organisation already has an acceptable use policy. It clearly explains that employees are supposed to be spending their time in the office working, giving employers reasonable grounds to discipline or punish those who don’t spend enough time doing their job.
But those who ignore this policy are not only slacking off but also potentially jeopardising the organisation’s security.
Many of the disreputable websites that organisations ban are renowned sources of malware and viruses, which can cripple networks or, in the case of keyloggers, surreptitiously siphon sensitive information.
Employees should also be instructed not to download files from untrustworthy sites or their personal email accounts. The organisation’s spam filters and anti-malware technology don’t extend to personal emails, so it only takes one employee clicking a phishing email to infect the whole organisation.
You must therefore make it clear that acceptable use policies are as much about data protection as they are about ensuring a productive workforce.
Employee monitoring
Although organisations might be tempted to implement monitoring tools to make sure employees follow acceptable use policies, they should be very careful about how they do this.
Employers are entitled to keep an eye on what their staff do during office hours, but both CCTV footage and browser histories are considered personal data under the GDPR, so organisations need a lawful basis before processing them.
They must also be as deliberate and as unobtrusive as possible in their monitoring. Under no circumstances are employers justified in using exhaustive or automated monitoring methods (such as spyware) to look through an employee’s browser history and workplace communications on the off-chance that they’ll find evidence of misuse.
Employers should also refrain from methods that leave no trace of their monitoring, such as physically sitting at the employee’s computer and looking through their private communications.
Get your team on the same page
Data protection is everybody’s responsibility; it’s no good having senior personnel understand their legal requirements and best practices if the rest of the team aren’t sure what to do.
Everyone who handles sensitive information needs expert training to avoid costly mistakes.
You can get started by enrolling on our Certified Introduction to Data Protection Training Course.
Designed by the team that introduced the world’s first certified GDPR training programme, this one-day course introduces your staff to your compliance requirements and the steps you should take to protect personal data.