The need to protect personal data impacts on HR activities daily; from recruitment and performance management to pay and benefits and the need to know next of kin. While it’s important that employers have a good grasp of data protection principles, the real challenge with HR GDPR will be in making sure that acting on those principles is ‘business as usual’.
HR GDPR steps that should have been completed by now
By way of recap, these are some of the key steps you should have taken before GDPR went live in May 2018:
Updated employee documents
- Issued Privacy Statements to all employees.
- Produced a separate Recruitment Data Privacy Statement for applicants.
- Updated your employment contract for new hires.
- Updated relevant sections of the Employee Handbook to explain how you treat data, including the Data Protection Policy.
- Updated any contractor/consultant agreement, to include a data processing agreement.
- Checked, updated or created a data retention policy.
Compliant data processing arrangements
- Carried out a data mapping and audit exercise to find out what employee data is processed, who has access and why.
- Put in place data processing agreements with third parties who process your employee data – e.g. pension and other benefits providers, IT support.
- Reviewed data security provisions and consider issues that could arise from the receipt, storage or other processing of personal data.
- Reviewed all data breach reporting mechanisms to test your ability to report a data breach within 72 hours.
- Tested your ability to respond appropriately to a subject access request (SAR) within one month.
- Issued guidelines and training for employees and line managers about how to manage personnel.
- Checked with the Information Commissioner’s Office (ICO) to see if you should register your company.
Easing the data management burden and HR GDPR responsibilities
Easing the data management burden and HR GDPR responsibilities As employers move on from the implementation of HR GDPR launch compliance to the normalisation of informed, secure data processing, there are various low-cost systems that can reduce the administrative burden of collating, storing, maintaining and deleting personal data. The most commonly used of these include:
Applicant Tracking System (ATS)
An ATS is used to support the recruitment and hiring processes and helps companies to collect, organise and filter applicants. There are quite a few on the market with different features, so you will need to research which one is right for your business.
A job seeker submitting their CV through an online form is interacting with an ATS.
The benefits of an ATS include:
- An online portal for candidates to easily submit their CV and contact data.
- Recruiting managers access candidate details through the portal – no need to circulate CVs.
- Shortlisting, candidate contact, interview scheduling etc. is all done through the portal.
- Historical data is automatically deleted.
- The candidate is in control of their data and can withdraw their information at any time.
- The ATS can be linked to the company careers page so agencies can also submit candidates’ details into the same portal, putting all data in one place.
- Some provide access to additional services, e.g. online testing.
- They can link to HRMS for pre-employment onboarding and auto-population of core data fields.
HR Management System (HRMS)
During an employee’s time with a company a wide range of information about them will be collected, shared and updated; from their address, bank, and pay details to information about their health, performance and conduct. HR GDPR principles apply to all such data, and an HR Management System is a great way for employers to control it.
The benefits of an HRMS include:
- Access to data is managed through security protocols on a ‘need to know’ basis.
- Self-service access gives employees visibility of and control over much of the personal data held on them.
- Data can be quickly and easily accessed, deleted or corrected.
- Employee data is kept in one place.
- Documents can be held in the same system – e.g. employee handbook and policies.
- Additional features are often available, e.g. holiday booking, attendance recording, performance management and reporting.
- Cloud-based systems can be easily accessed.
Data management systems such as these are available at a surprisingly low cost. They not only help companies comply with HR GDPR, but they also help with the administrative burden that goes with employing people.
If you would like any more information or help on working with HR GDPR, please get in touch with Kay Mellor, Head of HR firstname.lastname@example.org
(Image Source: Shutterstock)