Please find below 16 basic steps your HR department should follow if your company wants to ensure GDPR compliance.
1. The Company should understand the confidential nature of the personal information of its employees and should be committed to being transparent about collecting and using employee data and to meeting its data protection obligations.
2. Whenever we mention employees, the term also includes trainees, ex-employees and candidates.
3. To comply with regulatory requirements, organisations must ensure that sufficient information is provided to all employees to make them aware of their rights and obligations under data protection regulations.
4. Non-compliance with data protection laws and with the protection of employees' personal data may result in disciplinary action or termination of employment.
6. When processing personal data of employees, companies should comply with data protection laws and regulations to ensure that the personal information held is:
7. The type and amount of personal data collected by companies depends on the nature of the employee's position and role, and shall be limited to the minimum necessary to accomplish reasonable business purposes. Common examples of personal data collected from employees are:
8. There are certain types of personal data, called sensitive personal data, which require a higher level of protection, such as information about a person's health or religious or philosophical beliefs. Information about criminal convictions also warrants this higher level of protection. Companies should be aware of their obligation to provide proper and sufficient protection to all employee personal information, taking into account the higher level of protection required for sensitive data.
9. Companies need further justification for collecting, storing and using sensitive personal data. Companies should have in place the appropriate policies and safeguards that the law requires them to maintain when processing such data. Most commonly, special categories of personal information are processed in the human resources context in the following circumstances:
10. In all cases, before processing sensitive personal data, whether in the context of human resources or not, you must seek advice from your DPO.
11. Companies commonly hire third-party service providers (including contractors and designated agents) to manage certain HR, accounting and financial functions. Third-party service providers are required to take appropriate security measures to protect personal information in line with the data controller's policies, and they should not be allowed to use that personal data for their own purposes. Companies should only permit third-party service providers to process employees' and customers' personal data for specified purposes and in accordance with strict.
12. Before installing HR software, a Data Protection Impact Assessment should be performed.
13. Before engaging third-party service providers, make sure that a data processing agreement is in place, that you prioritise companies based in the EU, and that you assess whether the service provider has appropriate technical and organisational security standards.
14. All employees are accountable for safeguarding the personal data of customers and other employees.
15. If your work involves dealing with employee data, your responsibility is greater and you should employ the following good practices:
16. Companies should implement policies and procedures covering remote working (Remote Working Policy) and any situation in which employees are allowed to access company, customer and employee data through their personal devices (Bring Your Own Device Policy).