HR and GDPR

Please find below 16 basic steps your HR department should follow if your company wants to ensure GDPR compliance.

1. The Company should understand the confidential nature of its employees' personal information and commit to being transparent about how it collects and uses employee data and to meeting its data protection obligations.

2. Whenever we mention employees, this also includes trainees, ex-employees and candidates.

3. To comply with regulatory requirements, organisations must ensure that sufficient information is provided to all employees to make them aware of their rights and obligations under data protection regulations.

4. Non-compliance with data protection laws or with the requirements for protecting employees' personal data may result in disciplinary action or termination of employment.

5. Companies should implement an employee data privacy policy and an employee data privacy notice. Training and awareness are also mandatory under GDPR.

6. When processing employees' personal data, companies should comply with data protection laws and regulations to ensure that the personal information held is:

  • Used lawfully, fairly and in a transparent way;
  • Collected only for valid purposes clearly explained to the employee and not used in any way that is incompatible with those purposes;
  • Relevant to the purposes it has been collected for;
  • Accurate and kept up to date;
  • Kept only as long as necessary to satisfy the purposes it has been collected for;
  • Kept as secure as possible, following the Company's technical and organisational security standards.

7. The type and amount of personal data collected by companies depends on the nature of the employee's position and role, and shall be limited to the minimum necessary to accomplish reasonable business purposes. Common examples of personal data collected from employees are:

  • Personal contact details such as name, title, addresses, telephone numbers and personal email address;
  • Date of birth;
  • Gender;
  • Marital status;
  • Next of kin and emergency contact information;
  • Tax number;
  • Bank account details, payroll records and tax status information;
  • Visa information;
  • Salary and annual leave information;
  • Start date and, if different, the date of the employee's continuous employment;
  • Leave date and the employee's reason for leaving;
  • Location of employment or workplace;
  • Recruitment information (including copies of right-to-work documentation, references and other information included in a CV or cover letter or provided as part of the application process);
  • Employment records (including job titles, work history, working hours, holidays, training records and professional memberships);
  • Compensation history;
  • Performance information;
  • Disciplinary and grievance information;
  • CCTV footage and other information obtained through electronic means such as swipe card records;
  • Information about the employee's use of the company's information and communications systems;
  • Professional insurance;
  • References and correspondence that may produce legal effects (mortgage, loan, etc.);
  • Subject access requests;
  • Trust deeds, rules and minute books;
  • Whistle-blowing reports and documents linked to an investigation;
  • Training information;
  • Conflict of interest disclosures;
  • Gifts and hospitality documentation.

8. There are certain types of personal data, called sensitive personal data, which require a higher level of protection, such as information about a person's health or religious or philosophical beliefs. Information about criminal convictions also warrants this higher level of protection. Companies should be aware of their obligation to provide proper and sufficient protection to all employee personal information, applying a higher level of protection to sensitive data.

9. Companies need further justification for collecting, storing and using sensitive personal data, and must have in place the appropriate policies and safeguards that the law requires when processing such data. Most commonly, special categories of personal information are processed in the human resources context in the following circumstances:

  • under limited circumstances, with the data subject's explicit written consent;
  • where the company needs to carry out legal obligations or exercise rights in connection with employment;
  • where it is needed in the public interest, such as for equal opportunities monitoring.

Less commonly, companies may process this type of information where it is needed in relation to legal claims, where it is needed to protect the interests of data subjects (or someone else's interests) and the data subjects are not capable of giving consent, or where they have already made the information public. It is important to include these possibilities in the company's privacy policy and in the employee data privacy policy and notice.

10. In all cases, before processing sensitive personal data, whether in the context of human resources or not, you must seek advice from your DPO.

11. It is usual for companies to hire third-party service providers (including contractors and designated agents) to manage certain HR, accounting and financial functions. Such providers are required to take appropriate security measures to protect personal information in line with the data controller's policies, and they should not be allowed to use personal data for their own purposes. Companies should only permit third-party service providers to process employees' and customers' personal data for specified purposes and in accordance with strict.

12. Before installing HR software, a Data Protection Impact Assessment should be performed.

13. Before engaging third-party service providers, make sure a data processing agreement is in place, prioritise providers based in the EU, and assess whether the service provider has appropriate technical and organisational security standards.

14. All employees are accountable for safeguarding the personal data of customers and other employees.

15. If your work involves handling employee data, your responsibility is greater and you should follow these good practices:

  • Be attentive to the firm's retention schedule.
  • Do not disclose employees' personal data to third parties. Personal data should only be accessed on a "need to know" basis and disclosed only when authorised.
  • Prevent data breaches by keeping your workstation organised, with paperwork locked in drawers, and avoid accessing employee information in the presence of unauthorised personnel (even if that person is also an employee).

16. Companies should implement policies and procedures covering remote working (a Remote Working Policy) and any case in which employees are allowed to access company, customer and employee data through their personal devices (a Bring Your Own Device Policy).
