The General Data Protection Regulation (GDPR) came into effect on 25th May 2018. It was introduced to raise the bar on data privacy and ensure that personal information – data that can be identified with a natural person – is secured and managed in a way that is much more accountable and robust than in the past.
GDPR has put a huge additional burden on HR teams, with HR respondents to a 2019 survey on the impact of GDPR reporting that the legislation has:
- Significantly increased the burden on HR (76%)
- Resulted in a larger number of subject access requests (SARS) (76%)
- And that HR are concerned that data protection will get even harder if we exit the EU (64%)
Modern, GDPR-compliant HR software systems can significantly reduce the impact of GDPR on human resources teams, freeing up their time, enabling easier compliance and better equipping them to respond as data protection legislation continues to evolve. Here’s how modern, secure and GDPR-compliant HR software can help ensure organisations assure their own GDPR compliance.
Keep HR data secure
The GDPR requires ‘personal data’ to be processed in a manner that ensures its security. Personal data is defined as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’, and covers paper files, spreadsheets and digital documents. The onus is on you as the data controller to demonstrate, for example, that you know where the information is held, why you collect it, how it is used and who has access to it, as well as have effective systems in place to secure it and report any data breaches.
Another consideration is the location of your data. The Information Commissioner’s office says that while the UK Government has already made it clear that they will allow UK data to flow to EEA, in the event of a hard Brexit, the converse is not true and recommends that British businesses review how they handle personal data.
With Cezanne HR, you can store all your HR information in a single, secure online HR system. You’ll benefit from advanced security at every level, from data encryption and role-based access to your HR system, to hosting in Ireland with AWS, the world-leader in robust, secure Cloud-hosting. Learn more about security.
The need to secure paper-based files goes away too. Scanned or digital documents can be uploaded into your Cezanne HR system, and protected by the system’s advanced security. Costs won’t be excessive either. Data storage, including uploaded documents, is included in Cezanne HR’s monthly subscription fees.
Improve data accuracy
Under GDPR you are required to ensure that personal data is accurate and complete and to put it right when it is not. This could be almost unmanageable if employees can’t see what data you hold about them in the first place. The GDPR includes a best practice recommendation that, where possible, organisations should be able to provide remote access to a secure self-service system which would provide the individual with direct access to his or her information.
Cezanne HR combines easy-to-manage employee self-service with roles-based security and approval workflows, so you can allow employees to check and update their own information while staying in control. You can configure Cezanne HR to fit your own processes. For example, to decide what information employees can be allowed to edit, whether changes should be approved and by whom, and where local variations make sense. It’s an effective – and secure – way of helping you with compliance, while simultaneously delivering a service that makes life easier for employees and their managers.
Manage data subject requests
Employees (and job candidates) have the right to request a copy of the data you hold about them. GDPR requires that you respond to data subject requests comprehensively and quickly and without charging (at least the first time). Our survey showed that 76% of respondents cited an increase in these requests since the legislation came in a year ago.
By storing your HR data and documents in one place (your Cezanne HR system), you’ll always know what information you hold about each of your employees. Straightforward reporting and export to Excel for HR administrators means you are better positioned to respond to data subject requests, as well as another requirement of GDPR: the data subject’s right to take their data with them in a manageable, digital format.
Track employee consent
In an employment context, consent is not the most appropriate option for processing most employee data. Read why here. However, there may be occasions when you will need to obtain consent. For example, when collecting and storing information about employees that is not obviously needed to run your organisation, like tracking movements through remote control technologies such as CCTV and GPS, or passing employee information on to a third party for marketing purposes.
With Cezanne HR, you can easily generate personalised communications with e-signatures and track when (and whether) employees have consented. Other important GDPR-related communications, such as updates to your company privacy statements, employment contracts, or data protection policies can be managed and tracked in the same way. As everything is stored centrally, it’s easier for you to see when documents are missing or when you may need to refresh consent, and employees can check back at anytime to see what they agreed to.
Simplify data deletion
Once you no longer need personal data for the purpose for which it was collected, data protection legislation says it should be deleted unless you have other grounds for retaining it. These could be for legislative reasons, or if discarding the data too soon would disadvantage your business. To make matters more complicated, the GDPR expressly authorises individual member states to implement more specific rules in respect of the processing of HR-related personal data. That mean it is important to follow national law developments, in addition to more generic GDPR requirements, and adjust your policies to match.
An important first step is to understand what employee data you hold and why. For example, is it necessary for compliance with a legal obligation, or for the establishment, exercise or defence of legal claims? This will help to inform the basis and timeframe for retaining or deleting data and provide a template against which you can review and delete the employee information you hold.
Cezanne HR includes functionality that allows HR teams to set up policies that automate this process, so you’re less likely to retain data that could breach the regulation. For example, a policy could be defined that deletes some information at the time an employee leaves, and then deletes or anonymises other data, such as information relating to pay, working hours, performance or disciplinaries, when the relevant period relating to statutory requirements has elapsed.
Whatever your approach, it is important that both a regular review process and methodical cleansing of HR databases (and paper-based records) is in place.
Build a culture of privacy
Data-compliance is a company-wide issues, so ensuring that your employees receive appropriate training is part of the solution. With Cezanne HR, you can easily review employee roles and responsibilities, allocate them to appropriate training activities, and set up notifications to trigger a reminder when training or certification is up for renewal or should be refreshed.
And, with the integrated onboarding and performance modules, you can embed data security best-practice and discussions around GDPR compliance into new joiner processes and employee appraisals, so you can ensure it becomes part of your organisation’s DNA.
Keep employees informed
The GDPR regulations require you provide much more information to employees about how (and why) you use, manage and secure their data, and the rights they have over that data. Some of this is better managed through one-to-one communications, especially when tracking or consent is required. However, there is also an argument for embedding your privacy statements in your HR system, or creating an information hub that’s always on and always available.
Cezanne HR provides the option to upload privacy statements to the employee home page, generate and track personalised documents for e-signature, and create dedicated workplaces targeted at different groups of employees if required. For example, to address country-specific requirements.
The portal manager, or managers (who can be anyone you nominate) will be able to upload relevant documentation, include links to relevant third-party sites, post updates with notifications if required, and provide a question and answers forum for employees. It’s an easy way to ensure GDPR visibility and keep compliance issues top of the agenda.
GDPR is complex, and data protection legislation is evolving, so when putting together your own policies you must ensure you are aware of the latest situation and requirements. You may find these sites useful.
Information Commissioner’s Office:
A comprehensive resource covering all aspects of data protection and GDPR in the UK
Bird & Bird
GDPR Tracker: aims to shows how and where GDPR has been supplemented locally
A usefully indexed version of the General Data Protection Regulation.