In May 2018, the EU will introduce a new set of data rules known as the General Data Protection Regulation (GDPR). The new rules will apply to any business that handles the data of EU nationals (including their staff) and breaching any of the regulations can see sanctions reaching up to €20 million or 4% of global turnover (whichever is greater), so it’s clear that your business will need to comply sooner rather than later.
GDPR will have serious implications for HR and staff management as companies will need to have more flexible systems for their data. Let’s take a look at six key ways that GDPR will affect your HR department and understand the changes that you will need to make in order to become compliant.
1. Consent is Required
While consent has been required in order to hold staff data for many years, GDPR rules will introduce the need for “specific, informed and unambiguous” consent, so it is likely that any consent that you currently gain from staff to hold their data will have to be reworded so that there is no opportunity for uncertainty in what data is being collected.
Additionally, your staff need to be provided with the opportunity to withdraw their consent at any time, so your system will need to be easily editable. It is thought unlikely that the standard consent clauses commonly seen in employee contracts will be acceptable under the new rules, so it is probable that your business will need to have new contracts created for everyone.
2. Data Cannot Be Saved Indefinitely
The GDPR rules state that organizations will only be allowed to hold onto data for as long as is necessary for them. A good example of this is the data of temporary employees – you may need to hold these details for only very short periods, after which you will no longer be allowed to keep the data. That is, unless you have gained consent, as mentioned earlier.
It may be necessary for your business to switch over to a new HR management system. For example, if the current system does not give you the option to recall and permanently delete data that is no longer relevant or needed, you might need to change over to a GDPR-compliant system like the staff rota software from Planday, which has been specifically designed to hold and control all of your staff data from one place.
3. Data Can Only Be Used for the Intended Purpose
It should also be noted that HR departments will be limited by GDPR in what they can use employee personal data for. Specifically, it will be the case that employees will have to be informed what the data will be used for and the company will not be allowed to use it for any other purpose. There has been speculation that this may inconvenience businesses that use a large pool of freelance staff, as the rules may prevent the storage of personal details without permission.
It might also be necessary for businesses to get in contact with a large number of people who they have worked with in the past in order to gain consent to use their data in future.
4. Data Breaches Must Be Notified
Undoubtedly, one of the major reasons GDPR has been implemented is to deal with the huge increase in hacking and cyber-attacks. There has been growing concern among lawmakers that companies are not doing enough to protect themselves and the data that they hold from criminal hackers. In particular, GDPR has made it a part of the law that businesses must notify anyone affected by data breaches within 72 hours of becoming aware of the breach.
This applies to staff data as well, so employers need to tell employees if their personal data has been stolen "without undue delay".
5. Criminal Record Checks
While GDPR does not prevent the carrying out of standard or enhanced Disclosure and Barring Service (DBS) checks, the new rules may no longer permit routine basic DBS checks on all employees. Even gaining consent to do so is unlikely to be lawful under the regulations.
6. Data Should Be Encrypted
All data collected by the HR department will need to have security measures placed on it to be compliant with the GDPR rules. Any kind of sensitive personal data needs to be handled carefully, and one of the most effective ways to keep it protected is to encrypt the data. But don’t limit encryption simply to the HR data that you store. To stay completely compliant with the regulations it’s important to encrypt data transmissions as well as emails, to ensure these are protected from any potential cyber-attacks.
Another way to add a layer of protection is by using strong authentication and access control. By limiting the number of people who have access to specific data (giving access only to people who need it), you can mitigate the risk associated with losing the data or having it hacked.
It’s a smart idea to conduct a full review and audit of all of your current HR data storage processes to ensure that your business is completely compliant before GDPR comes into force on 25th May 2018.
About the Author
Mike James is an independent writer, tech specialist and cybersecurity expert based in Brighton, UK. Published in many of the leading online and print magazines, he is a featured writer on Ethical Hacking, Penetration Testing - and how best these technologies can be implemented to businesses of all shapes and sizes. Mike also writes about the odd recipe and exercise regime, when not on the heavy geeky stuff!
Note: This blog article was written by a guest contributor for the purpose of offering a wider variety of content for our readers. The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of GlobalSign.