What Europe's tough new data protection rules will mean for the world of HR

The GDPR regulations will come into force with immediate effect next year.

By John Ghent, CEO, Sytorus

Personal data is everywhere today, which makes it easy to forget how far technology has advanced in the past few years to produce this proliferation of information.

For example, in 1956, a 5MB hard drive had to be forklifted onto a plane for transportation. Now, 5GB USB sticks are readily available and fit conveniently into your pocket, and you can even store data in the cloud.

The history of privacy legislation is inextricably linked with this ever-expanding world of innovation, and the latest legislation coming into force in May next year is the toughest data privacy law in European business history.

Data is the new oil

Data is a hugely valuable asset for any data-driven business, enabling the day-to-day functioning of a company but also offering opportunities to improve customer or employee experience and drive business growth.

However, if not managed correctly, this data could also become a huge liability when the General Data Protection Regulation (GDPR) comes into force in May.

It should be remembered that, unlike previous deployments of data protection legislation, there will be no ‘grace period’.

From the start date, if your business is not compliant your company is at risk of reputational damage and potentially huge fines of up to €20 million or 4% of annual turnover.

Accountability

If you are a data controller – the person or body determining the purposes and means of processing personal data – you are ultimately accountable for the way that your company handles this information.

While accountability has been a requirement of data protection law for some time, the GDPR elevates its significance and, for the first time, data processors – those who process personal data on behalf of a data controller – will also find themselves accountable.

Both data controllers and data processors must be able to actively demonstrate compliance with the GDPR in terms of the organisational and procedural solutions in place to protect personal data.

With so many additional policies and procedures required, and the risks being so high, if you’re responsible for managing and processing personal data, tackling compliance might seem like a daunting task.

While there is no need to panic, now is certainly not the time to bury your head in the sand and assume it doesn’t impact you.

Data in HR

When it comes to human resources, we should approach the GDPR from a life-cycle perspective. This means following the data from recruitment through to mover or leaver policy and everything in between.

There will be a variety of both manual and electronic data in every HR department and consideration should be given to how it is processed.

Experienced data protection officers are thin on the ground: the latest estimates indicate a shortfall of up to 70,000 such roles across Europe, which represents both an opportunity and a challenge.

Where should you begin?

Where appropriate, your organisation needs to appoint a data protection officer or a dedicated go-to resource to manage your company’s obligations under the GDPR.

You must also implement technical, procedural and organisational measures that both ensure and demonstrate that you comply.

This may include reviews of internal HR policies and internal data protection policies, as well as audits of data processing activities.

You need to maintain relevant documentation on processing activities and utilise best-practice tools, such as privacy impact assessments and mandatory logs.

Robust measures which support the principles of ‘privacy by design’ and ‘privacy by default’ should be put into effect. These could include:

  • Be transparent with the data subject (current employees or potential candidates) about how their personal data will be used, for what purpose, why, and who has access to it;
  • Use data only for its intended purpose: unless unsuccessful candidates for a particular role have given explicit consent for their details to be retained for consideration for future opportunities, their details must be deleted;
  • Limit storage of data: for example, the data of candidates who are not employed should be deleted shortly after the recruitment process is complete, as should data relating to previous employees;
  • Avoid excessive data processing: request data from candidates only if it is absolutely necessary for the recruitment process;
  • Ensure the accuracy and currency of data: there is an obligation to keep personal information, such as job titles, up to date;
  • Ensure the security of any stored data through continual improvement of technological systems and organisational structures.

Seize the opportunities

These measures might seem like a lot of work, but they will minimise the risk of data breaches, help to protect the personal data of staff, ensure your organisation’s compliance and allow you to demonstrate this should the regulator come knocking.

And, whilst it’s true that the GDPR presents organisations with challenges, it can also bring great opportunities for companies which use it to build and strengthen trusting relationships with current and future employees and customers.

John Ghent is the CEO of Sytorus and PrivacyEngine. He is speaking at DisruptHR in Dublin on Thursday.
