The HR Problem With GDPR

Current HR systems don’t really support how companies usually expand internationally. Various HR service providers are needed for international payroll, benefits, foreign entity requirements, relocation, expat taxes, time and attendance management abroad, and more. This combination of remote services requires wrangling a unique mix of supporting service providers for each country.

Layer GDPR on top, and it’s a daunting task to be compliant. It’s difficult to have real oversight into the data security and compliance processes of your internal teams and third party vendors if you’re not connecting everyone through a secure system to control access rights, secure data sharing, and track data flows.

Due to a lack of good solutions, even larger companies are managing their international employees, customers, and prospects in spreadsheets and then sharing access broadly by emailing entire files to team members and third party service providers – expecting them to use the information they need and ignore the rest. They may share a file using Dropbox or Google Drive for certain documents, but again, oversight and reporting are limited in these cobbled-together workflows.

GDPR Requirements And Technical Solutions

In Part 1 of this series, How Technology Helps HR Manage GDPR, we discussed how Data Privacy by Design, or building data privacy into a company’s technology, can support HR in its GDPR compliance.

In Part 2, we’ll take a look at some of the GDPR requirements that significantly impact HR teams. These aspects of GDPR will be important to consider before capturing and processing employee and recruiting data. We’ll then review how technology solutions can simplify HR GDPR compliance for each of these requirements.

Ongoing Transparency

Transparency requires that, before any processing, you share what specific employee personal data you and all of your third party HR service and cloud providers collect, how you will all use that personally identifiable information, with whom it will be shared, and for how long. You must be transparent before you capture and process that data.

Transparency prior to processing data is important for communicating your intent to your recruits and your employees. This information is usually shared via a privacy policy that the data subject, such as an employee or recruit, is presented with to review. Employees often will not have the option of opting out of data processing, but they do need to know what data you collect, who has access, and what the purpose of the processing is. We’ll discuss this in more detail below.

Company employee privacy policies need to be continually updated if you change how you process data or the outside data processing vendors you use. You’ll also want to track ‘consent’ or acknowledgement, version by version, so you can respond if someone asks you to show where an employee or recruit acknowledged that they received and reviewed the data privacy policy. This manual process can get overwhelming as your business grows, so having software to manage privacy policy versioning and tracking is essential.

Checklist: HR GDPR Ongoing Transparency

  • Transparency opt-in privacy policy for recruits, kept on file for each recruit if using consent as basis for processing data
  • Transparency ‘Acknowledgement’ of receiving privacy policy, kept on file for each employee
  • Continual updating – privacy policy versioning for when policies or outside service providers change
  • Clarity for what data your company and HR services have access to and are allowed to process
  • Ability to easily report on each employee when a Subject Access Request is received
  • Ability to opt out of automated profiling for recruits and receive manual review instead

Technology Solutions: HR GDPR Ongoing Transparency

  • Automated ‘push’ of updated privacy policy to all active employees and/or recruits
  • Capture of push and acceptance or acknowledgement of privacy policy
  • Easy retrieval of acceptance/acknowledgement for proof if questioned, including any and all versions and pertinent dates
  • Quick capture of all data stored and processed for individuals, including how it’s used, by whom, and who has access to it
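As an added example (not Globig’s code or any product’s), here is a minimal register that implements the push, capture, and retrieval items above: every published policy version must be acknowledged again, unacknowledged subjects can be listed, and the per-person acknowledgement history can be pulled as proof. Names, dates and processors are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass(frozen=True)
class PolicyVersion:
    version: str
    effective: date
    processors: tuple  # outside processors named in this version, e.g. a payroll vendor

@dataclass
class AckRegister:
    """Tracks which privacy policy version each data subject acknowledged, and when."""
    versions: list = field(default_factory=list)
    acks: dict = field(default_factory=dict)  # subject -> {version: date acknowledged}

    def publish(self, version: PolicyVersion) -> None:
        # Publishing a new version is the 'push': everyone must acknowledge it again.
        self.versions.append(version)

    def record_ack(self, subject: str, version: str, when: date) -> None:
        if version not in {v.version for v in self.versions}:
            raise ValueError(f"unknown policy version {version}")
        self.acks.setdefault(subject, {})[version] = when

    def in_force(self, today: date) -> PolicyVersion:
        """The version whose effective date is the latest one not after `today`."""
        return max((v for v in self.versions if v.effective <= today),
                   key=lambda v: v.effective)

    def outstanding(self, subjects, today: date) -> list:
        """Subjects who have not yet acknowledged the version in force on `today`."""
        cur = self.in_force(today).version
        return sorted(s for s in subjects if cur not in self.acks.get(s, {}))

    def proof(self, subject: str) -> list:
        """Evidence for an audit or SAR: (version, effective date, acknowledged date)."""
        by_ver = {v.version: v for v in self.versions}
        return sorted((ver, by_ver[ver].effective, when)
                      for ver, when in self.acks.get(subject, {}).items())

# Constructed sample data, not real records: two employees, two policy versions.
def demo():
    reg = AckRegister()
    reg.publish(PolicyVersion("v1", date(2018, 5, 25), ("PayrollCo DE",)))
    reg.record_ack("alice", "v1", date(2018, 5, 28))
    reg.record_ack("bob", "v1", date(2018, 6, 1))
    # A new benefits processor changes how data is shared, so a new version is pushed.
    reg.publish(PolicyVersion("v2", date(2019, 1, 10), ("PayrollCo DE", "BenefitsCo FR")))
    reg.record_ack("alice", "v2", date(2019, 1, 12))
    return reg.outstanding(["alice", "bob"], date(2019, 2, 1)), reg.proof("alice")
```

In a real system the acknowledgement entries would be append-only and timestamped by the server, not editable by HR staff, so the proof holds up if challenged.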

Consent vs. Legitimate Business Interest For Employees

In the employee-employer relationship, the GDPR makes it clear that there is a distinct power disadvantage for the employee when agreeing to data processing rights requested by an employer. It’s not enough for an employee to opt in and provide consent for the data processing an employer needs and wants to do. Because of this, the basis for processing data between an employer and an employee will most likely be ‘Legitimate Interest’.

Learn More About Legitimate Interest: Guide To The GDPR Legitimate Interest – IAPP

Employers will be required to weigh the data privacy rights of their employees against their own need for data processing, and to collect and process only the data they need to fulfill their responsibilities to the employee. This weighing should be documented and communicated clearly to employees through the company’s employee privacy policy.

An example of data processing is payroll. In order to pay an international employee, an employer will most likely hire a third party HR payroll service in that country. The company will need to collect, share, and process personally identifiable data with the payroll processor. Managing the privacy policy versioning, weighing of interest, and ongoing documentation is best done with technology instead of manually. A system that can track versions and employee acknowledgements and report on them is much easier than keeping track by hand.

Checklist: HR GDPR Consent vs. Legitimate Business Interest For Employees

  • Weigh employee rights versus data processing needs under Legitimate Interest
  • Document your thought process for why you’re processing the data
  • Obtain your legal team’s confirmation of Legitimate Interest as a legal basis for all your data processing
  • Document other safeguards to support your data processing, such as robust security when sharing data within your company and with third party processors, access controls between you and your third party processors, time-based processing, data access revocation and erasure when completed

Technology Solutions: HR GDPR Consent vs. Legitimate Business Interest For Employees

  • Maintain clear documentation of your policies around legitimate business interest and make it easily available to your employees
  • Build in automated safeguards that support your policies, such as data security, control over who has access to employee data, including revoking that access when it is no longer needed

Consent vs. Legitimate Business Interest For Recruits

When you are gathering resumes for a job you’re posting, you are collecting personally identifiable information. Recruits also need to know how you plan on using their data. GDPR specifically requires that data subjects have the right to opt out of automated profiling and request that a person review their resume. You will need to decide if your basis for processing data for recruits will be Consent or Legitimate Interest.

Checklist: HR GDPR Consent vs. Legitimate Business Interest For Recruits

  • Provide a privacy policy opt-in for ‘Consent’ or a privacy policy to acknowledge if you’re using Legitimate Interest for recruits prior to processing their data
  • Make it easy for recruits to opt out of automated profiling and to be manually profiled without any negative consequences
  • Make it easy for Data Subjects to request information about what data you are collecting, using, storing, and sharing and make it easy for your company to reply to any Subject Access Requests (SARs) – More on SARs below

Technology Solutions: HR GDPR Consent vs. Legitimate Business Interest For Recruits

  • Maintain clear documentation of your policies around how you use recruits’ data and your legitimate business interest and make it easily available to your recruits
  • Build in automated safeguards that support your policies, such as control over who has access to recruit data, including revoking that access when it is no longer needed
  • Give your recruits an easy way to opt out of automated profiling
  • Give recruits an easy way to submit a Subject Access Request

Right To Rectification

Employees and recruits have the right to know what data of theirs you have and how those data are being used. They also have the right to request that their (potentially prospective) employer quickly corrects data that are not current or are incorrect. Your responsibility is to make it easy for employees and recruits to know what data you are collecting and storing about them, for them to easily review it, and to provide an easy and quick process for updating that data.

Checklist: HR GDPR Right To Rectification

  • Provide an easy way for employees and recruits to request insights into what data you are collecting about them
  • Provide an easy way for employees and recruits to communicate with you if there are errors in their data
  • Quickly respond back and update data errors or omissions

Technology Solutions: HR GDPR Right To Rectification

  • Provide password-protected portals for employees and recruits to view their personal data
  • Give employees and recruits an easy way to update/correct their data or request that you update/correct it

Right Of Access To Data – Subject Access Requests (SARs)

Similar to the Right To Rectification, employees and recruits have the right to request reports on all of the data you are collecting, how their data are being secured, who has access to their data, and what ‘processing’ is being done by you and all third party services. This official request is called a Subject Access Request (SAR), and you need to have a process for employees and recruits to request this information. You have only 30 days to reply to SARs once they have been submitted, and you cannot charge for preparing these reports – no matter how much effort is required of you to put them together.

Checklist: HR GDPR Subject Access Requests

  • Provide a way for the employee to submit a Subject Access Request for oversight on the data being collected
  • Alert the HR team about a SAR
  • Utilize a system that makes it easy for you to compile data for your response to SARs
  • Monitor that any SAR has been responded to within 30 days

Technology Solutions: HR GDPR Subject Access Requests

  • An online, automated process for submitting SARs
  • Automated alerts when SARs are submitted
  • Secure database that can be searched for all data related to an individual
  • Easily reviewable results in a format that is accessible to the recipient

Right To Minimal Processing

Minimal processing means gathering and storing only the data you really need to do your jobs, controlling who has access to that data, and revoking access once the legitimate reason for processing is over. A software solution to manage data access rights and document data use is critical, as this would be hard to manage and prove without technology support.

Checklist: HR GDPR Right To Minimal Processing

  • Gather and store only the minimum amount of data necessary to do your jobs
  • Control who has access to each data type by role and project
  • Document and be able to report on access controls and data use

Technology Solutions: HR GDPR Right To Minimal Processing

  • Access control systems that allow company administrators to designate and assign roles with access to only the data needed to do individual jobs when processing employee and recruit data
  • Automated systems to show who has access to what data
  • Automated reporting to provide proof of access and controls

Right To Portability

The Right To Portability ensures that employees can take their data to another company. When using Legitimate Business Interest as the basis for data processing, you don’t have to provide a data subject with an option for porting their data away, but if you use Consent, you do. This means that most likely you won’t have to provide an easy way for your employee to take all their data to another employer.

Checklist: HR GDPR Right To Portability

  • Determine if you have a responsibility to port data
  • If so, ensure you are able to gather all of the data you have collected to share in an easily readable and easy-to-port format such as a PDF or other simple file

Technology Solutions: HR GDPR Right To Portability

  • An easy means to capture all data related to a data subject
  • Results provided in an easy-to-read format after being pulled from your systems

Right To Erasure

Employees do have the right to request that data no longer needed are erased. HR managers will need to know what data are required for retention by each country and region so they don’t erase information they are required to store. In the US, for instance, each state has its own laws regarding what employment data must be stored, and that variability also applies to foreign jurisdictions.

Checklist: HR GDPR Right To Erasure

  • Be clear on what data must be stored and for how long by country and region
  • Make it easy for employees to know what data you are storing and a simple process for them to ask that unnecessary data be erased
  • Best practice is to keep only the data absolutely necessary to do your job while being compliant with employment laws

Technology Solutions: HR GDPR Right To Erasure

  • Easy processes for removing data from your databases
  • Ability to demonstrate compliance
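As an added example (not Globig’s code), here is an erasure routine that checks each record against a per-jurisdiction retention table before deleting, and emits an audit ledger so you can demonstrate what was erased, what was kept and why. The retention periods, jurisdictions and records are constructed placeholders, not real legal periods; a record with no rule on file is routed to manual review rather than erased, which is the failure mode the section warns about.

```python
from datetime import date

# Constructed placeholder retention periods in years; NOT real legal periods.
# Real values must come from counsel for each country or state where you employ people.
RETENTION_YEARS = {
    ("DE", "payroll"): 10,
    ("DE", "application"): 1,
    ("US-CA", "payroll"): 4,
    ("US-CA", "application"): 2,
}

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)

def erasure_decision(jurisdiction: str, record_type: str, created: date, today: date) -> dict:
    """Decide whether one record may be erased on request. A missing rule yields
    'review' rather than erasure, so nothing legally required is deleted by default."""
    years = RETENTION_YEARS.get((jurisdiction, record_type))
    if years is None:
        return {"action": "review", "reason": "no retention rule on file for this jurisdiction"}
    until = add_years(created, years)
    if today < until:
        return {"action": "retain", "until": until.isoformat()}
    return {"action": "erase", "reason": f"{years}-year retention period has expired"}

def process_request(subject: str, records: list, today: date) -> list:
    """Apply the decision to each of a subject's records and return an audit ledger
    (what was erased, what was retained and why) to demonstrate compliance."""
    return [{"subject": subject, "record_id": r["id"], "decided_on": today.isoformat(),
             **erasure_decision(r["jurisdiction"], r["type"], r["created"], today)}
            for r in records]

# Constructed sample records for one former employee (not real data).
SAMPLE = [
    {"id": "r1", "jurisdiction": "DE", "type": "payroll", "created": date(2015, 3, 1)},
    {"id": "r2", "jurisdiction": "DE", "type": "application", "created": date(2020, 6, 15)},
    {"id": "r3", "jurisdiction": "FR", "type": "payroll", "created": date(2019, 1, 1)},
]

def demo() -> list:
    return process_request("former-employee-42", SAMPLE, date(2023, 1, 1))
```

The ledger itself is a retention record: keep it, but it should hold only identifiers and decisions, not copies of the data you just erased.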

Globig’s GDPR Technology Solution

As you can see, there are quite a few GDPR requirements where the ultimate goal is a technology solution that automates ongoing GDPR compliance management and makes it part of HR’s normal business workflows. Globig’s data-privacy-by-design software platform is built to help HR teams be efficient and compliant, automatically.

Want to learn more? Watch our quick video tour to see how Globig’s technology can take the burden of GDPR compliance off HR’s shoulders.

And contact sales@globig.co if you’d like to talk about how Globig can support your company with GDPR and international business expansion.


As a disclaimer, this information is not intended to provide professional legal advice, nor is it our recommendation that you use it as the sole basis for making organizational decisions, especially in relation to the GDPR. Instead, it is our highest level recommendation that you use it for informative purposes and in preparation for working with legal counsel, or other data protection expert before finalizing any decision that will affect the future of your business or organization.
