GDPR (General Data Protection Regulation) is the recent EU regulation regulation that protects the data of EU citizens, giving them additional control over their personal and other information. There are numerous new standards and rules under GDPR that HR departments must be aware of, including additional rights for your employees, appointing a data protection officer (DPO) and employing a data protection impact assessment.

Under GDPR, employees gain some additional rights with respect to the protection and privacy of their personal data. For example, employees have an extension to their right of access. With GDPR, employees have the right to know how long their employer will keep their data, whether the data in question will be a factor in automated decision-making, whether the data will be transferred abroad, and what safeguards will be included.

For HR departments, this means that you have additional responsibilities regarding employee data. Furthermore, you will have to tell your employees about their right to lodge complaints and the right to rectification. Individual employees also have the right to data erasure in specific circumstances.

To ensure compliance with the GDPR regarding employee data, you can take the initial step of having all employees sign a simple data privacy statement. This indicates that they understand their rights and consent for the use of their data in the ways you outline in the statement. The important thing to keep in mind is that if you ever decide to use the data in another way or share it with a third party for further analysis or other use, this will require additional permission from employees.

Examples of Real-World Impacts

To better illustrate how GDPR impacts your business, let’s look at a few examples. It is common for companies to use email and web analytics as a way to better understand how employees use communication and to improve user experiences.

Because analysis tools collect things such as email addresses or IPs, the data is identifiable. Since that data can be identified, it counts as employee data. As such, you must have consent from employees before you collect that email or web data from them. You must also make it clear how you will use that data, and you can only use it for the purposes you outline.

HR departments also need to rethink what they consider employee data. Personal information regarding employees includes any files, which encompasses the comments or notes recorded during a performance review.

This means that employees must consent to the reviewer regarding comments and suggestions prior to evaluations. They must also have clear information as to who will be able to access those notes and how they will use it.

Controlling Internal versus External Data Sources and Security

GDPR stipulates the appointment of a data protection officer (DPO) in large public bodies or authorities where their core activities involve large scale processing and monitoring of special categories of personal data. This means that nearly all large organizations will need a DPO.

United States-based companies that interact with those in the EU must be particularly careful about data sources and transmission. If you have any interaction with employees or clients in the EU, the GDPR will apply. The GDPR additionally applies for any companies with a single branch in the EU.

If you transfer any business data that applies to EU citizens and it leaves the EU, then there are even more considerations to keep in mind with the GDPR. An example would be your HR department accessing data of EU citizens who are employees within the U.S.

Most businesses will need to be aware of this type of external data as GDPR rights of EU citizens apply regardless of the country they work in or their visa status in that country. Any U.S.-based organization that deals with the EU or its citizens must ensure compliance of GDPR requirements.

Even HR analytic solutions that such organizations may adopt must have special in-built features to ensure GDPR compliance.

Assessing User Access Levels Across the Organization

In terms of access levels to data, you must ensure that there is transparency. Employees must be fully aware of who may access their data and for what purpose. They should know how long it will be accessible. With GDPR, you need explicit consent from employees to share their data with third parties. Implied consent is no longer sufficient.

The right to data erasure is also relevant. Under the GDPR, they have the right to request that you fully delete their data in certain circumstances. This means that you must have a strategy in place that allows you to fully remove the data, including any seemingly small pieces of them.

Determining a Contingency Plan for Breaches

In terms of security, GDPR includes strict mandates surrounding reports of loss or theft of employee’s personal data. If there is a data breach, you must inform both the supervising authority and the individuals whose data may have been affected.

Data encryption and other security measures should be part of the entire HR analytics system so that the risk of data breaches can be minimized as far as possible. Further, a smart analytics system can help the organization to track data breaches as soon as they occur.

Conclusion

GDPR compliance a necessary requirement for all U.S.-based organization having interactions with the EU or its citizens. In this age of big data, when data protection and privacy are key concerns, being well-prepared to deal with GDPR is always a smart strategy for future expansions into the EU.

You can read the GDPR regulation @ https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

Bonnya Mukherjee
Financial Analyst, Pegasus Knowledge Solutions