GDPR is important for every department in an organization to understand. In this blog, we’ll look at the specific responsibilities HR professionals have under GDPR.
As you (should) well know by now, the General Data Protection Regulation (GDPR) went into effect today! Many companies have been scrambling to prepare: updating user agreements, changing their data governance processes and training relevant employees in compliance requirements and best practices. The feedback we’ve been hearing is that the training side is where most are behind, and that much of the employee base is still not on board. That’s why I’ve started this series: to help departments that are not being prioritized for GDPR training understand their responsibilities and guide their compliance practices.
In this blog, I’ll be focusing on the Human Resources (HR) department. HR professionals constantly collect and process the personal information of employees and job applicants, and where those people are in the EU, that processing falls under GDPR (GDPR protects data subjects in the EU regardless of their citizenship). Here, I’ll cover what constitutes personal data for HR pros, how the rules on consent have changed, how employee rights have changed and how to be secure and compliant.
Personal data under GDPR
Article 4 of the General Data Protection Regulation states:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
For HR personnel, personal data largely means employee and applicant data: names, photos, bank details, email addresses, medical records, biometric data, etc. Under GDPR, any collecting, processing or storing of personal data must rest on a lawful basis for processing.
Lawful bases for processing
It’s important to understand that HR data is shared between employee and employer, and GDPR treats this relationship as one with an imbalance of power (see Recital 43). That imbalance matters when choosing a lawful basis, because consent given by an employee is rarely “freely given”. Article 6 of GDPR sets out six lawful bases for collecting, processing and storing personal data: consent, contract, legal obligation, vital interests, public task and legitimate interests. To dive deeper into lawful bases, and to have the entire GDPR broken down for you, check out https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/. The ICO also provides a useful table showing which individual rights apply under each lawful basis.
Is all personal data treated the same?
Short answer: no. First, on consent: GDPR is clear that where there is a clear imbalance of power between the parties, consent is unlikely to be freely given and therefore unlikely to be valid, so in the employment context it should be treated as a last resort rather than a default. Second, as an HR professional you’re likely to come across a lot of data that falls under the special categories of personal data. Article 9 of GDPR governs the processing of special category data. It states:
“Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”
The article then goes on to set out the conditions under which collecting, processing and storing such data is nevertheless allowed. Note that Union or Member State law may provide that this prohibition cannot be lifted by the data subject, in which case explicit consent is not available as a condition and one of the other conditions must apply.
As an employer, to collect, process and/or store the types of data outlined above, you must meet at least one of the conditions in Article 9(2). That paragraph lists ten conditions; the four most relevant to employers are below. Read Article 9 in its entirety for the rest. Remember that several of these conditions, including the employment-law condition, apply only where Union or Member State law (or a collective agreement) authorizes the processing and provides appropriate safeguards.
- The data subject gives explicit consent for at least one specified purpose.
- Processing is necessary to carry out obligations or exercise specific rights of the controller or the data subject in the field of employment, social security and social protection law, as authorized by Union or Member State law or a collective agreement providing appropriate safeguards for the rights and interests of the data subject.
- Processing is necessary to the vital interests of the data subject or another natural person where the data subject is physically or legally incapable of giving consent. (Note: if you can protect a person’s vital interests in another less intrusive way, this basis will not apply.)
- “Processing relates to personal data which are manifestly made public by the data subject.”
How HR personnel can be GDPR compliant
There are many things you can do to stay compliant under GDPR, but as an HR professional, here are four important steps to follow:
Increase Awareness Across the Organization
By reading this blog, you’re already doing this for yourself, and it’s important to keep increasing your personal awareness. However, as an HR professional, chances are you have a hand in training across the organization. Make sure that GDPR training doesn’t just go to the IT, security and legal departments. Departments like your own, marketing, sales and others also handle personal data and need to know their role in GDPR compliance. Evangelize GDPR training throughout the organization.
Ensure a Lawful Basis for Processing
You must have a documented lawful basis for processing any employee data of people in the EU (in practice, make that all employee data). Record which basis applies to each processing activity and why. Documentation is critical both for demonstrating compliance with GDPR (the accountability principle in Article 5(2)) and for identifying areas of concern in your data handling procedures.
Involve the Data Protection Officer
Any time you run a project involving personal data, such as an analytics project, involve the Data Protection Officer (DPO) or other data governance authority in your organization early, so the project stays compliant with GDPR requirements and a Data Protection Impact Assessment can be carried out where one is needed.
Follow Security Policy and Know the Breach Procedure
GDPR has a strong focus on security and on the protocol to follow after a security event. HR personnel need to follow organizational security policy, learn how to recognize harmful links, emails and attachments, and know how to report a suspected breach internally. GDPR also sets expectations around the security of personal data (Article 32) and requires the controller to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals (Article 33); where the risk is high, affected individuals must be informed as well (Article 34). I also recommend recording EVERYTHING when it comes to security events: what happened, when you became aware of it, the steps you took to contain it and who in the organization you alerted. This record is what lets you demonstrate your response to the supervisory authority. To learn more about security requirements under GDPR, see Articles 32, 33 and 34, along with Articles 40 and 42 on codes of conduct and certification.
This concludes this post on HR professionals’ responsibilities under GDPR. In the next blog, I’ll go over the specific requirements for marketing professionals. If you are looking for a GDPR awareness training solution for your organization, check out our GDPR Awareness course. This course is built specifically for non-IT employees and covers what GDPR is, what employees’ compliance responsibilities are and best practices for GDPR compliance.
CyberTraining 365 is an online academy that offers nearly 1,000 hours of relevant and cutting-edge cybersecurity and GDPR training. Our training provides the most in-demand industry certification prep courses, including EC-Council, CompTIA, (ISC)2 and Cisco, all taught by leading cyber security experts. All of our offerings are aligned with the National Initiative for Cybersecurity Education (NICE) and ensure the most up-to-date information for this constantly shifting field. With engaging content in a scenario-based format, CyberTraining 365 uses a bite-sized micro-learning methodology that ensures learners are not overwhelmed with information. Our on-demand LMS platform has white-label capabilities ideal for internal training purposes.