GDPR assurance in HR processes
HR is so much more than just people operations and processes – there are so many other dimensions. An extremely important aspect of managing HR data is information protection, privacy, and compliance with the GDPR (General Data Protection Regulation). Human Resources and payroll teams are burdened with keeping our personal data and information protected and thus need GDPR assurance within their HR processes and systems.
Data protection issues have an impact on most HR activities and processes, from handling recruitment and joiners, to employee record-keeping, performance monitoring, personal information about next of kin and bank details for payroll. In fact, data is required for every step of the employee life cycle from hire to retire. Employees want to feel that their data is protected just as much as HR teams need GDPR assurance in their processes.
It’s crucial that employers understand their responsibilities and liabilities under data protection law and don’t leave themselves exposed, as recently happened with retailer H&M, who were fined for breaking GDPR regulations.
Businesses have a duty of care, but also a legal obligation to manage employee data responsibly and stay current with data protection principles and any legal and regulatory changes. This is why HR and payroll teams want GDPR assurance built into their systems, and why it’s so high on their wish list.
Data protection laws in a digital age
The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). This currently governs data protection in the UK, imposes obligations relating to data collection on people in the EU, and extends to all data, not just HR. This means organisations need effective, transparent and auditable processes on how they gather, store and use data.
The main focus of this legislation is that “data privacy by design and default” is baked into processes and systems for Data Controllers (companies) that handle subject (employee) data, and that a culture of compliance is fostered and maintained.
It’s also very important to understand the distinction between “data controller” and “data processor”.
The ‘data controller’ determines the purposes for which and the means by which personal data is processed. The data processor processes personal data only on behalf of the controller, and is usually a supplier external to the company. Both data controller and processor have obligations to ensure that the data processed is:
- Processed lawfully, fairly and in a transparent manner
- Collected for specified, explicit and legitimate purposes and not processed in a way that is incompatible with this
- Adequate, relevant and limited to what is necessary
- Accurate and kept up to date
- Kept in a form which permits the identification of the data subject for no longer than necessary
- Processed in a manner that ensures appropriate security for the data
The data controller shall also be responsible for and able to demonstrate compliance with these principles.
Because information and data can so easily be stored and transferred across national and global borders, this can be particularly complex for any worldwide business that holds data on UK and EU individuals.
Data protection can be a real headache for HR teams, who need to trust their systems but also need to trust their data and ensure rules, protocols and permissions are in place.
GDPR assurances in a time of COVID-19 and working from home
The pandemic has added another layer of complexity and risk factors for HR.
- Sharing health information. COVID-19 has meant the addition of new absence types and health information. Employers need to capture this information, but also need to decide whether to disclose employees’ coronavirus infection to colleagues, public health professionals or authorities. Employers have a duty of care for the health and safety of their staff.
- Collecting and storing data is important as this affects payroll and allowances as well as HMRC returns.
- The GDPR puts much emphasis on the employee’s consent to store data – which needs to be explicitly (unambiguously) and freely given. With remote working, obtaining agreements from employees can be harder, and other solutions (e.g. electronic signatures or consents) need to be implemented.
- Working from home has also exposed potential risks for accessing and using data. As businesses have created new processes and systems to enable staff to work from home, this also adds a data risk that must be mitigated. Employers have had to adapt, establishing new protocols and security whilst ensuring that data cannot be downloaded onto other devices.
The double-edged sword of personal and sensitive data
Human resources and payroll teams need access to the right level of data to onboard new staff and set up payroll, pensions and other benefits, which means access by the right people at the right time and with the right level of authority.
Setting up these protocols and permissions based on job description, role, grade or area of responsibility has proved very challenging for many businesses, some of which still move data around using password-protected Excel files and are not capitalising on the security that technology offers. HR technology also provides an audit trail of who, what and when.
Third parties such as payroll providers and recruitment agencies need access as well, but every employer must ensure that the third party is compliant with data protection. The reason why GDPR assurances are such a must for HR and payroll is that they need to trust the data but know that only essential data is shared.
They also need:
- The ability to anonymise or pseudonymise the data
- To ensure employees have the “right to be forgotten”
- The ability to archive and purge data safely
- To ensure appropriate levels of data security are in place, particularly with new working environments
Making the complex feel easy
GDPR and data protection are not straightforward, particularly when a business operates across many territories, but data control and processing are highly regulated for the protection of the individual. It’s hard to remove the complexity, but processes and compliance can be made to feel easy with the right technology.
If you need GDPR assurances in your HR systems, you are not alone – why not talk to our team of experts at elementsuite firstname.lastname@example.org.