It’s been one year since the introduction of GDPR, so are HR departments doing enough to comply?
A year after the introduction of the General Data Protection Regulation (GDPR) in the European Union on May 25, 2018, the protection and privacy controls of personal data remain hot and contentious issues.
The European Data Protection Board, which coordinates the EU’s data protection authorities, recently reported that regulators brought more than 200,000 cases in 31 countries and issued nearly 56 million euros in fines in the first nine months the GDPR was in effect.
Those fines included the 50 million euro penalty imposed on Google LLC under the GDPR for lack of transparency, inadequate information and lack of valid consent regarding ads personalisation.
While some organisations may feel they have done enough to meet GDPR requirements, many are still finding it difficult to interpret the rules and meet GDPR policies on keeping data safe.
One of the major challenges faced by organisations is mass data fragmentation, where copies of the same data are spread across any number of locations on-premises and in the cloud. There can be so many copies that companies have no idea what data they are holding or what personal information is stored in those copies.
In fact, in a recent Cohesity Research global survey, respondents said they were very concerned about the level of visibility that the IT team has into secondary data across all sites. The survey of more than 900 senior IT decision makers revealed that 87 percent believe their organisation’s secondary data is fragmented across silos and is, or will become, nearly impossible to manage long-term, which could have devastating consequences.
- Data is massively siloed: across backups, file shares, object stores, test and development, and analytics.
- Data copies are multiplying: There are copies of the same data everywhere because point products don’t allow data sharing or reuse.
- Data is spread across multiple locations: Data sprawl is happening on-premises and in the cloud, adding even more management complexity.
Among organisations that store data in public cloud, 74 percent report making an alternate or redundant copy of that data, storing it in either the same public cloud or another public cloud, adding even more data copies to oversee.
With the GDPR still very much in its infancy, many organisations are still getting to grips with exactly how to meet the requirements one year after it was introduced.
The fundamentals of compliance remain the same, though: know what personal data you have, know why you have it, limit access, keep it safe, only keep it as long as you need it, and be transparent about what you’re going to do with it.
With the introduction of GDPR, employees now have far more control over how their data is used. They have the right to access, obtain, rectify and request the deletion of their personal data. They also have the right to be informed of how their data is used and to withdraw consent to it being processed (if consent was required and used as the legal ground for data processing).
The difficulty lies in being able to comprehensively track and trace the data you keep.
Under the GDPR rules, an employer that collects personal data about an applicant during a recruitment process, for example, must provide the applicant with an information notice, also known as a privacy notice or fair processing notice. This is an oral or written statement that individuals are given when information is collected about them.
This notice must set out certain required information, including the purposes for which the data will be processed, the legal bases for processing and the period for which the data will be retained.
Employers should put in place policies setting out for how long recruitment data will be retained.
If the employer intends to keep the details of unsuccessful candidates on file for future recruitment rounds, it must notify them of this in the information notice. It should either obtain the candidates’ consent or notify them of their right to object (if it relies on its legitimate interests as the legal basis for processing).
Recruitment policies should now cover how the employer will deal with unsolicited personal data, for example CVs submitted on a speculative basis. The policy could state that if the employer receives an unsolicited CV at a time when it is not recruiting, it will delete the CV and inform the candidate of this. If the employer holds unsolicited CVs on file for future recruitment rounds, it must inform the candidates of this in a privacy notice, along with the other required information.
Companies now need to articulate what the new rights are for their existing employees and new starters, which may mean reviewing and updating privacy policies to adequately communicate these rights.
HR may need to review and update its current processes to comply with GDPR. For example, under the data minimisation principle HR should collect only the data necessary for the task at hand. This means that companies must limit personal data collection, storage, and usage to data that is relevant, adequate, and absolutely necessary for carrying out the purpose for which the data is processed.
If an employer uses a third-party recruiter, for example a consultant broker that processes a consultant’s data on behalf of a client, the broker will be a “processor” and will itself have obligations under the GDPR. The client must ensure that its relationship with the broker meets the requirements of the GDPR; for example, it must be satisfied that the processor will implement safety measures to ensure the protection of the privacy rights of the data subjects.
Think, for example, about how many times you forward PDFs of applicants’ CVs for the latest roles to your team – and are you sure that those PDFs have been removed from circulation? Imagine if you had a way of reading through an applicant’s profile without worrying about compliance with GDPR.
And that is where Brainping can help.
After you have registered and opened a company account, Brainping stores and presents the profiles, managing the data and making it easy for you to search and assess different consultants. The result is no record-keeping for consultant profiles and less administrative burden for HR to track and delete documentation when it is no longer needed.
With GDPR, your HR team will need to review its current retention policies, along with the process for managing document expiration dates, and make sure that you have legal grounds for requiring and storing the documentation that you hold. For example, an employer is obligated to pay employees, so requesting data to process payment is considered a valid legal ground.
While GDPR compliance may be a challenge, it’s also an opportunity for HR to improve security and transparency, which has the benefit of enhancing an employer’s brand.
A constructive approach to GDPR compliance is to map a data journey that enables you to implement a consistent and reliable framework to address privacy controls across the entire information lifecycle, from the point that data is first received until it eventually needs to be deleted.
Let us know if you have any questions about Brainping and how we can help and advise you: whether you are a consultant interested in joining us and making the most of your consulting experience, or a client who wants to know more about using our services.
There’s a whole world of opportunity for consultants to work together remotely and Brainping is a valuable network for you to access if you are interested in joining the ranks of independent IT consultants or have a small firm of consultants yourself.
Why not send us an email, and say hello!
Image source: www.freepik.com