Designed to strengthen the protection of personal information, the General Data Protection Regulation (GDPR) came into effect in May 2016. As of May 2018, compliance with GDPR is mandatory, and all organisations will therefore need to review how they record and process personal information.
GDPR does not only cover information about employees; the legislation extends to all personal data collected or recorded by an organisation. This includes information relating to those who buy products and services (or interact with companies in some way). GDPR enshrines the principle that this information belongs to the individuals and not to the organisation.
Information can take many different forms and can of course be recorded using a range of systems and different media. All of this is covered in some way by GDPR. For example, a paper form that an individual has completed, a file attachment sent with an e-mail, and a record held within a database are all covered by GDPR.
The summary below lists the principal requirements of GDPR. These are broken down into four categories (Framework, Security, Consent and Employees), and each point is then expanded upon in the sections further down the page.
Framework
Organisations must:
- consider appointing a data-protection officer
- ensure confidentiality and data-protection policies are updated
- ensure that staff with access to personal data receive training
- ensure that suppliers and other agents have GDPR compliance
Security
Organisations must:
- review who has access to confidential personal information
- record details of how and when personal data is processed
- ensure they implement security measures to protect personal data
- notify the authorities of any breaches relating to personal information
Consent
Organisations must:
- either: have a valid lawful basis to process personal data
- or: obtain consent to record and process personal information
It must be made clear:
- how and when any personal information is collected
- what information is used for, and how it is used
- how long information will be kept, and how it will be deleted
Employees
Employees must be given:
- details of any personal information recorded by the organisation
- the means to review personal information and correct any errors
- a means to object to personal information being processed
- access to an exported copy of their personal information
- the right to have their personal information deleted
Framework
Some organisations are required to appoint a data-protection officer
- A data protection officer (DPO) must be appointed if the organisation is a public authority, or if the organisation carries out certain types of data processing activities (when the organisation’s core activities are large-scale data processing, when the organisation processes special categories of data, for example data related to health, religion, race or sexual orientation, or when it processes data relating to criminal offences). The appointment of a DPO has some very real benefits, and some organisations will therefore choose to appoint a DPO regardless of their obligations under GDPR.
- The DPO’s role is to monitor GDPR compliance, keep management and staff informed about GDPR issues, and provide advice relating to data protection obligations. The DPO will also provide advice relating to Data Protection Impact Assessments and act as a contact point for the supervisory authority. DPOs are also likely to provide data protection policies, raise the awareness of data-protection, provide training, and audit data protection measures.
Organisations must ensure confidentiality and data-protection policies are updated
- Every organisation will have policies that relate to the collection and processing of confidential information (including personal details). These policies and any related procedures will need to be reviewed to ensure that they make provision for GDPR.
- Copies of policies are most often included with employment documentation when an employee joins. Over time these may need to be changed, and up-to-date copies of all policies should be made readily available to employees and other staff. Individuals may be asked to acknowledge that they have read and understood individual policies.
Organisations must ensure that staff with access to personal data receive training
- GDPR requires that staff, particularly more senior staff (who may have access to personal information), understand how the legislation will affect their role, how they need to record and process information relating to employees and other individuals, and what they should not be doing.
- Training can take many different forms: presentations, formal training courses, information provided by e-mail and via the organisation’s Intranet. Training should enable individuals to identify the different types of personal data, and the different media that are used to store it (for example computer-based, paper-based, scanned images, photographs). Training should cover how and why personal information is collected, what information can (and cannot) be recorded, how this information is used or processed, and the measures that are in place to delete it when it is no longer needed.
- Training should also cover what is required to ensure that personal information remains secure. In particular, staff should understand why copies should not be made or kept without a robust justification for doing so, and how this information should be secured and then deleted when no longer needed. Staff should be made aware of the risks associated with putting copies of files containing personal information onto laptop computers, memory sticks or mobile phones.
- Information should be provided to all employees in different formats (for example in a Fact Sheet) to increase awareness of the impact data-security and GDPR has on the organisation. This should highlight the rules and processes that have been put in place within an organisation to ensure GDPR compliance.
- Where staff have access to confidential personal information it is important that the training they receive is followed up regularly with either additional information or with regular refresher courses.
Organisations must ensure that suppliers and other agents have GDPR compliance
- Where employees’ personal information is shared with, or managed by, a third-party organisation, care must be taken to ensure that these organisations comply with GDPR. If payroll information is sent to a payroll supplier for processing, or if a contractor is provided with personal information (to enable them to complete the work they are asked to do), they must comply with GDPR. The organisation must check, for example, that these third-party organisations record, manage and secure this information in an appropriate way, and that all copies of this information (paper-based, held in spreadsheets and e-mails, etc.) are deleted when it is no longer needed.
- Examples of third parties that may have access to employee details are: payroll suppliers, consultants (HR, health & safety, training, other), third-party IT suppliers, SaaS (cloud-based) service providers.
How People Inc. can help
- People Inc. can be used to identify training needs, schedule training courses and ensure that staff training is completed. The system can record comprehensive training records, and can automatically identify training needs for both new staff and for staff who need to attend refresher training. This training information can be reported on making it easy to demonstrate compliance with this aspect of GDPR.
- People Inc. has an area for storing HR documents to make it easier to store and maintain the latest versions of policies, procedures, forms and other HR-related information. Individual employees can access this information via the Employee Self Service module, and it is possible to get employees to acknowledge that they have read the latest version of each document as it is updated.
- People Inc. records information within a copy of SQL Server running within the organisation’s offices. People Inc. employees cannot gain access to records stored within the system. Access is only possible from a user’s PC (via a copy of the People Inc. software, using a valid user-name and password). Where assistance with system implementation is requested by a client, and this entails providing access to personal details, this exercise is covered with a non-disclosure agreement.
Security
Organisations must review who has access to confidential personal information
- Where personal information is centralised within the HR area, it is possible to decide who has access to different aspects of the data, and it is possible to manage this access. It is however normally necessary for information to be collected at departmental level, and sometimes line-manager access to this information is also necessary. If copies of personal information are taken and the details recorded locally (on line-managers’ computers, or within filing cabinets in departmental offices) it is much more difficult to manage the security of these records. But the organisation is still responsible for controlling who is granted access to any copies that are made of personal information.
Organisations must record details of how and when personal data is processed
- For most day-to-day processes (for example managing absence, processing payroll), it is easy to detail how and when personal information will be processed. Organisations need to consider both regular processes and those that are infrequent or ad-hoc, and ensure that they have detailed how the data is recorded and used, who has access to the data during the process and when that data is deleted.
- The responsibilities for the processing of data are assigned to a Data Controller and a Data Processor. These roles may vary depending on the data and the processing in question. For example, if payroll processing is outsourced, the organisation will take on the role of Data Controller, but the payroll bureau will be a Data Processor. Each of these roles has clearly defined responsibilities under GDPR.
Organisations must ensure they implement security measures to protect personal data
- The GDPR legislation is designed to give individuals confidence that information about them is held securely. Organisations must put in place robust measures to ensure that unauthorised access to personal information is prevented and that employee records are not misused or tampered with. Organisations must also formally acknowledge that they are responsible for the personal data they hold, and that they are accountable to the individuals concerned if their personal information is misused, or if the measures they have put in place to protect the information are breached in some way.
- Keeping information secure can be an extremely challenging exercise. Paper-based information can be kept locked in filing cabinets within locked rooms, and computer-based information can be protected using security measures. Ultimately somebody will be responsible for issuing keys, and somebody else will manage user accounts and passwords, and at any point in time a number of people will have the key to a room, or the password for a file or folder on a server.
- Archived records (paper-based or computer-based) are often taken out of the normal filing system and moved to another area to make space. Copies of computer-based information will be taken and saved on back-up media, and this is normally moved to another location to ensure it provides a viable back-up. The security of these resources is as important as the security of the main HR or personnel records.
- Some obvious measures can be taken with regard to computer-based information. Staff should be encouraged not to take copies of personal information (for example, by extracting information and adding it to a spreadsheet). If this is necessary, this information should always be password protected. If staff with access to confidential personal information use laptop computers, the hard-drives should be encrypted (so that they cannot be accessed if the computer is lost or stolen). Personal information (including images) should never be copied to a memory stick or uploaded to a mobile phone.
Organisations must notify the authorities of any breaches relating to personal information
- Organisations must report certain types of data breach to the authorities. This must be done within 72 hours. If the breach is likely to affect individuals adversely, the organisation must also inform the individuals themselves, without delay.
- Organisations must have in place the means to detect a data breach and make provision to investigate and report on any breach. Full records of any breach of personal data must be kept, regardless of whether these are notified to the authorities.
How People Inc. can help
- Some HR systems record data within databases hosted online (on the Internet), where software developers, database administrators and other operational staff are responsible for the security of these systems. People Inc. databases are instead hosted internally on one of the organisation’s servers. This provides organisations with full control over who has access to the information. Only authorised staff (staff working for the organisation) can access the information, create and manage user accounts and access profiles, or take database back-ups. As a supplier, People Inc. staff cannot gain access to the system or any of the data managed within the system. Where an organisation uses People Inc. to record and manage their personnel data, they are then both Data Controller and Data Processor.
- The People Inc. system enables organisations to control the information that each system user has access to. This is achieved using access profiles. It is possible to have as many access profiles as required, and each user account is associated with one or more of these. Access profiles control user-access at field and data-item level. It is possible to specify which screens are visible to a user, which fields are visible, and a range of data items that are visible (for example, just details for the employees working at a particular location).
- ESS access control works in the same way. The level of access can be controlled in fine detail. ESS users will only have access to their own details and, if they are a manager, to some details that relate to the members of their team. In addition, it is possible to use single sign-on functionality with the ESS to remove the need for additional user credentials for ESS users.
Consent
Organisations must have a valid lawful basis to process personal data
- Some personal employee information has to be recorded by an organisation when individuals are employed. It is normally straightforward to provide justification for doing this. If there is a lawful basis for collecting and processing employee information, under GDPR there is then no requirement to gain consent from employees.
- There may well be no justification for retaining some of the records that are currently kept. Organisations will need to review the employee-related information they collect and record and may need to delete records for which there is no reasonable justification.
Organisations must obtain consent to record and process personal information
- Organisations may still look to gain consent to collect, record and process personal information from employees when they first join the organisation. To make this a prominent activity, the request for consent should be made in a separate form (rather than as part of the employment contract or the terms and conditions of employment). The form should make clear that the employee is giving consent to provide their personal information, and to it being used for the agreed purposes. It should also indicate how long that information will be retained for.
- Note that some records are given elevated status by GDPR, for example health-related records. Explicit consent is always required for the processing of health-related information.
It must be made clear how and when any personal information is collected
- It is often possible to find personal information freely available on the internet. This may come from social media sites such as Facebook and Twitter, from other websites or blogs, or from the individual’s LinkedIn profile. If any of this information is recorded or used during the selection or recruitment process, the organisation must ensure that it is either deleted or that consent is gained to enable them to retain it.
- Personal information is collected from the employee when they join the organisation. This might be recorded on the application form they complete, or it may be included in the CV they submitted. Further forms will be used to collect information during their induction. This may include contact details, details of next of kin, information about disabilities and medical information.
- Further information will be collected during their employment. This will include the details provided when employees request leave, when they discuss other personal needs, when they complete forms that relate to their financial situation (and their financial plans), and when (if) they make a complaint or grievance. When legislation and employment terms change, further personal information is likely to be collected.
It must be made clear what the information will be used for, and how it is used
- Most employees will not have a detailed understanding of the GDPR legislation, and it is the responsibility of the organisation to inform employees of their rights. As part of this process they will need to explain why they need to collect and record this information, and what they plan to do with it.
- Different types of information are recorded for different reasons, and used by the organisation to enable them to undertake or complete different activities. Where personal information is collected from employees, the individuals should understand why that information is needed, what it will be used for, and how it will be used.
It must be made clear how long information will be kept, and how it will be deleted
- Once there is no longer sufficient justification for retaining personal information, the organisation must ensure that the details are deleted or destroyed. Clearly this is far more difficult to achieve if the records are paper-based, or if they are combined in a spreadsheet (or other similar document) with information relating to groups of employees or with more recent records (that should be retained). It is also far more difficult to achieve this if the records are fragmented (residing on different systems or within documents created and managed by individual managers).
How People Inc. can help
- Where an organisation prefers to use paper-based forms, it is possible to record the fact that a form has been completed within the employee’s record within People Inc. It is also possible to attach a scanned copy of the forms themselves. Contracts and contract addendums (including those relating to GDPR) can be generated from standard document templates held within the system; these are automatically merged with employee details when they are generated.
- It is possible to manage the sign-off on employment policies (and other documents) using People Inc. A tracking screen can be used to monitor who has not yet signed and returned each employment document.
- It is possible to record and manage consent using an ESS form configured within People Inc. It is easy then to go back to employees to confirm that they still grant their consent, and it is also easy to retain a full history associated with this process. An additional benefit of this approach is that the information would then be available to the employee themselves via the ESS.
- Removing information relating to leavers and unsuccessful applicants is made easy if the records are recorded within People Inc. For example, a utility enables users to remove the details relating to all staff who left before a specified date (a number of years in the past).
Employees
Employees must be given details of any personal information recorded by the organisation
- Information can be recorded in a wide variety of ways, and using a variety of different media. The GDPR regulation covers all of these. A review of the various IT systems used, the processes and procedures, and any paper-based records will enable organisations to provide details of the personal information recorded on each employee. Unless records are then consolidated into a few central systems, this audit may need to be repeated regularly to ensure that full details of personal records are available to individuals.
- Where records and processes are managed within a centralised HR system it is far easier to establish the scope of the personal information that is retained by the organisation. Where line-managers have implemented their own systems to manage information locally (for example using MS Excel, their Outlook calendar, an archive of e-mail messages, or a paper-based filing system) this fragmentation makes it very difficult to control or audit personal information.
Employees must be given the means to review personal information and correct any errors
- It is not uncommon to find that information relating to an employee is either out of date or incomplete. Some of this is likely to change from time to time, for example, home address, mobile phone number, next of kin details, or bank account information. There may also be industry-specific information that should be kept up-to-date, for compliance, commercial or insurance reasons (for example, training records, qualifications, professional membership details).
- When information needs to be updated, it is important to provide an easy way for employees to submit details of changes, to ensure that all the necessary information is provided, and to ensure that the correct staff are informed. For example, if an employee changes their bank account, this information must include an ‘effective date’ and details of the changes must be passed to those responsible for payroll processing.
Employees must be given a means to object to personal information being processed
- This can be achieved using a simple form, providing there is a robust process in place to record details of the request, to review the request, and to take the appropriate action. Employees need to know whom to contact and what the process is should they wish to object to having specific personal information recorded within the organisation’s records.
- It may well be that the employee’s objection cannot be acted upon because the organisation needs to hold records relating to employees for compliance or operational reasons. In this case there should be a way to provide the appropriate feedback to the employee. The organisation should keep full records of the request and what actions were taken.
Employees must be given access to an exported copy of their personal information
- The primary reason for including this in the legislation is to make it easy for individuals to switch service providers (for example when they move a bank account, change insurance provider, or switch energy supplier). The legislation does not, however, exclude employees asking for copies of their personal data.
- When HR information is kept as files on servers, within e-mail software, in filing cabinets, within spreadsheets, etc. it is very difficult to provide employees with a copy of their records. Even when files are stored within folders created on a server, one for each employee, it is not a simple task to grant the employee access to these. If however all HR information is kept within a central database (and all staff understand the benefits of doing this and the problems associated with fragmenting HR information) it is then much easier to provide access to a copy of this information.
Employees must be given the right to have their personal information deleted
- The primary reason for including this in the legislation is to make it easy for individuals to have their details removed from the records of a supplier they no longer use, or have them removed from a mailing list they are no longer interested in.
- Where employee information is concerned, this normally only applies to leavers. It is normal for an organisation to retain some records for a period of time after an employee leaves (providing there is a clear justification for doing this). For example, where an employee has worked within a manufacturing role, it might be appropriate to keep records of the health and safety training they attended, together with records of the safety equipment they were issued.
- The period of time that the organisation keeps information of different types should be clearly specified in a data-retention policy and this should be referred to in the employees’ employment contracts.
How People Inc. can help
- People Inc. is a comprehensive HR system designed to manage all employee-related information. Virtually any information can be stored within the People Inc. system using one of the many standard screens or by creating additional custom screens using the Screen Designer. The system also enables users to attach documents to records (for example, Word documents, scanned documents, e-mails). By keeping all employee information in one central system it is far easier to control what is recorded and who has access to records.
- If personnel records and key processes are managed in a centralised system such as People Inc. it is then much easier to establish the scope of the personal information that is recorded on each employee. Reports detailing the extent of the records relating to an employee can be generated from the system (these are either standard system reports or templates available as downloads from the People Inc. Resources website).
- The People Inc. Employee Self-Service (ESS) module provides individuals with secure access to their information within the People Inc. database. If records are centralised within People Inc. each employee will be able to review their own information via the ESS. The ESS can also provide individuals with access to attached documents, and to reports that detail the scope of the information relating to their records (numbers and types of records).
- Update forms within the ESS enable employees to update key information within the People Inc. system. When a form is completed by an employee, the workflow rules within the system ensure that the appropriate staff are informed. Standard forms are available for all the usual updates; additional custom forms can be added to the system as required. A full history of the updates submitted by employees is retained within People Inc.
- Forms designed to help specifically with GDPR compliance are available for the People Inc. ESS. These include a form to highlight changes that need to be made to details held within the system, a form to enable staff to object to the fact that particular personal information is held, and a form to request that specific information be deleted. Using ESS forms to manage this information ensures that comprehensive records are kept and that each request is acted upon in an appropriate way.
- With all HR information centralised within People Inc. it is possible to enable employees to extract their records (into a PDF-format file or a spreadsheet) using functionality that is available within the ESS. Where information is recorded within file attachments, these can also be made available to the employee via their ESS login.
- Utilities are provided within People Inc. to delete employee records that are older than a specified number of years. Applicant information can be managed in a similar way.
People Inc. and GDPR Compliance
It is clear that an HR system such as People Inc. can help an organisation with GDPR compliance. Implementing People Inc. is an excellent way to centralise and manage personal information. This information will be secure, and it is possible to audit the information that is recorded, make comprehensive details available to individuals, and delete records when they are no longer needed. The system can also record details of GDPR information and GDPR training provided for employees.
But to ensure that an organisation complies with GDPR, it will need to use People Inc. in the right way. It will have to put the correct processes in place, make sure it trains its staff to manage and protect personal information, and monitor how well staff do this.
“You can buy a new fridge, but this will not be sufficient to ensure that you comply with food-safety legislation. To comply with this legislation you have to use the fridge in the right way (make sure it is kept clean, and that the temperature is checked frequently). You have to have the right processes in place, you need to train your staff to prepare and store food safely, and you need to monitor how well they do this.”
Complying with GDPR is not about selecting the best HR software tool. It is about having the controls and processes in place such that you only record personnel information that is required by your organisation, that you look after this information and only use it for the purpose for which it was collected, and that you delete it when it is no longer needed.
Additional Information
External Resources
The following links provide additional information about GDPR. The links are to pages on websites over which we have no control. This information is provided for reference only.