Human Resources (HR): what's new with the GDPR?
Resumes, pay slips, social security contributions, even sick leave: human resources departments within companies are required to process significant quantities of personal data. The volume of this data keeps growing as new technologies are integrated: in addition to this traditional information, there are now video surveillance images, geolocation data from company vehicles outside working hours, biometric data, and usage information provided by the technological tools in use.
The HR department, a hub for personal data
The human resources department, which is central to a company, therefore holds large quantities of strategic data, some of which is confidential or even sensitive. In addition to the personal data of employees, which is collected throughout their career, from recruitment to departure, information is also stored on candidates, temporary staff, freelancers or consultants…
It was therefore essential that this sector be covered by the new requirements set by the GDPR.
The GDPR imposes new constraints on human resources
Only data that is strictly necessary for a particular task may be collected for that task. For example, it is forbidden to ask an applicant for his/her national insurance number or the job held by his/her partner. Such data is neither relevant nor necessary at this stage. The data collected must be deleted quickly when it is no longer useful.
In addition, all staff must be informed of all personal data collected, as well as of all the ways in which it is processed or collected. It is necessary to obtain the consent of each member to collect and process their personal data. Of course, it is also necessary to respect their classic rights relating to their data: right of access, right of rectification, right to be forgotten…
Secure processing and confidentiality of data must be guaranteed, and the service providers chosen must offer guarantees of compliance.
Other important points: implement an internal HR charter, map and keep up to date a register of personal data processing, and carry out data protection impact assessments (DPIA) whenever necessary. Finally, the last requirement is the hiring of an external data protection officer (DPO).
A study conducted by Markess reveals that for 77% of HR decision-makers, data confidentiality has a strong impact on their missions. Such changes necessarily modify many practices specific to human resources management, starting with recruitment.
Recruitment: GDPR regulations causing procedural changes
Recruitment has been modernised in many companies and firms, to the extent that it has been enhanced by artificial intelligence and big data in order to be able to conduct extensive searches and take into account many criteria to find the ideal candidate.
According to a Deloitte survey, 42% of respondents believe that artificial intelligence will be widely deployed in their organisations in the next three to five years, leading to significant performance improvements in many areas.
According to Romain Dionnet, Executive Manager at HAYS, coupled with artificial intelligence:
“big data makes it possible to refine research by cross-referencing data such as availability, mobility, remuneration, etc. at record speed. In just a few clicks, I will know out of 700 candidates who is mobile in the south of 91, whereas I would have had to make many phone calls to answer this question”.
However, the GDPR provides a framework for this new type of research. The consent of candidates whose information recruiters wish to add to their databases must be obtained beforehand. Candidates must be able to access the information collected by the company via a web page, and must be able to modify and delete part or all of this data. They must also be notified within 72 hours of any data leak.
Obtaining candidates’ profiles or resumes without their consent is therefore no longer an option.
A digital transition shaped by the GDPR
HR functions have embarked on a digital transition that is considered beneficial: according to a Markess study, 54% of HR decision-makers believe that giving a digital dimension to the HR function is a priority, and for 66% of them it allows many processes to be automated while improving the function’s performance.
This evolution is obviously impacted by the GDPR, which requires close collaboration between HR and IT (information technology, the company’s IT department) in order to achieve compliant management of data storage and transfer within companies. A survey by the specialist recruitment firm Robert Half also announced that 7 out of 10 companies were planning to recruit to ensure the implementation and monitoring of the GDPR.
According to Markess, 32% of French HR decision-makers are aware that the data protection obligation even obliges them to adapt their human resources management information systems (HRIS). Another report, by IDC, reveals that 33% of HR managers are concerned about data privacy and the GDPR, and that for 76% of them this new regulation and other data privacy legislation are among the criteria for acquiring a Human Capital Management (HCM) solution.
HR and GDPR, what are the risks and benefits?
If HR departments were monitored as a priority by the CNIL in 2018, being the subject of 75 inspections out of the 300 planned, it is surely partly because 16% of the complaints addressed to the administrative authority in 2017 concerned human resources according to its activity report. During such inspections, there are frequent complaints that certain data are kept too long, that unnecessary information is collected, and that certain annotations or remarks constitute a value judgement or are a matter of privacy. The files of applicants and employees or the means of informing them about their rights are also checked as a priority.
But apart from the constraints and sanctions, the GDPR also introduces the concept of co-responsibility. In addition to HRDs, all publishers or partners involved in the collection and management of personal data of candidates or company staff may be held responsible in the event of a complaint or problem related to this data.
In a European survey carried out by SD Worx before the GDPR came into force, 55% of respondents considered that the GDPR posed a risk to the HR sector and required them to put in place various solutions to comply with it. However, the same survey also revealed that the new regulation would bring clear benefits: 71% of Belgian HR professionals thought that improved data security would be one of the most important benefits.
A survey by Markess reports that ensuring data security is a priority for 97% of HRDs when it comes to managing their data by 2020, but they are already facing a new challenge with the implementation of the withholding tax and therefore a new piece of personal data that they have to process and protect: the tax rate of employees…