Data protection regulations are now in force, and they impose stricter rules on how companies handle personal data. One of the departments most affected by this is the Department of Human Resources. How will the regulations affect the field of human resources?
It can often be difficult to balance the privacy of the individual with the tasks that employers have to perform. To illustrate this, here are some key areas in which data protection regulations will directly affect the way the Human Resources Department holds individual data:
- Data retention: Organizations should keep personal data of employees only for as long as necessary, and for the purpose for which they were received. Therefore, the details of candidates who did not succeed in the recruitment process should be removed, unless a candidate has given his express consent to the organization to hold his details. Also, employers should keep data about employees who have left only for a limited time in order to comply with the data protection regulations. As a result, the organization's recruitment procedures should be adjusted so that they also cover data retention when employees leave the organization.
- Targeted and pertinent information only: Employers will be able to request from potential employees only the data that is necessary. If they request other data, they will need the explicit approval of the individual. Employees need to be sure that their employers are compliant with the data protection regulations. The Human Resources Department will need to examine with a very critical eye the information they hold in order to make a proper assessment of the information they are requesting.
- To demonstrate transparency and accountability: Employers will have to provide details regarding the storage and processing of employees’ data (what they store, where, for what purpose and how the processing is performed). They need to ensure that their employees know that they can access their data by creating an orderly process of ‘Request access to information’, free of charge, unless the amount of data requested is unreasonably large.
- Data will only be used for a specific purpose: Employers may use the information of employees or candidates only for the specific purpose they stated when they originally requested it. Personal information is not to be stored for future use without permission. If information is stored without permission, this may affect future recruitment processes and be in violation of the data protection regulations.
- Information security: One of the main purposes of the Privacy Regulations is to ensure that personal data will be properly maintained and secured. This requires paying close attention to two aspects:
  - Access from within the organization: Access to the employee’s confidential information should be on a “need to know” basis. Working closely with the Facilities/Infrastructure Department will become critical to finding the right balance between data storage and data protection from external threats.
  - Access from outside the organization: When, in the future, employers change their data processing and outsource it to an external provider, they must choose a provider that offers a sufficient guarantee of information security.
And what about the right to be forgotten?
‘The right to be forgotten’ exists today under EU law, and when most people think of the right, they think of removing links from the Google search engine or the Facebook database. But the right to be forgotten can also affect the information held in employees’ files. Dealing with this right creates a need to monitor the information held in human resources departments. This right may be relevant if employees find that HR departments hold more information than is necessary, even if this was originally requested in order to pursue a legitimate purpose.
Data Protection, or Privacy regulation, will have a huge impact on almost every aspect of HR teams’ work and conduct within the organization. This will require them to conduct a comprehensive review of recruitment and management policies and procedures. Now that the regulations are in place, it is essential that all organizations are aware of them and fully prepared for compliance. Failure to do so may result in significant financial penalties for the organization.
Written by Etti Berger