GDPR - One year later
Following last year's event on the stir caused by the General Data Protection Regulation (GDPR), this week we discussed with our community how things have evolved and where they stand now, one year later. Together with Tudor Galos, we looked at the main HR issues related to GDPR compliance.
1. Employee consent: Under the GDPR, consent must be "freely given, specific, informed and unambiguous". Because of the imbalanced employer - employee relationship, consent cannot always be used correctly as a basis for data processing. Don't assume that you need employees' consent for every piece of information you process - start with a detailed risk assessment and determine the basis for each processing activity; consider legitimate interest or legal obligation as the basis instead.
2. CVs: collected data can be kept only as long as necessary to accomplish "specified, explicit and legitimate purposes". Once you have closed the job opening, you no longer have a legitimate purpose for keeping the collected CVs. If you want to keep CVs for a longer period, rely on a legal basis such as additional consent, legitimate interest (be aware of the LIA - legitimate interests assessment) or contract (in the case of talent community platforms).
3. Data subjects' right to be informed: information shall be provided "in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child". It's important to be open about what happens with your employees' personal information: which data are used, by which supplier, and why. Be creative and fair! We all agree that GDPR might seem tedious, but if you present it in a creative and fun way (an infographic, a video, stickers etc.), there is a high probability that you'll make a difference. Here's an example of a successful Privacy Policy explanation provided by EasyJet.
4. Suppliers: have a clear picture of who your suppliers are (REVISAL, recruitment agency etc.) and determine their roles: are they joint or independent representatives of controllers, or processors?
5. Photos and videos: Make sure everyone looks nice in these. Several good practices for specific cases:
- Photo on the access card: a possible basis is legitimate interest, as the employer or the landlord wants to limit unauthorized access to the building;
- Photos at corporate events: legitimate interest might be used, noting that employees have the right to refuse to appear in those pictures. Also, make sure everyone looks nice in the pictures;
- Photos for employer branding campaigns: sign a contract for the right to use the pictures. For digital channels this is much simpler, but for outdoor and TV campaigns the recommendation is to have a contract; otherwise, financially speaking, it might hurt;
- Events for employees' children (Christmas, Kids' Day etc.): create a form so that employees can voluntarily register themselves and their children for participation. Again, make sure everyone looks nice in the selected pictures.
6. Closed-circuit television (CCTV): Camera use might violate several employee rights, such as the right to privacy. It is recommended to carry out a DPIA (data protection impact assessment). For electronic monitoring systems, legitimate interest might be relied on only if the company complies with the conditions set out in law no. 190/2018 (art. 5).
7. National identification numbers: Be aware of the data minimization principle and make sure that personal data is processed in a secure and confidential manner. Never use the national identification number as the password for accessing employees' confidential information (benefits platform, pay-slips etc.). Appoint a Data Protection Officer (DPO) responsible for creating, implementing and reviewing the company's Data Privacy Policy.
8. Data-loss prevention systems: these systems provide informational support and tools that help implement GDPR requirements: deleting personal information that is no longer needed, restricting personal data usage, maintaining data security standards, preventing personal data loss, identifying where data are stored etc.
9. Employee empowerment: Train your employees and make them feel responsible for keeping data safe - sign an addendum to the labour contract, implement an internal data processing policy, organize training (online and in person), send newsletters, test employees periodically etc.
In conclusion, don't assume! Instead, do proper research. Don't do something just because others do it, and remember: Give Data Proper Respect.
Yours,
HR Hub Team