What HR needs to know to manage the unique operational demands of GDPR
A lot (if not everything) has been said by now about the General Data Protection Regulation (GDPR), the new data privacy legislation that addresses the rights of EU citizens when it comes to their personal data and introduces strict restrictions and obligations that apply to the usage of such data. Most articles deal extensively with the legal aspects (consent, fines, etc.). Others focus on the technology side, including the functionalities that SAP has built to manage the data lifecycle (managing access, retention, deletion or archiving of personal HR data). There’s some good information on SAP SuccessFactors’ recent efforts around GDPR here or on SAP HCM (articles from Patrick Neil around the GRC suite for SAP HCM).
Despite the great amount of information that has been shared about GDPR, very little has been written about how to apply the GDPR rules in day-to-day HR operations when you’re working on an HRIS such as SAP HCM and/or SAP SuccessFactors. This is what this blog and any follow-up blogs are about. Subscribe here to receive any update.
Defining what GDPR means to HR
First, let’s define the scope of GDPR in relation to HR (I will call it ‘HR GDPR’): HR GDPR deals with processing data from your own employees, contractors and contingent workforce, but does not include data from customers, prospects, vendors, business partners, etc. Yes, HR GDPR deals with the data of your colleagues, co-workers, cast members, associates, team members, operatives, partners, representatives, apprentices, domestics, wage earners, blue or white collar employees … or any of the designations you may use in your HR processes.
HR data and Sensitive Personal Data often go hand-in-hand
The GDPR establishes a clear distinction between sensitive personal data and non-sensitive personal data. HR data is a clear focus of GDPR because it overlaps most strongly with the way the GDPR defines Sensitive Personal Data. This follows from two observations:
- A large portion of HR Data is Sensitive Personal Data
- Most Sensitive Personal Data is HR Data
What rights do my employees have under GDPR?
Employees (like any other individual) have been granted an extensive set of rights:
The right to be forgotten
Employees can require their employer to delete their personal data when:
- the data is no longer necessary for the purposes for which it was collected;
- the employee withdraws their consent to processing and the employer has no other legal grounds for processing it; or
- the employee objects to processing and the employer does not have a legitimate business reason for processing which is compelling enough to override the employee’s objection.
There is also an obligation on employers to take reasonable steps to inform third parties that the individual has exercised their right to be forgotten, and to request that they erase any links to, or copies of, personal data belonging to the employee.
Right to object to processing
This right will apply in circumstances where an employer is relying on a legitimate business interest as the grounds for processing data (so-called ‘purpose-driven processing’). Where this is the case, individuals have a right to object to such processing. When an objection is received, the employer must stop processing the personal data immediately, unless:
- they can demonstrate compelling legitimate grounds for the processing (e.g., payroll processing), which are sufficient to override the interests, rights and freedoms of the individual; or
- the processing is for the establishment, exercise or defense of legal claims.
Right to be informed
This right encompasses an employer’s obligation to provide fair processing information, typically through the use of a Privacy Notice, and emphasizes the need for transparency over how the employer uses personal data. GDPR sets out the information that employers must supply and when the information must be supplied.
Right to rectification
Individuals are entitled to have Personal Data rectified if it is inaccurate or incomplete. If an employer has disclosed the incorrect personal data to third parties, they must also inform those third parties of the rectification where possible.
The employer must also, where appropriate, inform the individual about the third parties to whom the data has been disclosed. If an employee submits a request for rectification, the employer must respond within one month. This can be extended by 2 months if the request is particularly complex.
It is easy to see the potential for tension between employers and employees that these rights may cause. Many employees may be suspicious about why their employer needs to retain historic information and put pressure on them to delete it (e.g., notes on performance reviews). There may also be a conflict between an employer’s need to retain thorough employment records and information (e.g., regarding previous disciplinary issues and working arrangements) and good data practice.
To make matters even more interesting, the law applies to both active and inactive or past employees. And that’s where it becomes more critical. Active (current) employees will very likely provide their consent to their employer to manage their personal data (e.g., for payroll processing), and the employer has legal grounds to use that data (to calculate overtime, holiday entitlements, net salary, etc.). The company still needs to guarantee that access to and storage of the data is strictly limited to the purpose of the HR business process (such as calculating the salary) and to people who have a legitimate reason to do so. This is what is called ‘purpose-driven processing’. More on that later.
But what about inactive employees, such as former employees or pensioners? They have the same rights regarding how their data is accessed, stored or in some cases archived or deleted. In working with a large EU-based retail bank, we found that the numbers were staggering:
- 15.000 active employees
- 100.000 ex-employees, of which 70.000 were ex-employees who left the company more than 2 years ago
- 45.000 ex-employees are candidates for full deletion of their HR data
So, HR GDPR deals with access, usage and storage of the data of current and past employees. As an SAP Service partner, Adessa Group focuses first and foremost (but not exclusively) on HRIS environments containing SAP HCM and SAP SuccessFactors as core HRIS and Talent Management systems. However, every company has a collection of systems that are fed by or interact with the HRIS. In the retail bank example I mentioned above, we found:
- Number of HR processes (across the board) interacting with Personal Data: 230
- Number of data transfers out of SAP HCM and SAP SuccessFactors: 200
- Number of end-user computing tools in the HR department with read, view and (sometimes) extract rights: 330
HR GDPR encompasses the operational aspects of having to manage all of this in a ‘business as usual’ environment, with as few interruptions to day-to-day operations as possible, yet maintaining compliance with the GDPR requirements.
What is HR GDPR Operations and how do you manage it?
In working with our clients on how to integrate HR GDPR tasks in their day-to-day business, we defined the following HR GDPR Operational Framework. It contains 4 key areas to manage:
HR GDPR Program: Management of the project to become and remain GDPR compliant, such as:
- Sensitive Personal data locations
- HR Process Register
- Key principles and policies on data lifecycle management, including: scrambling, retention, deletion, archiving, access & authorisations
- HR systems landscape and risk of data leakage (e.g., due to unauthorized download of data (in Excel, etc.) or unmanaged transfer of data to third parties)
- Communications policies such as internal communication, Data Subject Reports (e.g. through self-service), Breach Notification processes, etc.
HR GDPR Operations: Management of all activities pertaining to the access and storage of (Sensitive) Personal data such as:
- Data & Processes: Manage Sensitive Personal data and HR processes within the HRIS landscape
- Access & Authorisations: Control and log the activities of HR and non-HR staff, to check whether their access is all ‘purpose-driven’. There is a difference between having the right to access data (managed by authorisations) and accessing data with a clear purpose. More on this in a later blog.
- Data Transfers: Manage the HRIS landscape as well as document and manage all transfers in and out (to third parties) that could contain Sensitive Personal Data
- Data Lifecycle: All activities pertaining to scrambling, masking, retention, blocking, archiving or deletion
HR GDPR Communications: This consists of an internal and an external element:
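As an added illustration of the Access & Authorisations point (this is example code, not Adessa tooling and not part of the original post), the following check runs over constructed access-log lines and separates authorised access from purpose-driven access: an event passes only if it occurs inside a registered HR process that needs that data category, and the subject is not an ex-employee beyond the two-year retention cut-off mentioned in the bank example. The log field names, the process register, the data categories and the legal-claims exemption are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Constructed HR process register (hypothetical): the data categories each registered
# process legitimately needs. Access is 'purpose-driven' only inside such a process.
PROCESS_REGISTER = {
    "payroll": {"salary", "bank_account", "tax_id"},
    "performance_review": {"review_notes"},
    "legal_claims": {"disciplinary", "review_notes", "salary"},
}
RETENTION_YEARS = 2                        # illustrative cut-off, as in the bank example
EXEMPT_PAST_RETENTION = {"legal_claims"}   # defence of legal claims may still justify access
TODAY = date(2018, 5, 25)                  # reference date for the sample run

@dataclass
class Employee:
    emp_id: str
    leave_date: Optional[date]             # None means the employee is still active

def subject_state(emp: Employee, today: date) -> str:
    """Classify the data subject: active, ex-employee within retention, or past it."""
    if emp.leave_date is None:
        return "active"
    cutoff = emp.leave_date + timedelta(days=365 * RETENTION_YEARS)  # approximate window
    return "ex_past_retention" if today >= cutoff else "ex_within_retention"

def parse_line(line: str) -> dict:
    """Parse one constructed access-log line of space-separated key=value fields."""
    return dict(field.split("=", 1) for field in line.split())

def check_access(line: str, employees: dict, today: date) -> str:
    """Verdict for one event: the right to read (authorisation) is not the same as a purpose."""
    ev = parse_line(line)
    emp = employees.get(ev["subject"])
    if emp is None:
        return "unknown_subject"
    needed = PROCESS_REGISTER.get(ev["process"])
    if needed is None or ev["category"] not in needed:
        return "no_registered_purpose"
    if subject_state(emp, today) == "ex_past_retention" and ev["process"] not in EXEMPT_PAST_RETENTION:
        return "past_retention"
    return "purpose_driven"

# Constructed sample data: one active employee, one who left in 2015, four access events.
EMPLOYEES = {"E100": Employee("E100", None), "E200": Employee("E200", date(2015, 3, 31))}
SAMPLE_LOG = [
    "user=hr01 process=payroll subject=E100 category=bank_account",
    "user=hr01 process=payroll subject=E100 category=review_notes",
    "user=hr02 process=payroll subject=E200 category=salary",
    "user=legal1 process=legal_claims subject=E200 category=disciplinary",
]
```

Any verdict other than `purpose_driven` is a line to follow up: the second and third sample events are performed by users who hold the authorisation, yet neither is purpose-driven.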
- Internal communications: Manage the way (current and past) employees can request their data or how it’s being handled. This could include building a self-service portal to allow employees to make those demands.
- Breach notifications: In the case of a breach, certain data needs to be prepared for the Data Protection Officer (DPO) to share with the authorities.
HR GDPR Dashboard: A management dashboard containing an overview of all key activities and KPIs related to the HR GDPR activities of the company (or group).
The Adessa HR GDPR Cockpit Toolkit to manage your HR GDPR program
We will go into more detail about the operational aspects of HR GDPR in future blogs and will show you some tools Adessa Group has developed to manage this.
Use the subscribe link in the right column of this page to submit your email address and you will be notified of all blogs and news from the Adessa Group.