The General Data Protection Regulation (GDPR) is a European Data Protection Regulation that aims to harmonize the data privacy laws across all European member states. UK enforcement of GDPR will commence on 25th May 2018, and will create new requirements regarding how all personal data is collected, processed and stored, including employee data.
As the legislation places tremendous requirements and emphasis on data transparency, management and security, here are a number of ways that implementing a Human Resource Information System (HRIS) can aid your compliance. While no HRIS will make your business data processes instantly GDPR compliant, it can be the first step in defining the right policies in line with the legislation, and act as a foundation for appropriate data management. Choosing the correct IT infrastructure or HRIS to store your data should be a key step in getting ready for GDPR, as data protection through technology should be ‘by design and by default’ and not an afterthought to your overall privacy policies.
Secure, Centralised Data Store
One point to note when implementing a HRIS is that under GDPR you will also need to know where your data will be stored by the HRIS. If your data is stored outwith the EU, GDPR Chapter 5 requires you to ensure it is safeguarded to the same standards as it would be within the EU. For example, seeHR stores your data in a secure data centre within the EU, in London, using Amazon Web Services (AWS), who are themselves ISO 27001 compliant. This removes the additional risk of transferring data outwith the EU and of having to demonstrate that adequate protection is in place.
Strict Privacy Controls
With a secure, centralised HRIS like seeHR, you also benefit from strict, hierarchical and customisable privacy controls, dictating who in the organisation can, and can’t, view employee data. For example, seeHR has three visibility tiers as standard: Admin, Manager and Employee. Administrators of the system can see all the data available, while Managers only see the data held on the employees they directly manage. This is a great benefit of using an online HRIS, as who is able to view which data is determined by the Administrator. The System Administrator could be anyone in your organisation whom you want to be responsible for adding employees and controlling privacy, such as the HR Director, HR Manager, Finance Manager or Data Protection Officer.
seeHR’s three tiers also ensure a truly centralised single HR store, as Managers do not need to keep their own separate records or stores to manage things such as performance reviews and absences; the system takes care of this for you.
Many HRIS systems offer each Employee their own account, through which they can access the data held on them specifically. For example, in seeHR, Employees are able to notify sickness, request holidays, manage or leave performance reviews, add documents, create employee logs, and view and update elements of their own personal information within the seeHR system. Some records, such as salary, holiday entitlement and contract type, cannot be seen or changed by employees themselves. However, elements like addresses, phone numbers and emergency contacts can easily be updated by the end user. This HRIS feature eliminates the need for a manual ‘change of employee details’ process, and reduces the likelihood of storing out-of-date or inaccurate data.
While Employees are able to log in and see their own data, only Administrators and Managers in seeHR can access employee data other than their own, with these permissions entirely controlled by the Administrator.
Manage Data Subject Access Requests
Under GDPR, anyone is legally entitled to make a Subject Access Request to see, and obtain a copy of, all the personal data held on them. Subject Access Requests (sometimes referred to as SARs) can be made either verbally or in writing, and you must respond to a request within one month of the initial contact. In the context of HR, this could be current or past employees, or job applicants, asking to know what data your HR department holds on them.
While it is your organisation’s responsibility to outline your own policy of how you will respond to SARs, implementation of a HRIS system as part of your IT infrastructure can help you deal with these requests. As previously mentioned, a centralised store of data means that you can respond to a SAR with confidence that you are including all personal data records held on an individual.
In the case of seeHR, the system’s three visibility tiers also allow you to respond with confidence regarding who has had visibility of the personal data, which, where a current or previous Employee makes the SAR, would be the subject’s Manager and the System Administrator. Data can also be exported from seeHR into a CSV file, making it straightforward to provide the subject with a copy of their data. Having one single store for all data with strict privacy controls within a HRIS like seeHR means that Subject Access Requests are much faster and easier to complete.
Gain Valuable Insights, Even With Anonymised Data
In some cases, for example to comply with a Subject Access Request, it may be necessary to remove aspects of employee data that explicitly identify the Subject. However, we understand organisations may still want to gain insights about their own workforce. Questions that a HR department may wish to answer might include ‘which employees are at a high risk of leaving the company?’, ‘how much would an employee leaving cost the business?’ or ‘what factors significantly increase employees’ risk of leaving our company?’.
seeHR is a HRIS with a powerful additional analytical capability that gives you more insight into your employee turnover. However, to generate these insights, some data is needed on existing and previous employees. In line with your own GDPR processes, your organisation can determine a specific length of time that is justifiable to keep data on previous employees before it is deleted, for example 2 years from the date of leaving. However, if a subject requests that their personal data be removed from the system before this retention period is up, an anonymised version, with names, addresses and specific employee documents removed, can be kept within seeHR to continue generating analytical insights while removing the personal details specific to that subject.
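As an added example (not seeHR’s own code), the following model shows the three visibility tiers and field-level restrictions described under Strict Privacy Controls, together with the anonymisation-on-removal step described above. The role names, field names and sample record are assumptions for illustration; access is denied by default so that an unknown role or a non-matching manager sees nothing.

```python
from copy import deepcopy

# Fields the text says an employee cannot see or change about themselves.
SELF_HIDDEN = {"salary", "holiday_entitlement", "contract_type"}
# Fields the text says an employee can update themselves.
SELF_EDITABLE = {"address", "phone", "emergency_contact"}
# Directly identifying fields stripped on anonymisation; the rest stay for analytics.
IDENTIFYING = {"name", "address", "phone", "emergency_contact", "documents"}


def sample_store():
    """Constructed sample data (not real records): employee id -> record."""
    return deepcopy({
        "e1": {"name": "A. Example", "manager": "e3", "salary": 42000,
               "holiday_entitlement": 25, "contract_type": "permanent",
               "address": "1 Test St", "phone": "01000 000000",
               "emergency_contact": "B. Example", "documents": ["contract.pdf"],
               "start_year": 2015, "absences": 3},
    })


def visible_fields(store, actor_id, role, subject_id):
    """Return the part of the subject's record the actor may view; None = no access."""
    record = store.get(subject_id)
    if record is None:
        return None
    if role == "admin":                      # Admin: all data on everyone
        return dict(record)
    if role == "manager" and record["manager"] == actor_id:
        return dict(record)                  # Manager: direct reports only
    if role == "employee" and actor_id == subject_id:
        return {k: v for k, v in record.items() if k not in SELF_HIDDEN}
    return None                              # deny by default


def update_own_field(store, actor_id, field, value):
    """Employee self-service update; only the editable fields are accepted."""
    if field not in SELF_EDITABLE or actor_id not in store:
        return False
    store[actor_id][field] = value
    return True


def anonymise(store, subject_id):
    """Replace a record with a copy holding only non-identifying fields.
    Assumption: the retained set is reviewed per organisation, since in a
    very small team the remaining fields could still single someone out."""
    kept = {k: v for k, v in store[subject_id].items() if k not in IDENTIFYING}
    store[subject_id] = kept
    return kept
```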
Easily Remove Data
When considering data retention and removal, it may be appropriate to retain certain records once an employee has left your company, in line with other legal requirements and specific business reasons. It is important for your organisation to identify what data is and isn’t necessary to retain, and then remove records that are no longer required. What you should and should not retain will depend on your business’s and industry’s specific requirements, so you should identify your own obligations and create policies for them. Some data should also be deleted after being held for a specified period of time, for example a set period after an employee leaves or after an unsuccessful job application. You should therefore take steps to identify which data you need to retain and which to delete, and how long you can justify retaining each specific record.
Once you’ve identified which records you must delete, the task of removing them becomes far easier with a HRIS. As all your employee data is now stored in one central database, removing data you are no longer obliged to store is a simpler process than with disparate HR records. Administrators in seeHR are able to delete any and all data on past or present employees that the company is no longer required to hold, supporting compliance with the GDPR ‘right to be forgotten’ (the right to erasure). As previously discussed, Employees can update elements of their own personal data too, so data is more likely to be accurate and up to date.
With seeHR, your HR data is completely managed by the Administrators and Managers you assign within the software, with Administrators having more control over the system. Data can also be exported into a .CSV file if for any reason copies are required. If you decide to delete your company’s account with seeHR, you can be assured that all personal data relating to your company or employees will be removed. We would only keep data pertaining to the original licensing of the software and the details of termination and deletion of data, not personal data used within the system.
In summary, HR software platforms like seeHR may not manage your data processes automatically; however, they give you the tools and the simplicity of a centralised, managed system that makes responsible processing and management of your data easy. There are a huge number of benefits to implementing HRIS software to manage your HR data, all of which help control data management, privacy and processes in a modern way that reduces risk and adds safeguards to your organisation’s own GDPR policies.
For more information on GDPR, please visit:
General Data Protection Regulation (GDPR) Articles – https://gdpr-info.eu/
UK GDPR Guide and Checklist for Organisations – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
More Information about Subject Access Requests – https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/