A GDPR Compliance Guide for HR Teams

The General Data Protection Regulation (GDPR) has everyone scrambling, but there is no need to worry. Last week we gave a high-level overview of GDPR and how it may affect your HR team.

This week, we want to help accelerate your path toward GDPR compliance by helping unpack the regulatory details that matter most to HR teams. To get started, we’ve come up with two questions that will help gauge your compliance-readiness:

  1. Do you document the 5 W’s - who, what, when, where, and why - involved in your employee data processing?
  2. Can you quickly and efficiently respond to an employee’s data subject rights request?

Documenting Employee Data Processing

Keeping up-to-date records of all the ways employee data is shared and processed is the most important step HR managers can take to protect their company from steep regulatory fines.

As a rule of thumb, companies need to document each type of transaction where personally identifiable information (PII) is shared. Below are a few internal processes that require documentation:

  • A candidate applies to an open position at your company.
  • The candidate becomes an employee and completes their onboarding program through your HRIS.
  • Your new employee signs up for benefits through a third-party benefits provider.
  • An incoming request for, and your response to, a verification of employment (VOE) or income (VOI).

Data processing documentation must begin as soon as a candidate’s information is input into your applicant tracking system (ATS).

Data Subject Rights

Data rights are central to the GDPR. In fact, there’s an entire chapter in the legislation dedicated to this topic. One of the most important data subject rights is the right to access information. When an employee, or candidate, requests information on how their personal information is being shared, it’s up to you to deliver that information.

Let’s walk through an example:

You get a request from a candidate, employee, user or customer in the EU to provide the information you have about them. What do you do?

First, you’ll need to compile a list of all the instances where his or her data was shared. At Truework, our internal team uses a simple spreadsheet to keep track of how we process employee and user data. GDPR requires companies to document all types of transactions where personal data is exchanged.

To make things easier, we’ve made our template available for you to use in your organization.

Now that we’ve referenced our data processing spreadsheet, we can see all of the instances where a candidate, employee, user or customer may have shared their personal information.

If you look closely, you can see that we’ve processed a subset of data through a third-party vendor. In order to fulfill the data request, we’ll need to reach out to the vendor, because they serve as the data processor in this instance.

Each vendor you partner with should be set up to provide you with a file of all the information they hold on the individuals whose data they process on behalf of your company. Facebook’s “Download Your Data” tool is a great example of GDPR in action in the real world.

The last step is to communicate this information back to the individual who made the initial data subject request. According to the GDPR, this information needs to be delivered “in a concise, transparent, intelligible and easily accessible form”. So, we compile a spreadsheet that details how the requesting individual’s personal data has been processed through Truework and attach it to an email. Voila, compliance!

The right to access information is one of a few important data subject rights that HR teams should be aware of. Next week we’ll outline the rest to make sure you are GDPReady.

This is part 2 of 3 in our series on GDPR. Read part one here. Part three coming next week!
