GDPR in practice

Frequently asked questions from the HR department

With digitalization of the HR department comes streamlined processes, but be aware of the security risks. There are some areas where you need to pay extra attention in order to keep the security level high and in line with the GDPR legislation. In this article we will walk you through how you can stay on top of managing your HR processes digitally. As always when it comes to legal matters, it is wise to seek assistance from a lawyer.

Frequently asked questions from the HR department:

Can I keep job applications?

Do you know how long you can store job applications after a recruitment is done? GDPR has principles of data and storage minimization which means you should only store information if necessary, and only for as long as the information is needed. A candidate can file a complaint up to two years after a position has been filled, if they feel they have been subjected to discrimination during the recruitment process. 

How to handle the storage of job applications:

• Store information that is needed to show how your thoughts went and why you chose a certain candidate during the recruitment process – things like competence, education and work experience.
• Do not store addresses or id numbers
• Minimize the risk of leaking information by keeping the applications in a safe place after the recruitment process is finished.
• Only let 1–2 people have access to the information.

What are the rules regarding notes from employee conversations?

Notes from employee discussions and interviews can only be stored for as long as the information is relevant to you and the company.

How to handle employee notes: 

• Inform everyone why you store the notes and for how long

Dispose of information

There will be times where you will need to get rid of personal data. Set up a system for regularly checking what data is being stored, and processes for how to dispose of information in order to stay GDPR-compliant.

Always ask yourself this question:

Is there any legal purpose or cause for storing this data?

If the answer is no – delete, anonymize or pseudonymize.

Deletion

Delete all personal data that you don’t longer have, or will ever have, any use for.

Anonymizing

Anonymize the data in those cases you would like to store them for research purposes, or for statistics.

Anonymizing data is an irreversible process. It should be impossible, or extremely difficult, to identify the person to whom the data belongs. Anonymized data is no longer classified as personal data and is not covered by the GDPR-legislation. However, simply removing one person’s name is not sufficient to achieve anonymity. 

Pseudonymizing

When you dispose of personal data through the process of pseudonymization, some form of supplementary information is required to determine the identity of the individual behind the data. Often, a code or a key is necessary to access the data, and this is usually stored in a secure location accessible only to a few authorized persons.

Making the right choices should be easy

GDPR requires you to have control over all personal data within your organization. It is up to you to ensure proper handling of the data. With the right HR system, it is a breeze. 

As an administrator in Hailey, you can set up your own rules for storing personal data to make sure you do not retain information longer than necessary.