A while back we hosted a webinar on the topic “How to take control of your HR data.” A lot of it revolved around the current legislation and the EU’s data protection regulation (GDPR). The attendees showed an overwhelming interest, and several important questions arose, both during the live webinar and in the days that followed. What better way to summarize our answers than in a blog post?
We have listed eight of the most frequently asked questions that we received. Enjoy!
Simply put, personal data is any information that can be used to identify a living individual. Images of people are classified as personal data. The same goes for digitally stored audio recordings, even if no names are mentioned in the recording.
We recommend a 7-step process to get you started and to map out your processes. As GDPR is quite complex by nature, you might be splitting hairs in some cases. Make sure to involve lawyers for individual guidance.
As an HR professional, you must know what information needs to be saved and for how long. The basic rule in the GDPR is to only store data for as long as necessary for the purpose for which the data was collected. However, there are certain exceptions where you as an employer must store the data longer according to the employment law. Some examples include:
Although there is no rule of thumb, compliance is about ensuring that personal data is handled securely based on current legislation. Ask your current vendor how their system is adapted to GDPR, where the data is stored, and how they work with data encryption. If the system was built after the GDPR was introduced, there is a greater chance that it is GDPR compliant.
You minimize the risk of spreading sensitive data if you use one system. If you use several systems that are integrated with each other, the data is still stored in each of those systems, and each of them makes its own separate backups.
Yes, but you are required to obtain valid consent from the candidate, stating how long you want to store the application and contact information. It is up to you how long you want to store the data, but make sure to document it. When the consent expires, you need to obtain a new one in order to keep storing the data.
It depends. An automatic test and screening feature is called automated decision-making and profiling. This is extra sensitive when processing personal data, which is why it is important to make a proper analysis of why you need to do this and if it is necessary. Read what the Data Protection Authority says about your case, make an analysis and impact assessment, and decide based on that.
Emails are considered unstructured material, which GDPR applies to as well. Here are some general rules to follow: