When I started working as an HR professional, from the very first day I had access to a vast amount of highly sensitive and confidential data. I had full overview of payroll details of the entire company, criminal records, employment history, medical information and performance records of my colleagues and managers. I had access to information I did not necessarily want to know about, and the kind of information that others might want to get their hands on. Basically, all documentation I work on as an HR professional contains personal data: name, date of birth, personal phone number, employment records, salary levels, bank account details, and so on.
Handling all these data comes with great responsibilities. It is my job, as an HR professional, to create an environment of confidentiality so that people – be it (ex)employees or candidates – entrust me with their most sensitive personal information and can be reassured that I handle their documents with utmost care.
Since 2018, there has been more pressure on HR professionals to safeguard the confidential files they handle and to make sure they don’t accidentally expose personal data. In this blog post, I’ll try to help you understand how the GDPR will affect this profession, and how Tresorit can help you manage online data in a GDPR compliant way.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a comprehensive regulation that unifies data protection laws across the European Union (EU). It sets strict requirements for companies and organizations for the collection, storage, processing and management of personal data. The GDPR can apply even if the company is located outside the EU. Organizations, irrespective of their establishment, that process personal data of individuals who are in the EU in order to offer them goods or services, irrespective of whether a payment is required, or to monitor their behavior within the EU will have to comply with the new rules.
Why HR professionals should care about the GDPR?
HR departments collect and process large amounts of personal data not only from their employees but also from job applicants, contractors and former employees. The information they possess includes sensitive data such as health information, medical records, salary levels. Hence, it is of utmost importance that HR professionals are aware of the requirements of data protection regulations and process personal data accordingly.
What is personal data?
Personal data is any information relating to an identified or identifiable natural person (data subject) such as a name, an identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person. HR professionals, by the nature of their work, deal with these kind of data most of the time. Resumés, employment contracts, payment slips, performance records all contain personal data.
How is the GDPR affecting HR professionals?
The GDPR requires organizations to take measures to minimize the amount of personally identifiable information they store and ensure that they do not store any information for longer than necessary. The GDPR also sets out that all data processing has to have a lawful basis, such as explicit consent from the data subject. While consent has been required previously as well to retain staff or candidate data, the GDPR requires HR professionals to ask for “specific, informed and unambiguous” consent. Furthermore, HR professionals are only allowed to use the data for the specific purpose for which it was given. Hence, employees must explicitly opt in to allow their employers to process their personal data.
What are the rights of employees under the GDPR?
HR professionals have to make employees fully aware of what personal data they process and for what purpose. HR also have to ensure that the personal data is accurate, complete and up to date and enable employees to access them. Furthermore, under the so-called right to be forgotten, employees entitled to require their employer to erase personal data held about them in certain circumstances. This can be the case when the data is no longer necessary for the purpose for which it was originally collected, or if the employee withdrawns his/her consent.
Are HR professionals responsible for data managed by third parties?
The information HR departments possess might be held or processed by third party systems, for example payroll processing or cloud-based HR management tools, or shared with third parties such as headhunting firms. However, HR professionals are responsible to protect personal data even if they use third-party services (data processors) to manage data on their behalf and have to make sure that these services only process data in a compatible way with the original legal basis. Hence, HR professionals need to understand all the data flows across their IT systems and should use services that provide the highest protection.
Do HR professionals need to notify data breaches to their employees?
Data controllers (the entity that determines the purposes, conditions and means of the processing of personal data) must notify personal data breaches to the supervisory authorities without delay, and no later than 72 hours after becoming aware of it. The breach also has to be communicated to data subjects if it is likely to result in a high risk to the rights and freedoms of natural persons. This notification requirement applies to employee data as well. Hence, employers need to notify employees “without undue delay” in case a breach affects their personal data.
What security measures does the GDPR recommend to protect personal data?
The GDPR prescribes that data controllers and processors must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including for instance the encryption of personal data. Moreover, the GDPR outlines the principles of Data Protection by Design, which means organizations must develop data protection processes and products with privacy in mind from the ground up, and Data Protection by Default which ensures that only personal data that are necessary for each specific purpose of the processing are processed.
What are the risks of non-compliance?
Companies that do not comply risk being fined up to €20 million, or 4% of their worldwide annual turnover of the prior financial year, whichever is higher. Less serious violations, such as having improper records, or failing to notify of any breaches, can be fined a maximum of 2% of their annual global turnover, or €10 million. Given the GDPR requires data controllers to communicate the personal data breach to data subjects if it is likely to result in a high risk to the rights and freedoms of natural persons, companies will also have to face serious reputational damage in case of a data breach.
How Tresorit can help HR professionals to handle data in a GDPR compliant way?
⇒ Even if you already work with a CRM system, you are probably still sharing documents with candidates, headhunters, or external training professionals in email attachments. Tresorit’s link-based file sharing allows you to replace unsecure email attachments and collaborate internally and externally in a secure way. You can share assessment results or contract drafts directly from Outlook with candidates who can instantly access them without downloading a software or creating a Tresorit account. In addition, Tresorit gives you control over the shared files as it allows you to set up download limits, expiration dates, or even a password for extra protection. Links can also be revoked in case they are accidentally shared with the wrong person. Therefore, a data breach that would result from, for example, sending an employment offer to the wrong recipient can be mitigated.
⇒ If you use a CRM system to manage data, and the data is not properly encrypted, in case of a data breach on the server side, personal data could leak. Hackers could also get into the database of the headhunter company you work with, and sensitive information about candidates on the job market could be revealed. With Tresorit’s end-to-end encryption this would not be possible. Even if the servers of Tresorit were hacked, no one could read the personal data in your files. As data can only be obtained in an unintelligible way – and as such is not considered personal data – you can avoid the GDPR’s requirement to notify authorities and affected individuals of the data breach in 72 hours, and to pay a heavy fine. In addition, your candidates can also be sure that you keep their interest in your company confidential and that information about their application cannot get out.
⇒ Also, if you hold or process HR data on third party systems, for example third party payroll processing or cloud based HR management tools, you are still the one responsible to make sure that that data is further processed only in line with the original legal basis. In the case of Tresorit, even if you have plenty of personal data in your files stored with us, practically no personal data is transferred to us. By keeping personal information within your company walls, you don’t need to inform or ask for the consent of your clients, staff or contractors for managing their data in files processed with Tresorit.
⇒ Tresorit allows you to ensure the privacy of your employees by limiting access to authorized staff only. This way, you can use individual folders to archive hiring documents (CVs, job offers, employment contracts, etc), deliver payslips, modify employee contracts, or protect medical and insurance records. You can create an HR folder for each employee that only they alone can access and keep them securely aware of what personal data you have on them. If you store these documents on your own servers, system admins or compliance team members might be able to access and look into them. With Tresorit, you can avoid this kind of abuse and ensure that no one but the employee concerned has access to her/his documents.
⇒ Tresorit helps you to ensure and demonstrate data confidentiality and integrity with permission settings which control that personal data is shared with only those who really need it for their work. This way you can make sure that only HR staff in charge of recruitment has access to, for example, candidates’ personal data in line with the the Principle of Least Privilege which limits information access only to users who need it for their work and are professionally trained to manage it.
⇒ Tresorit Advanced Control enables Tresorit Business admins to enhance the security of their organization by resetting their users’ lost passwords and revoking access from lost or stolen devices. This allows you to control user permissions for each project or personnel folder. You can for example, revoke access from contractors or assessment candidates after their assignment is completed. With these security features, you can also minimize the risk of a data breach that would result, for example, from a stolen device.
As you can see, with Tresorit’s end-to-end encryption and wide range of security features you can minimize the risk of data breaches and implement the principles of privacy by design and by default. Tresorit can help you avoid the notification requirement that would apply in case of a data breach, and you might also avoid fines up to 4% of your global annual turnover.
Furthermore, using Tresorit can also enable you to show your employees and candidates that their security matters to you and that you are taking serious steps to protect their personal data.