8 frequently asked questions about HR data and GDPR

A while back we hosted a webinar on the topic “How to take control of your HR data.” A lot of it revolved around the current legislation and EU’s data protection regulation (GDPR). The attendees showed an overwhelming interest, and several important questions arose, both during the live webinar and the days the followed. What better way to summarize our answers than in a blog post?

We have listed eight of the most frequently asked questions that we received. Enjoy!

1. What is considered personal data?

Simply put personal data is any information that can be used to identify a living individual. Images of people are classified as personal data. The same goes for digitally stored audio recordings, even if there are no names mentioned in the recording.

2. What can I do to ensure GDPR compliance?

We recommend a 7-step process to get you started and to map out your processes. As GDPR is quite complex by nature, you might be splitting hairs in some cases. Make sure to involve lawyers for individual guidance.

• List all internal HR processes and how you perform them
• List places and systems where you store personal data
• Identify where any data breaches of leaks can be found
• Find out who can see what in your HR systems
• Examine whether the systems are GDPR compliant
• Make sure you only store necessary personal information
• If possible, store all personal data in the same system

3. What information am I allowed to store?

As an HR professional, you must know what information needs to be saved and for how long. The basic rule in the GDPR is to only store data for as long as necessary for the purpose for which the data was collected. However, there are certain exceptions where you as an employer must store the data longer according to the employment law. Some examples include:

• Period of employment
• Pension provisions
• Salary payments
• Employment contract
• Salary basis

4. What makes an HR system GDPR compliant?

Although there is no rule of thumb, compliance is about ensuring that personal data is handled securely based on current legislation. Ask your current vendor how their system is adapted to GDPR, where the data is stored, and how they work with data encryption. If the system was built after the GDPR was introduced, there is a greater chance that it is GDPR compliant.

5. In what ways is it better to have one system rather than several integrated systems?

You minimize the risk of spreading sensitive data if you use one system. If you use different systems that are integrated, the data is still going to be stored in several systems, all of which make their separate backups.

6. Are we allowed to store recruitment applications for future needs?

Yes, but you are required to obtain valid consent from the candidate where you state how long you want to store the application and contact information. It is up to you how long you want to store the data, but make sure to document it. When the consent expires, you need to obtain a new one to store it even longer.

7. Are we allowed to use tests that, without the intervention of any recruiter, automatically screen applications?

It depends. An automatic test and screening feature is called automated decision-making and profiling. This is extra sensitive when processing personal data, which is why it is important to make a proper analysis of why you need to do this and if it is necessary. Read what the Data Protection Authority says about your case, make an analysis and impact assessment, and decide based on that.

8. Is there something we need to think about when it comes to the use and storage of emails?

Emails are considered unstructured material, which GDPR applies to as well. Here are some general rules to follow:

• Can the information be transferred in another way, e.g. in a meeting, telephone call, or via another more secure transfer tool?
• Email is for communication, not storage. If you receive an email where personal data is unprotected, save it in another system (there must be a legal basis for this) and delete the email (and empty trash).
• Email only people who need to read the content. Do not CC unnecessarily and think through the content of the email before you add more people to the email thread.
• Do not send sensitive information in an unprotected email, even if the person in question has given consent.
• If you receive personal data that you are not allowed to process – delete!