With the GDPR deadline just around the corner (May 25th 2018), it’s likely that you and your company have already begun the work of understanding, auditing, changing and communicating all of your data processing requirements. One of your most relevant data sources is your human resource 'systems': you will need to decide which HR data needs to continue to be processed and what your data retention rules should be.
With so many providers of HR solutions, whether cloud or on-premise, how can you be sure that your current or potential HRIS provider is doing everything it possibly could to help you, its client, comply with the new GDPR rules?
You may be surprised at how many seem to be doing very little, or the bare minimum, or nothing at all. As an example, does your supplier provide you with the necessary functionality that allows you to decide what data is visible to whom and allow different Manager users to have different access rights and permission set profiles?
In other words, is a Manager's view of their team fixed and are you happy with what they can both view and do with the data that is being presented to them? This is worth checking after you've established what data you wish to present to users, as you could be left in a situation where there are gaping holes in your data protection policies – holes which could be costly and even detrimental for your company.
We masqueraded as a mystery shopper one day last week and were told by one HR software vendor, “yes, our system is fully compliant with the GDPR, you can delete an employee record at any time.” But what if you need to delete some information but retain others? What if you need to anonymise some data while retaining it for a specific time period before it is scheduled for deletion?
Another HR software vendor we spoke to exclaimed, “you’ve got nothing to worry about, we’re ISO27001 accredited” - all well and good, but what are you doing to help me? Data security is one thing, and no one ought to trade in our space without the correct procedures and capabilities in place to ensure the protection of your valuable data, but is your supplier giving you the functionality to ensure that you can more easily and successfully comply with the GDPR?
Here are some details of the new GDPR rules which you need to be fully aware of when selecting or reviewing an HR system.
The Right to Erasure:
Candidate Records: a candidate for a vacancy must be able to choose to ‘opt in’ to their data being held, as well as being fully aware of where their data will be retained. Having been unsuccessful in securing the job, their data can be scheduled for deletion within a specific time frame, and they must be fully aware of what this time frame will be.
Employee Records: HR and managers must be able to set their own rules to uphold what has been agreed within their data retention policy, meaning that they can define what data is retained, anonymised and deleted, and when.
How Youmanage Helps: Youmanage provides your candidates with the option to ‘opt in’, and for you to schedule specific pieces of data for deletion at specific times. This works for candidates and current employee records – you can set your own rules in line with your own data retention policy.
The Right to Data Portability:
The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services. It allows them to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
How Youmanage Helps: Admin Users will have the ability to export employee data, including all associated documents.
The Right of Access and Rectification:
Under the GDPR, individuals will have the right to obtain: confirmation that their data is being processed; access to their personal data; and other supplementary information – this largely corresponds to the information that should be provided in a privacy notice (see Article 15).
How Youmanage Helps: Self-Service users are able to view, check and request to update their own information held within the application.
So what can you do to determine what a provider is doing to help you with your need to comply with the new regulations?
Make sure to do a full and in-depth audit of their software and check for the following capabilities:
Restricted data visibility: the ability to show only certain, specific data to specific users, so as not to breach your own data protection policies.
Enhanced permission sets (access rights): it’s likely you will need the ability to be far more granular with user permissions, i.e. having only a general ‘Manager’ access level could allow certain managers to access more information than they have a legitimate business need to access. You may therefore need a higher level of configuration, giving you absolute control over your own system settings, than some HR systems are capable of.
Data retention rulesets: instead of simply having the ability to ‘delete’ an employee record, it would be greatly beneficial for your system to be able to schedule what data is deleted, and when, after an employee has left your company. This is because, under the new regulations, you may wish for some data belonging to an individual employee to be deleted sooner than other data.
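The retention-ruleset capability described above (and the "delete some fields, anonymise others for a period, retain the rest" scenario raised earlier) can be made concrete with a small per-field policy engine. This is an added illustration, not Youmanage's or any vendor's code; the field names, retention periods and the RetentionRule/POLICY structures are constructed assumptions, and the periods are illustrative rather than legal advice.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical rule for one field of a leaver's record: after `anonymise_after`
# days the value is replaced by a placeholder, after `delete_after` days the
# field is removed entirely. None means that step never happens.
@dataclass(frozen=True)
class RetentionRule:
    anonymise_after: Optional[int] = None
    delete_after: Optional[int] = None

ANONYMISED = "[anonymised]"

# Constructed policy (illustrative periods only): payroll reference kept six
# years, disciplinary notes anonymised at one year and purged at two, interview
# notes purged at six months, name anonymised at two years but kept for headcount.
POLICY = {
    "name": RetentionRule(anonymise_after=365 * 2),
    "payroll_id": RetentionRule(delete_after=365 * 6),
    "disciplinary": RetentionRule(anonymise_after=365, delete_after=365 * 2),
    "interview_notes": RetentionRule(delete_after=182),
}

def apply_retention(record: dict, left_on: date, today: date, policy: dict) -> dict:
    """Return a copy of `record` with each field anonymised or removed according
    to `policy`, based on whole days elapsed since the leaving date. Fields with
    no rule are kept unchanged; a real audit should flag them for review."""
    elapsed = (today - left_on).days
    out = {}
    for field, value in record.items():
        rule = policy.get(field)
        if rule is None:
            out[field] = value
            continue
        if rule.delete_after is not None and elapsed >= rule.delete_after:
            continue  # deletion due: the field is dropped from the retained record
        if rule.anonymise_after is not None and elapsed >= rule.anonymise_after:
            out[field] = ANONYMISED  # anonymisation due, deletion not yet
        else:
            out[field] = value
    return out

def next_actions(left_on: date, policy: dict) -> list:
    """Schedule of (due date, field, action) tuples, sorted by date, so the
    retention timetable can be disclosed to the data subject and audited."""
    actions = []
    for field, rule in policy.items():
        if rule.anonymise_after is not None:
            actions.append((left_on + timedelta(days=rule.anonymise_after), field, "anonymise"))
        if rule.delete_after is not None:
            actions.append((left_on + timedelta(days=rule.delete_after), field, "delete"))
    return sorted(actions)
```

Running apply_retention on the same leaver record at successive dates shows interview notes disappearing first, disciplinary notes being anonymised and then purged, and the payroll reference surviving the longest, which is exactly the behaviour a blanket "delete the employee" button cannot express.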
How else can we be sure that they are doing all they can to prepare for the GDPR?
Check their subscription agreement document: usually available on a vendor’s website, often as a link at the bottom of the page, this will give you insight into how up-to-date the current terms and conditions/agreements are, and whether or not they mention the vendor's obligations under the GDPR.
Ask questions at every stage: whether it be your current provider or a potential new software system you are looking to implement, make sure to question every stage of the process, especially in relation to the GDPR, to ensure the necessary capabilities are available to allow you to comply.
Did you find this article useful? Youmanage HR provides a software system which assists you fully with your needs to ensure compliance with the new GDPR rules, specifically for HR. If you'd like to find out more about how we are helping businesses worldwide comply with the GDPR, request a demo, or get in touch to ask questions.