HR and Data Protection – The Complete Privacy Compliance Guide and Tips for HR
HR personnel handle both personal and sensitive data. If that data gets into the wrong hands, that’s terrible news for everyone involved. It can lead to enormous liability – both legally and for the business’s reputation. It is crucial to understand the risks and proper data practices.
What types of personal data does the HR department process?
Human resource professionals and managers work with lots of personal data as part of their daily tasks and activities, from personal data of potential candidates (CV, background checks, etc.) to ongoing personal data of existing employees (performance reviews, health-related information, pay levels, etc.).
This is why all HR personnel must understand the importance of privacy measures while working with such data. For this reason, we have prepared a quick guide for HR staff who are new to privacy.
Most privacy laws distinguish between types of personal data. Personal data includes anything that identifies an individual (email address, name, ID, etc.), while sensitive personal data covers information a person might not want other people to know (beliefs, social security number, health data, etc.). Of course, the level of protection for sensitive personal data must be higher.
How can the HR department protect personal data of employees?
Understand the types of personal data you are working with.
In most cases, the HR department handles an enormous amount of personal data. This includes processing sensitive personal information such as background checks, health-related information, pay levels, etc. Sensitive personal data must be handled cautiously, since its exposure has serious consequences for both the data subject and the company itself.
Be familiar with the relevant privacy protection policies related to HR.
Processing of sensitive data requires employers to establish processes and procedures to secure and safeguard sensitive employee data. HR should be familiar with important policies, such as the employee privacy notice and the job candidate privacy notice.
- The employee privacy notice is an internal document that explains to employees the “what, how, where, why and when” of how a data controller (the employer) processes their personal data.
Protect the privacy of the job candidates.
A job candidate might share an extensive amount of personal data with the HR department or with outsourced recruiters that the company has hired. Such personal data might include a CV, references, cover letters, and more. Whether the candidate ends up being hired or not is not important: any personal data must be handled properly and according to the job candidate privacy notice.
- The job candidate privacy notice is an external document that the company shares with potential candidates who send in their resumes. For example, if there is a dedicated careers page on the website, a link to the job candidate privacy notice must be placed next to the submission button. This way, candidates can review how the personal data they submit will be handled.
Hold on, what is processing?
Processing is a broad term and includes (amongst other things) collecting, recording, storing, amending, reviewing, using and deleting personal data. Employers process a vast array of employment-related data. Under the GDPR (The General Data Protection Regulation – a regulation in EU law on data protection and privacy), they will have to be more transparent and open than ever before about such processing.
Cooperate with the privacy team to maintain awareness among the employees.
HR has a crucial role in helping the privacy team ensure that employees are aware of the organization’s privacy vision and privacy risks. Such cooperation helps the entire organization avoid both external data breaches and internal breaches caused by human error.
What Happens in HR Stays in HR.
When in doubt – don’t share. Anything specific to an employee that does not need to be known by anyone other than those with a “legitimate need to know” should not be shared.
Indeed, employees sometimes choose to share their own personal information and discuss their high paycheck or amazing benefits. Still, while employees may be happy to overshare online, HR must keep their information private.