GDPR and HR

Some of the most topical questions we’re asked at the moment are, understandably, about HR and the GDPR (General Data Protection Regulation).

First of all, it’s important to clarify that no HR or recruitment software solution will make you instantly compliant in how you handle employee data or manage consent.

Beyond the integrity of the supplier, their security standards and their data storage locations, it is your policies, not your system, that will ensure compliance.

But, depending on their infrastructure, many HR systems will greatly assist you in meeting the requirements once the right policies have been defined.

HR professionals are concerned about the impact the GDPR will have on People Management and Talent Acquisition.

There are plenty of checklists online, official guidelines (for the UK and Ireland) and endless pages of advice and legal notes.

How Will HRLocker Help You Meet Your Compliance Obligations?

  • EU Data Centres: HRLocker and HIRE, our Applicant Tracking System, are hosted only in data centres located within the European Union.
  • HRLocker uses the Microsoft Azure platform to store your data securely in Europe, across multiple data centre locations for backup and redundancy. We are happy to supply further documentation on our Information Security (IS) infrastructure and standards.
  • Wider Information Security Standards: HRLocker is preparing for an audit against the latest, enhanced ISO 27001 standard. This covers a wider scope of data security that both includes and goes beyond the GDPR’s requirements.
  • Tools for the job: HRLocker does not make you compliant, but it is an ideal instrument to help you exercise diligence and manage data appropriately.
  • HRLocker Privacy Policy
  • HRLocker Terms and Conditions, including the Data Agreement and Policy Information

Think Beyond GDPR

You should check whether your region imposes additional legislative requirements on data retention.

These might include data retention laws that oblige you to keep certain information on terminated employees for wider legal reasons, and that may contrast with or supersede ‘general’ GDPR commitments better suited to marketing or less specific business activities.

For example, with HR software that relies heavily on employee self-service for managing personal contact details and similar data, is it reasonable to keep next-of-kin records after a team member has left the organisation?

Perhaps it could be if there is a life insurance policy or pension attached to a deceased team member that can benefit their partner or spouse.

Another example is construction workers. In some jurisdictions, former workers’ records must be held indefinitely in case they were ever in contact with asbestos.

Such an organisation needs to retain those workers’ records, but it likely does not need to retain its receptionist’s data. Again, it is you meeting your relevant policies and obligations that makes you compliant, not the system. The system simply enables you to tailor retention to your specific case.

HRLocker allows you to trim the information you retain down to what has a tangible or legal justification, and to demonstrate that in ‘one bucket’.

Setting Your Policies

Ultimately, it is your policies meeting the regulations that will make you compliant.

Let’s take recruitment, and the retention of the CVs you receive, as an example. How long should you keep applicant details after a job application?

What is a realistic and justifiable retention period, in line with the lifecycle of your recruitment pipeline? Only you can define this, not the system.

Do you inform applicants what your policies are and why? (For example, you might state in an automated response that you keep CVs on file for future or alternative opportunities, and request the applicant’s consent.)

HIRELocker is secure and will satisfy auditors’ security standards. But you will only be GDPR compliant if you have the right policy, with an appropriate reason and purpose, governing how long you store the data.

If you are concerned about policy setting and best practices, please note that HRLocker offers First-Call HR Support on Professional price plans and above. We are happy to assist you with setting up processes and are always interested to hear about your business case.

The HRLocker system is fit for purpose, but you have to define the policy template for retention periods, and the reasons why they are set to whatever period you agree and declare.

So, when you receive a request to delete data, a cloud solution like HIRELocker or HRLocker makes it easy to manage, and to demonstrate diligent handling and purging of the data.

If you hold disparate records across multiple systems, or cannot refer to a supplier’s Information Security Standards, you are leaving yourself, and your data subjects’ details, exposed.

How HRLocker handles data

During a customer’s lifetime as an HRLocker client, HRLocker acts responsibly as both a data controller and a data processor.

HRLocker will never delete a client’s data until the account is terminated. At that point all data is deleted permanently from the system, although we will retain information such as that customer account’s financials to meet our own record-keeping duties.

It is therefore your responsibility to manage the data held within the system, and to remove it and handle it responsibly once you have extracted it.

In summary

HRLocker will not make you compliant. Only you can do that, by setting the appropriate policies. But HRLocker gives you the tools to manage data responsibly and to demonstrate both your accountability and our integrity as a supplier. All data is stored in the EU.

GDPR and HR was last modified: March 1st, 2024 by Adam Coleman
