
GDPR and HR

Brian McDowell Longer Reads

Some of the most topical questions we’re asked at the moment are, understandably, about HR and the GDPR (General Data Protection Regulation).

First of all, it’s important to clarify that no HR or recruitment software solution will make you instantly compliant in how you handle employee data or manage consent.

Beyond the integrity of the supplier, their security standards and their data storage locations, it is your policies, not your system, that will ensure compliance.

But, depending on their infrastructure, many HR systems will greatly assist you in meeting the requirements once the right policies have been defined.

HR professionals are understandably concerned about the impact the GDPR will have on People Management and Talent Acquisition.

There are plenty of checklists online, official guidelines (UK and Ireland) and infinite pages of advice or legal notes.

So, how will HRLocker help you meet your obligations?

  • EU Data Centres: First of all, HRLocker – and HIRELocker, our Applicant Tracking System – are only hosted in data centres located in the European Union.
  • HRLocker uses the Microsoft Azure platform to securely store your data in Europe (multiple data centre locations for extra backup and redundancy). We are happy to supply further documentation on our Information Security (IS) infrastructure and standards.
  • Wider Information Security Standards: HRLocker is in the process of preparing for audit against the latest, enhanced ISO 27001 standard. This ensures the highest possible levels of wider data security, which both includes and goes beyond the GDPR specifications.
  • Tools for the job: HRLocker does not make you compliant – but it is an ideal instrument to help you ensure diligence and manage data appropriately.


Some extra points to consider:

Think beyond GDPR

You should check in your region about extra legislative requirements on data retention.

This might include data retention laws on what information you are obliged to keep about terminated employees for wider legal reasons, which may conflict with or supersede the ‘general’ GDPR commitments that are more appropriate to marketing or less specific business issues.

For example, in HR software systems with a strong element of employee self-service, where team members manage their own personal contact details and similar data: is it reasonable to keep next-of-kin records following a team member’s exit from the organisation?

Perhaps it could be if there is a life insurance policy or pension attached to a deceased team member that can benefit their partner or spouse.

Another example is construction workers. In some jurisdictions, former workers’ records must be held indefinitely in case they were ever in contact with asbestos.

So such an organisation needs to retain those workers’ records, but likely has no need to retain its receptionist’s data. Again, this is you meeting your relevant policies and obligations to be compliant, not the system. The system just enables this customisation to your specific case.

HRLocker allows you to trim the information retained down to what has a tangible or legal justification – and to demonstrate that in ‘one bucket’.


Setting your policies

Ultimately, it is your policies meeting the regulations that will make you compliant.

Let’s take recruitment, and the retention of data from CVs you receive, as an example. How long should you keep applicant details following a job application?

What is a realistic and justifiable period to retain this information in line with your recruitment pipeline’s lifecycle? Only you can define this, not the system.

Do you inform applicants what your policies are – and why? (E.g., you might state in an automated response to applicants that you like to keep CVs for future or alternative opportunities you may have – and request their consent.)

HIRELocker is secure and will satisfy auditors with regard to security standards. But you will only be GDPR compliant if you have the right policy – with an appropriate reason and purpose – on how long you store the data.

(If you are concerned about policy setting and Best Practice, please note that HRLocker offers First-Call HR Support on Professional price plans upwards. We are happy to assist you with setting up processes and are always interested to hear your business case. Just-for-Fun Read: If You Automate a Crap Process, You Just Get Faster Crap)

The HRLocker system is fit for purpose, but you have to define the policy template for retention periods – and why they are set to whatever period you agree and declare.

So, if you have a request to delete data, it’s easy to manage and demonstrate diligent handling and purging of data with a cloud solution like HIRELocker or HRLocker.

If you have disparate records in multiple systems and/or cannot refer to a supplier’s Information Security Standards, then you are leaving yourself – and your data subjects’ personal details – vulnerable.

How HRLocker handles data

During a customer’s lifetime as an HRLocker client, HRLocker will act responsibly as both a data controller and processor.

HRLocker will never delete the client’s data – until an account is terminated – and then all data is deleted permanently from the system (although we will retain information such as that customer account’s financials to meet our own record-keeping duties).

Therefore, it’s your responsibility to manage the data you hold within the system, and to remove it and handle it responsibly once you have extracted it.

In summary:

HRLocker will not make you compliant. Only you can do that, by setting the appropriate policies. But HRLocker gives you the tools to manage data responsibly and to demonstrate both your accountability and our integrity as a supplier. All data is stored in the EU.

We’d be happy to discuss this and any other business issues relevant to your People Management processes at any time. You can sign up for a 14-day free trial using the link at the top of this page. (No credit card required.)

GDPR and HR was last modified: April 18th, 2018 by Brian McDowell
