GDPR: 8 Human Resource problems

IRH was given the opportunity to meet Xavier Leclerc to discuss the HR problems that are still underestimated with regard to the GDPR.

While many large processes, projects and tools have tried to evolve in response to the new imperatives of the GDPR, a number of HR situations and actions today still remain outside its scope and outside the law.

Xavier Leclerc is the CEO of the DPMS group (Data Privacy Management System), a pioneer in the protection of personal data.

As the first DPO (Data Protection Officer) in 2001, Xavier has not ceased to bring his vision and creativity to the industry over the last 20 years. He is known for inventing the “sharing and pooling” principle, and is now developing the “management” principle (accompaniment over a long duration). He created the software ‘Privacil’, a tool that centralises GDPR governance by facilitating the implementation and monitoring of company compliance.

Xavier Leclerc practises his profession with passion. His only concern is to share his knowledge of this technical domain and to exchange on related topics. It is for this reason that he is the founder and President of the Union of Data Protection Officers, as well as a founding member and Honorary Vice-President of the French Association of Correspondents for the Protection of Personal Data.

As a result of our discussion, we invite you to examine eight HR problems, together with their operational solutions in the short to medium term.

1. Employment contracts

The problem:

The overwhelming majority of employment contracts in force today are non-compliant with the GDPR. To comply, they must be amended to include an information clause stating how personal data will be processed and collected, together with the employee's consent (required only for image rights and for the transmission of data to the employee representative bodies, IRP).

Potential solutions: 

Create an internal notice informing employees and the employee representative bodies (CSE, unions) of all processing activities that will be put in place. Integrate an information and collection clause in the employment contract of new recruits.

2. The register of processing activities

The problem:

Taking an inventory and compiling the register of processing activities is compulsory for all companies, without exception. The GDPR does offer an exemption for organisations employing fewer than 250 people, but not when they carry out recurring processing such as payroll. In practice, therefore, no company is exempt from keeping the register.

Potential solutions:

The National Commission on Information Technology and Liberties (CNIL) offers preliminary methodologies and example registers on its website. It is also possible to seek counsel from a specialised consulting firm offering audits, training, accompaniment and even dedicated software such as Privacil. Presenting this register to the employee representative bodies satisfies a second compliance obligation, this time under labour law.

3. Employee representative bodies

The problem:

Xavier Leclerc: “The employee representative bodies (union) are an entity juridically independent of the company, so I always ask this question: for Mother’s Day or other celebrations your union may organise gifts for employees, but how will they access the necessary information about them? Nine times out of ten the response is that the HR department provides this information via an Excel file or e-mail. These are two penal infractions: personal data distribution to unauthorised third parties and misappropriation.”

Potential solutions:

For new recruits, it is recommended to add to their personnel file an information clause and consent to the collection of data to be passed on to the company's social committee. Another solution: ask the social committee to draw up its own information collection form, to be attached to the personnel file in the same way as a mutual insurance form. This shifts the responsibility onto the employee and avoids the two penal infractions.

4. Securing your processing register

The problem: 

The GDPR introduces risks that are both financial and social. The former reporting formalities have been replaced by the register of processing activities, presented to the employee representative bodies and often kept as an Excel file. Since an Excel file remains modifiable and falsifiable unless it is printed and stamped at each deadline, it is imperative that this type of document be secured.

Potential solutions:

Opt for dedicated data privacy software that records who has access, who has connected, where the information has passed, who validated these actions, and the history and traceability of all processing. By providing non-falsifiable evidence before the courts, such software meets the accountability requirement and removes the social risk.

5. Hiring and Recruitment

The problem:

The purposes of the recruitment process and of the hiring process are often confused. For example, recruitment forms may collect data such as salary expectations, diplomas, background and contact details in order to prepare for interviews. They should, however, never collect social security numbers or physical measurements (which belong to hiring, in anticipation of ordering safety equipment or uniforms). For hiring purposes, personal data is often retained longer than necessary once processing has ended (for example, the copy of the social security card used for the preliminary hiring statement).

Potential solutions:

In the context of the preliminary hiring statement, once the process is completed and validated (1 month), the supporting items are not to be kept in the personnel file. Copies of diplomas are not to be kept unless there is a reason that requires them (renewable training). Do not collect personal data disproportionately. For example, don’t ask for copies of driving licences and the number of points employees have left; instead, provide a statement of commitment asking employees to keep their licences up to date and renewed.

6. Data conservation

The problem:

Data retention periods remain long and complex. A number of companies are not fully compliant with the regulations, and the co-responsibility borne by sub-contractors must not be forgotten. Mapping out the many retention periods often leaves gaps. One frequently neglected element is the retention of recordings of board meetings. Beyond the question of retention periods, we must also consider where the data is stored. Is personal data stored with the HRD? Is it secure? Does the facility maintenance agency have a confidentiality agreement with the company?

Potential solutions:

Extract the data that must be retained from the active database and place it in intermediate archives with separate access rights (for the legal department or the HRD in the event of industrial tribunal litigation). For hard-copy archives, secure access with a storage option that allows HR limited access in the event of litigation. In the absence of a lawsuit, after 5 years we purge everything, payslips included (particularly in the private sector, unless retention of these documents is necessary for retirement purposes).

In addition, bring all providers into compliance (at a minimum, add an amendment to their contracts with a strict confidentiality and security clause). Provide the HRD with document shredders. In the case of board meetings, once the official written minutes have been validated (at the following board meeting), the recordings can be destroyed.

7. Employee clearance

The problem:

The formalisation of employee clearances is generally not addressed sufficiently. In the event of an audit, the CNIL would ask for the job descriptions and their clearance levels, both within the HRIS and in the company's global clearance scheme. The “arrival-departure-absence-employee-transfer” procedure does not exist in many organisations.

Potential solutions:

Draft an “arrival-departure-absence-employee-transfer” or “employee development” procedure with your DPO. The aim is to supervise authorisations at creation as well as at deletion, to ensure that only the access required at each career stage is granted, and to regain control over the attribution of clearances. Temporary, work-study and intern positions must not be left out of this process. Refine the access mapping for the HRIS for write, modify and read access.

8. HRIS providers

The problem:

When managing software updates, an HRIS provider can access personal data and can be considered a sub-contractor (processor). Personal data may also be sent to the provider for development testing. Only host the HRIS with certain software publishers: in the event of a security breach or data violation, the provider must notify the company responsible for the processing without delay, and that company must in turn notify the CNIL within 72 hours.

Potential solutions:

Rework the contract with the HRIS provider to include all the co-responsibility and security clauses. Supervise the maintenance processes if maintenance is carried out by the provider. Specify, and make sure it is understood between your company and the provider, that any security leak must be reported immediately. The provider bears technical responsibility and is the front-line representative in the event of a security breach.

IRH would once again like to thank Xavier Leclerc and DPMS for their welcome and for the high quality of our exchange, which allowed us to identify these eight subjects and the leads to explore in order to resolve them.

Pierre Jeambrun

Training & GDPR specialist
