General Data Protection Regulation (GDPR) adopted by the European Union (EU) in April 2016 to safeguard an individual’s personal data will be effective from May 2018. This regulation supersedes the current Data Protection Directive (DPD) and will apply to all 28 members of the EU. As a first step towards this change, organizations are evaluating their current business processes and technical controls for securing personal information. It is expected that many existing processes would require changes in order to meet GDPR requirements.
Let’s look at what various GDPR requirements would trigger changes to the HR tech software.
- Consent:
Before collecting any kind of personal data, the data controller must have proper consent from the data subject. The consent should be very specific as to what data is to be collected and where that data is to be used. Also GDPR provides additional advantage to data subject where he/she can withdraw the consent at any point of time. - Privacy by Design :
GDPR insists on minimizing the privacy risks of the data. Data controllers are required to implement appropriate technical and organizational measures in order to ensure that data protection principles are met. - Quantity of data:
According to GDPR, data controllers should collect only appropriate and right amount of data from data subjects. For example, considering HR Tech domain, if an employer wants to get his employees’ personal data, then he should collect only relevant data and not more than that. - Right to erasure:
When the data provided by subject is no more relevant or useful to its intended purpose, then GDPR provides a right to the subjects to ask controllers to delete/erase that data. Also, whenever any employee leaves any company, then after his off boarding process he can ask his employer to erase his personal data. - Right to access:
GDPR allows the data subjects to know whether their personal data is being processed, where and for what purpose. Also on request, data controllers will need to provide an copy of personal data to the subjects in an electronic format. - Data Portability:
This right allows data subjects to export their own personal data from one data controller to another. For example, after off boarding of any employee, GDPR allows the employee to take all his personal details in machine readable format directly from one employer to another.
To support above mentioned regulations, HR Tech system will have to implement different provisions in their solutions. Some of them are mentioned below:
- Should be able to identify Personal Identifiable Information (PII) that has to be protected under GDPR.
- Store metadata information on how this PII is being processed. Who can access the data, what data can be shared, where the data is stored, whether data is being accessed outside EU and which all processes are going to use the data.
- Pseudonymise the data so that it is not readable without providing the additional information. This additional information needs to be kept separate from the data.
- Design the systems in such a way that only required personal information is accessible to different processes and only relevant information is shared that is required for processing
- Store the personal data such that it is loosely coupled with the processes and easy to be erased without impacting the system.
- Personal information should be easily accessible by the data subjects and they should be able copy it on an electronic media.
- Implement way to detect data breach and notify to respective stake holders.
Under GDPR, companies will under certain circumstances be legally required to carry out a Direct Protection Impact Assessment (DPIA) or Privacy Impact Assessment (PIA) prior to the implementation of a technology or prior to the application of a product. Under some circumstances, companies may need to appoint Data Protection Officers (DPOs) to comply with GDPR guidelines.
HR Tech solution providers around the globe impacted due to GDPR guidelines have started adopting those changes. Some basic requirements like right to erasure, data portability and privacy by design may turn out to be complete redesign of the existing solution. If you have not yet started to validate your HR Tech solution with GDPR, its better than to be late.