In part 2, we talked about steps to creating GDPR-compliant data privacy policies for your organization. In this final installment, we will look at the steps to take to ensure your organization and vendors who process data for you are on the road to compliance.
According to a recent Forbes article, 96 percent of businesses with operations or employees in the UK, Germany, and France admit that they are underprepared for the General Data Protection Regulation (GDPR), despite the law becoming effective May 2018.
To comply with the GDPR, your organization will likely need a data protection officer, you will have to review and revise your employee agreements and any policies related to employee data, terms of use and privacy, and review your third-party vendor agreements along with their data security processing policies and procedures. It’s important to note that the responsibility for compliance does not fall solely on the vendor – it’s the primarily the business that shall be fined if using a software tool in violation of the new data privacy rules.
Most importantly, you will need to identify what personally identifiable information (PII) you have, how it gets processed and stored, and then educate your staff on the new requirements related to security and privacy.
When it comes to PII, the HR department is sitting on a treasure trove of names, addresses and phone numbers plus social and health insurance numbers, credit reports, payroll and bank account information – rich targets for hackers seeking valuable information for identity theft.
**GDPR compliance starts with awareness, and requires asking new questions regarding how and why data is received, processed and stored**. Take stock of what data you collect, map how that data moves through your business process, and identify where it gets stored. Do you really need the data? For how long? Who has access to it? What protections are in place to secure it?
In part 1 we covered what constitutes personal data, and determined that EU employee information falls clearly into this category. In part 2 we highlighted the fact that the GDPR requires gaining consent from the data subject (for this discussion, your employee) for what data you are collecting, why and what you are doing with it, along with the requirement to protect it.
In many cases, you may find you are storing some personal data for no good reason, and can dispose of it once you are done with it. You may also discover that you can protect privacy and retain important bits of data at the same time.
Under GDPR, there are three broad categories of data:
- Personal data. Personal data is any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
- Anonymous data. Anonymous data is any information from which the person to whom the data relates cannot be identified, whether by the company processing the data or by any other person.
- Pseudonymous data. Pseudonymization is a form of de-identification. Some sets of data can be amended in such a way that no individuals can be identified from those data (whether directly or indirectly) without a “key†that allows the data to be re-identified. A good example of pseudonymous data is coded data sets used in clinical trials.
The GDPR recognizes the privacy-enhancing effect of data anonymization by providing exceptions to many of the most burdensome provisions of the regulation when steps are taken to de-identify personal data. The GDPR also allows controllers and processors who pseudonymize personal data more leeway when it comes to processing the data for a purpose other than the one for which they were collected.
According to Germany’s Federal Data Protection Act, “rendering anonymous†means “the modification of personal data so that the information concerning personal or material circumstances can no longer or only with a disproportionate amount of time, expense and labor be attributed to an identified or identifiable individual.â€
In other words, companies can store employee data that is not perfectly anonymous, but sufficiently anonymous such that privacy is preserved without considerable technical time and expertise. In other words, if you cannot identify a person from the data (either directly or indirectly) then the GDPR rules shall not apply.
Additionally, the GDPR allows for pseudonymisation of data to satisfy the requirements of privacy, commonly referred to as “privacy by design.†Using pseudonyms instead of personal data means one cannot identity a person (again, directly or indirectly) without a corresponding “key.†An example might be encrypted data, or data for clinical trials in which the subject identity is coded. Such keys must be secured and kept separately from the data.
**By making it impossible or impractical to connect personal data to an identifiable employee, companies are permitted to use, process and publish such information in just about any way that they choose**. For many of your business processes, whether managed internally or by a third party, employing these techniques will make compliance much easier.
HR and communications leaders are often overloaded with rapidly changing demands, from educating and informing employees, onboarding new employees, managing benefits programs and participation, to encouraging and monitoring employee engagement.  Adding the important responsibility of protecting the privacy of personal data related to employees, candidates and contractors might be easy to ignore or push off as a job for the IT or legal departments. But with GDPR, the rules of engagement with personal data have changed, and the biggest threat to compliance is your own employees access, use and potential inadvertent disclosure of such data. For those of us who work with employee PII every day, communication and education regarding the new responsibilities is the first step forward.