Personal data collection practices in companies should experience disruption as the new EU General Data Protection Regulation (GDPR) is set to come into force in May 2018. HRDs are particularly affected by this reform. Companies will have to demonstrate they protect their employees’ personal information and verify employee consent regarding data processing. Talentsoft has introduced safeguards and best practices for HRDs to support its customers and guide them through these new regulatory obligations. 

Twenty years after the entry into force of its analogous Directive, the European Union plans to strengthen the protection of personal data.¬†This major change brings radically new principles, but also a certain number of vague terms that are open to several interpretations‚ÄĒsometimes to the detriment of legal certainty for companies.¬†

Basic principles (Article‚ÄĮ5)¬†

In short, the Regulation requires a true corporate culture change. The new obligations mainly build on preliminary formalities (Article 5) and on the creation of reporting and control mechanisms. The obligations follow a responsibility and transparency-based approach. In other words, they involve: 

  • Taking data protection considerations on board right from the moment a service or product is designed (by default)¬†¬†
  • Developing internal systems, measures, and mechanisms to guarantee optimal protection for the people whose data is being processed.¬†

What this changes for HRDs 

In practice, this means that HRDs will need to: 

  • Draw up a list of their data processing operations¬†¬†
  • Assess their practices and establish certain procedures (breach notification, complaints management, etc.)¬†
  • Identify risks associated with data processing operations and take necessary measures to prevent them¬†

To do this, HRDs will use the following tools: 

  • A personal data processing register as well as internal documentation¬†
  • Personal Impact Assessments (PIAs) for high-risk data¬†

Measures to ensure GDPR compliance 

The following recommendations were put forward by the French Data Protection Commission (CNIL):  

1/ Nominate a data protection officer 

Any private company whose core activity involves monitoring personal data must designate a data protection officer. The officer’s role is to: 

  • Monitor Regulation compliance¬†¬†
  • Advise the company on how to undertake impact assessments¬†¬†
  • Cooperate with supervisory authority¬†
  • Draw up a list of the company’s data processing operations¬†

 2/ Mapping 

This involves accurately identifying what your company uses its employees’ personal data for. A record of processing activities can be kept to this effect. It contains:  

  • Information about the purposes personal data serves¬†
  • Pursued objectives¬†¬†
  • The name of the data processing body or bodies, i.e. service providers and subcontractors¬†¬†
  • The origin and destination of personal data (can be outside the EU)¬†
  • The date until which the personal data is stored¬†
  • The location where the personal data is stored¬†
  • The security measures taken to protect personal data¬†

 3/ Prioritize according to risks 

The personal data processing operations carried out by your company implies systematic and large-scale surveillance of your employees’ personal information. It is therefore important to: 

  • Ensure that only strictly necessary data is stored¬†
  • Ensure that this data was provided with the explicit and informed consent of each employee¬†
  • Provide modalities for facilitating the exercise of the data subjects‚Äô rights, i.e. right of access to and rectification of personal data, right to data portability, and right to withdraw consent.¬†

 4/ Risk management 

Personal Impact Assessments enable risk identification and management. A PIA contains:  

  • A description of personal data processing operations and purposes of the processing¬†
  • An assessment of the necessity and proportionality of the processing operations¬†
  • A risks assessment¬†

 5/ Proving compliance 

Your company will need to prove that its internal policies comply with the Regulation. Here is a list of documents to submit in the event of an inspection by supervisory authorities: 

  • The record of processing activities¬†
  • PIAs¬†
  • Policies relating to the organization of data transfers outside of the EU¬†
  • Employee consent form templates (and proof of consent)¬†
  • Procedures implemented to facilitate the exercise of data subjects‚Äô rights¬†
  • Subcontractor agreements¬†
  • Internal procedures regarding personal data breaches¬†

Cover picture: Joris Van Ostaeyen/iStock/Thinkstock


[Ebook] Business Transformation: A Considerable Challenge for the CHRO & CIO