IAPP CIPT – Lawful Processing of HR Data, Contracts & Recruiting Part 4

13. Contracts of employment – what to look for

Hi guys. Let’s discuss about the contracts and what to look for. The GDPR has introduced a new principle of accountability and employers now have a positive obligation to evidence their compliance with the data protection principles. As part of this exercise, employers should make time to review their contracts of employment and also the employee data protection policies and practices. To get themselves what we call GDPR ready, employers should as a minimum do the following review contracts of employment and consent forms and create the data protection policy.

We will discuss about data protection policy in the following lesson so why you need to review contracts? You need to do that in order to, one, ensure any data protection provisions to remain included in employment contracts are clear, specific and plainly worded and two, ensure that if consent is to be requested, it is sufficient for the intended purposes. The GDPR will introduce a higher hurdle for obtaining consent to process personal data requiring that consent must be unambiguous, specific, informed and freely given via a clear restatement of affirmative action.

And we discussed about that. The usual blanket consent in employment contracts and opt out mechanisms for obtaining consent are unlikely to be effective, as the general wording in the clause will be insufficient to comply with the GDPR requirements and the employee, particularly one in a more junior role, is unable realistically to choose to reject one particular clause. Before signing the employment contract, employers should consider instead relying on a different valid ground for processing employees personal data, such as where the processing is necessary for the performance of the contract or for the purposes of the employer’s legitimate interests.

This is because an employee will be able to withdraw consent at any time to the processing. If the employer relies on consent as a valid ground for processing data which would create significant difficulties for the employer where consent is still required, such as when obtaining occupational health reports, then employers should obtain separate consents outside. Of the contract of employment to deal with the processing of data and particularly sensitive personal data, to be known as special categories of data under the GDPR for specific purposes. Clear records documenting the content and also how it was obtained.

That means to be able to demonstrate the processing is in accordance with the GDPR will become all the more important. As such, having clear technical and organizational processes in place within the HR teams is a must and such processes will need to be kept under review to be compliant. Employers should be mindful that if consent is sought but the employee refuses, then the employer is unlikely to be able to revert to another basis for processing. Hence, employers should think carefully before seeking to rely on consent. Further, data obtained by consent carries additional rights for all the individuals.

14. Data Protection Policy

Hi guys. Let’s discuss about Data Protection Policy a data protection policy should ensure that your employees understand why data protection is important, what personal data is, and the consequences of noncompliance. With substantial penalties for bridge, including fines of up to 4% of the annual worldwide turnover or 20 million. It is important to have a comprehensive data protection policy alongside any additional privacy notices, which explains your data protection responsibilities to your employees, informs them about your collection and use of their personal data, on what basis and why, and ensures that each person is aware of their individual responsibilities when handling personal data as part of their role.

Policies covering, for example, CCTV, social media and It, which are employee facing, will need to be revisited as well. In order to satisfy the accountability requirement. However, there must be more than a paper exercise. Employees must at the least be trained and compliance kept under review. The policy explains in plain language the data rights of employees. The GDPR clarifies and strengthens existing data rights of individuals and creates some powerful new rights. Individuals will need to be informed of their data rights in clear and plain language, which is easy to understand and cannot be hidden by employers. Again, having clear processes in place to facilitate these rights will be key to not breaching the GDPR.

In reviewing your procedures to ensure that discover all the data rights of your employees, you will need to review the capability of your systems to allow you to meet your obligations. For example, how easily will you be able to locate and delete data when asked for personal data to be deleted? In meeting a request for data portability, can you provide the data in a structured, commonly used and machine readable form?

The policy should include details about the employer’s systems for dealing with compliance, including applying the data protection principles. Employers should put in place data protection, operating audit and record systems to demonstrate compliance, such as the details of the standard expected of staff responsible for processing data or mandatory training, including details of those responsible for overseeing the completion of such training or how, when and by whom regular compliance checks will be carried out to ensure the policy is being adhered to. In practice, the use of privacy impact assessments and privacy by design should also be clearly communicated.

In turns, employers will need a system for ensuring data held, including as part of the systems is accurate and up to date and not kept for longer than is necessary details. The employer systems for detecting and dealing with data breaches should also be included in the policy. Again, the policy should set out clear guidelines on what amounts to a data breach and the procedure to detect, report and investigate any breach, as well as guidelines for appropriate record keeping.

Also, the policy should set out clear rules and guidelines about how an individual’s right to be forgotten will be complied with. The GDPR will provide employees with a new right to require their employers to delete personal data in circumstances where a the data is no longer necessary for the purpose in relation to which it was collected b consent to processing has been withdrawn if the employer has relied on the employee’s consent to process their personal data.

C the personal data was processed in breach of the GDPR. D the personal data has to be deleted to comply with the legal obligation or e the employee objects to the processing. And there are no compelling grounds to trump that objection. Such as the data being required in legal claims involving the employer? The policy should also provide details about a process via which employees can withdraw their consent to certain types of data processing. If you are relying on an individual’s consent to process their data, that consent must be GDPR compliant. Employers cannot rely on pre-ticket boxes or silence to assume consent.

The rights to withdraw consent should be clearly highlighted to employees. Employers will be obliged under the GDPR to ensure that the process of withdrawing consent is as straightforward for the employee as the process for giving it. Managers and HR teams will need to understand this in order not to inadvertently make the withdrawal process more or more difficult. The policy also sets out details of the employer’s process for dealing with data subject access requests or SARS. Employers should take note of the additional information which must be provided and new requisite time frame for responding to data. Subject access requests under the GDPR, for example, without undue delay and within one month or three months in. Cases which can be shown to be particularly complex and also set out a clear process which will assist it to comply with this requirement.

A specific subject access policy and training for those who will dealing with them under the GDPR would be also advisable. Any template, subject access request, acknowledgement and response letters will need to be updated accordingly. The policy needs to provide details of the organization’s nominated data protection officer, or DPO. Public sector employers and private employers who process sensitive personal data on a regular, on large scale basis must appoint a DPO who will be responsible for providing compliance advice and bridge notifications. Also, other employers will benefit from appointing a suitably trained individual as a data champion.

Any appointment into a DPO capacity will carry with it mandatory obligations under the GDPR which would not apply to a data champion. Given the scale of the forthcoming changes and the consequences of breach. Employers and third party HR service providers will benefit from conducting a thorough audit of current data processing systems, practices and documentation to determine what changes are required. In the end, the policy should state when and how international transfer of data take place. .

Employers who transfer personal data internationally, including where an employer uses equipment or resources located in another country, will need to inform employees about how and when this occurs and the safeguards in place, as well as where those safeguards can be found. Employers need to ensure that employees do not allow personal data to be inadvertently transferred to another country without the appropriate safeguards being in place and the correct process being followed to ensure the transfer is compliant. The constant use of email in today’s workplaces could easily give rise to such a breach.

15. GDPR terms and how they relate to recruiting?

Hi, guys. In this lesson, we will define how all the topics and rights discussed before apply to HR recruiting and how this process is affected. What are the basic GDPR terms and how do they relate to recruiting? In respect to the recruiting function, the GDPR refers to candidates or data subject dates are the data subjects because they can be identified through personal data they give to companies. For example, their resumes may include their names, physical addresses, or phone numbers. The GDPR exists to protect this kind of data. Members of hiring teams are also considered data subjects under GDPR, but their own data will not be processed in the same extent that candidate data will.

Employers or Data controllers employers or recruiters who serve as their company’s main representatives to candidates determine the purpose of collecting candidate personal data. This makes them the data controllers who are fully responsible for protecting candidate data and using it lawfully. And then it’s the Applicant Tracking System or ATS and other recruitment software services or data processors. Your ATS is a data processor because it processes candidate data on behalf of your company, following your company’s instructions. Data processors often have sub processors, and we discuss more about subprocessors in our course related to GDPR, cloud service providers, or CSPs.

So how does the GDPR affect recruiting? Here are a few key directives of GDPR that affect the daily work of recruiters and also the hiring teams. One you need legitimate interest to process candidate data. GDPR obliges you to collect data only for specified, explicit and legitimate purpose. This means, for example, that you can source candidate data as long as you collect job related information only and you intend to contact source candidates within 30 days.

Two you need to have candidate consent to process sensitive data. GDPR requires you to ask for consent when you want to process data, like disability information, or cultural or genetic or biometric information, or even information gathered for a specific survey or a background check. In these cases, you must ask for consent in a clear and intelligible way and provide candidates with clear instructions on how to withdraw their consent if they wish to. You need to be transparent about processing candidate data. Companies must have clear privacy policies, and recruiters are obliged to make those policies available to candidates. You must also disclose where you store candidate data, for example, your ATS, and state that you will use this data for recruitment purposes only. You need to assume responsibility for compliance. This is accountability.

Your company needs to be able to demonstrate compliance with the GDPR. For example, under GDPR, your company is responsible for who it does business with, for example, an ATS provider or sourcing services. If your contractors fail to comply with the law, your company is accountable as well. Also, you are obliged to comply when candidates exercise their rights under GDPR. Five candidates have the right to be forgotten.

Candidates have the right to ask you to delete and stop processing their personal data. You must locate every place that you keep their information for example, spreadsheets and delete it within one month. After receiving the candidates request. Six candidates have the right to access their data and ask you to rectify it. Candidates have the right to ask what data of theirs you hold. They can also request that you make corrections to any inaccuracies and rectify that you must grant both requests within one month and provide candidates with a free electronic copy of their own personal data.

16. Map your recruiting data

Hi, guys. In this lesson, we will discuss about mapping your recruiting data. One of the first things that your company must do to prepare for GDPR is to conduct a companywide data audit. This process will show what kind of data your organization collects, how, why, and from where. As far as as recruiting data goes, you must be clear about where and how you find and store candidate names and contact details, as well as other identifying information.

Here are some questions you should be able to answer when the data audit is completed. One what are our candidate sources and how do we collect personal data? An example would be gathering candidate data via application forms linked from your job ads. Two what kind of data do we collect and how much of it do we actually use? An example is asking candidates to provide their email, home address and phone number.

You must be certain that all this information is needed for your recruiting, which is called legitimate interest. Otherwise, you shouldn’t be collecting it. Three how do we use personal data in our operations? An example would be using candidate data to screen candidates and judge their suitability to progress to interview. Four where do we store and who has access to the data? An example would be storing candidate data in spreadsheets or an ATS and sharing them with hiring things. Five how does data flow within our company across processes, functions and departments? An example would be how candidate information is transferred from sources to hiring managers, to hiring team members so they can contact those candidates. And six, what are our processes for sharing, transferring, modifying and deleting data? Again, if you use predischief to track candidate data, what process do you have for correcting, inaccuracies or sharing the documents?

• Category: Uncategorized