What does it mean for HR?
There’s no way around it, on May 25th, 2018, the General Data Protection Regulation will officially be enforced. So, let’s make sure you’re well prepared. The GDPR consists of a (large) set of guiding principles on how to store and process personal data. Working with personal data day in, day out, HR will definitely be impacted by this new regulation.
But other departments within your organization might be using personal information as well…
Have you thought about how many reports and excel files circulate within your company which contain personal information?
Are these files distributed via email / ShareFile / SharePoint / …?
Do you have an archive to store them?
HR plays a key role in creating awareness and providing the necessary change management before, during and after the transition period. Always keep in mind that:
- You need to be careful when handling personal information such as names, contact details, … even birthdays. Your data subject has the right to know what you are doing with the data, for what purpose you use it and how you are securely storing their data.
- It’s your responsibility to keep the data safe, as other people might want to access or misuse it.
The bottom line of GDPR is that people are in full control of their own data.
When storing/processing personal data of a person as a company, consider this data as a ‘property’ of the person that he/she grants you access to within well-defined boundaries.
How to work with your technology partners in a GDPR compliant way?
As your employees trust you to use their personal data only for well-defined reasons, it is important that these reasons are also fully described and followed up when working with external partners that have access to the personal data of your personnel.
The external partners share this responsibility with you.
There are 3 GDPR essentials when working with external partners:
1. Data Processing Agreement
Your HR Technology partner does not automatically process personal data; this depends highly on the scope of the assignment. If data processing does take place, your partner may only process data when explicitly requested, for the purpose defined by you, the customer. The partner does not collect or store personal data of its customers unless this is explicitly described in the data processing agreement.
This agreement does not only contain descriptive information such as:
• What data is processed
• For how long will data be accessed, processed or stored
• How data will be destroyed or returned to the customer
It also defines certain obligations:
• How data will be accessed/processed/stored securely (organizational and technical)
• How security breaches will be dealt with
• Audit assistance obligations
2. Record of processing activities
In addition to a data processing agreement, a record of the processing activities performed by your partner must be maintained for each process, describing all personal data that is processed:
• The name and contact details of the different processors
• Your partner’s representative and where applicable your internal Data Protection Officer
• The goals of the processing
• Technical and organizational security measures
3. Data breaches
If a data breach occurs, your partner needs to inform you about it immediately after becoming aware of it.
These GDPR essentials when working with external partners provide a basis for a good partnership that keeps the data subject in full control of his/her data.