How to prepare for GDPR in an HR (technology) context?

05 February 2018

Your form has been successfully submitted.

What does it mean for HR?

There’s no way around it, on May 25th, 2018, the General Data Protection Regulation will officially be enforced. So, let’s make sure you’re well prepared. The GDPR consists of a (large) set of guiding principles on how to store and process personal data. Working with personal data day in, day out, HR will definitely be impacted by this new regulation.

But other departments within your organization might be using personal information as well…

Have you thought about how many reports and excel files circulate within your company which contain personal information?

Are these files distributed via email/ Sharefile / Sharepoint /…?

To whom?

Do you have an archive to store them?

HR plays a key role in creating awarenessand providing the necessary change managementbefore, during and after the transition period. Always keep in mind that:

  • You need to be careful when handling personal information such as names, contact details, … even birthdays. Your data subject has the right to know what you are doing with the data, for what purpose you use it and how you are securely storing their data.
  • It’s your responsibility to keep the data safe as other people might want to access or (miss)use it.

The bottom line of GDPR is that people are in full control of their own data.

When storing/processing personal data of a person as a company, consider this data as a ‘property’ of the person that he/she grants you access to within well-defined boundaries.

How to work with your technology partners in a GDPR compliant way?

As your employees trust you in using their personal data for well-defined reasons, it is important that these well-defined reasons are also fully described and followed up when working with external partners that have access to the personal data of your personnel.
The external partners share this responsibility with you.

There are3 GDPR essentialswhen working with external partners:

1. Data Processing Agreement

Your HR Technology partner does not automatically process personal data, this depends highly on
the scope of the assignment. If data processing would take place, your partner may only process data
when explicitly requested, for the purpose defined by you, the customer. The partner does not collect or store personal data of its customers unless explicitly described in the data processing agreement.

This agreement does not only contain descriptive information like:

• What data is processed
• For how long will data be accessed, processed or stored
• How data will be destroyed or returned to the customer

It also defines certain obligations:

• How data will be accessed/processed/stored securely (organizational and technical)
• How security breaches will be dealt with
• Audit assistance obligations

2. Record of processing activities

Next to a data processing agreement, a record of the processing activities by your partner must be maintained for each process, describing all personal data that is processed:

• The name and contact details of the different processors
• Your partner’s representative and where applicable your internal Data Protection Officer
• The goals of the processing
• Technical and organizational security measures

3. Data breaches

If data breaches would occur, your partner needs to inform you about every data breach immediately after becoming aware of it.

These GDPR essentials when working with external partners provide a basis for a good partnership that keeps the data subject in full control of his/her data.

Related articles


September 3 2019

SAP SuccessFactors Q3 2019: What’s new?

We’ve explored the preview of the SuccessFactors Q3 release updates for you and made a selection of our favourite innovations. Before we dive into the most exciting release updates for Q3 we ...

read more

July 3 2019

Life as an intern at Emeritis

The past 4 months, we welcomed 2 newbies to our crew: Lars & Dries, both students at the AP Hogeschool in Antwerp. They chose Emeritis for their internship and we are really happy they did :-...

read more

June 18 2019

Employer Branding and the Employee Life Cycle

Employer branding is more than the communication flow from you, as an employer, to your future employee(s). Building a strong employer brand doesn’t stop after the contract has been signed,...

read more

'Emeritis' refers to 'Emeritis a Deloitte business'

© 2019 Wadsup. All Rights Reserved.