May 25, 2018 is fast approaching: It is the day on which the EU General Data Protection Regulation (EU-GDPR) takes effect. Many businesses are currently involved in intensive preparations for the new and tightened regulations on the protection of personal data. Their efforts often focus on data pertaining to persons outside of their organisations, such as customers, suppliers or job applicants. However, it is equally important to process employee data in compliance with data protection regulations.
Restricting access to personnel data
The personnel files of long-term employees can be rather comprehensive: They may hold recommendations from former employers, training certificates together with the employees’ results, records on performance reviews, their private addresses, mobile phone numbers and social security numbers, sick notes and much more. This short list already shows the sensitive nature of the data that is stored for each employee, and that access to it must be very restrictive.
Personnel files need to be digitised
EU-GDPR requires that personal data may only be processed for its intended purpose and only to the extent that is necessary or appropriate for that purpose. This means that the accounting department which pays the salaries must only be authorised to access the data that is necessary to do so. A member of the HR department who is responsible for training will need access to acquired certificates, completed training courses and training needs resulting from performance reviews – but no more. And if the marketing department is sending an in-house newsletter to the home addresses of employees, it must be able to access the private postal addresses while all other private data remains hidden. These examples show that by May 2018, it will no longer be reasonably possible to keep personnel files in a physical archive.
Achieving data minimisation and purpose limitation with digital personnel files
Solutions that have been designed for the central and digital processing of personnel files, such as the Fabasoft Personnel File, make it possible to define precisely who may access which type of data held in the personnel file. Authorisations for the different document types should be defined centrally and applied to all documents automatically. This approach minimises the risk of human error. At the same time, changes to the authorisations are easy to make and can be carried out in one central location.
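The department examples above and the central, per-document-type authorisations described here, as an added illustration that is not Fabasoft's code: each request must state its purpose, a central policy decides which document types that purpose may read, and everything not explicitly listed is denied. The roles, document types, policy and sample file are constructed assumptions.

```python
# Added example (not Fabasoft code): purpose-bound access to a personnel file.
# A central policy maps each document type to the purposes that may read it;
# a role may only act under its assigned purposes; anything not listed is denied.
# Roles, document types and the sample file are constructed assumptions.
from datetime import datetime, timezone

# Central policy: document type -> purposes allowed to read it.
# Defined once and applied to every document automatically.
POLICY = {
    "salary_agreement":     {"payroll"},
    "social_security_no":   {"payroll"},
    "training_certificate": {"training"},
    "performance_review":   {"training"},
    "private_address":      {"payroll", "newsletter"},
    "sick_note":            set(),  # no routine purpose: explicit grant required
}

# Purposes each role may act under.
ROLE_PURPOSES = {
    "accounting":  {"payroll"},
    "hr_training": {"training"},
    "marketing":   {"newsletter"},
}

class AccessDenied(PermissionError):
    pass

def visible_documents(personnel_file, role, purpose):
    """Return only the documents `role` may see for `purpose` (fail closed:
    unknown roles, purposes and document types are denied)."""
    if purpose not in ROLE_PURPOSES.get(role, set()):
        raise AccessDenied(f"role {role!r} may not act for purpose {purpose!r}")
    return {dtype: content for dtype, content in personnel_file.items()
            if purpose in POLICY.get(dtype, set())}

def watermark(content, user_full_name, organisation, when=None):
    """Stamp a document with who viewed it, for which organisation and when."""
    when = when or datetime.now(timezone.utc)
    return f"[{user_full_name} / {organisation} / {when.isoformat()}]\n{content}"

SAMPLE_FILE = {  # constructed sample, not real personal data
    "salary_agreement":     "EUR 3,400 gross per month",
    "training_certificate": "ISO 27001 Foundation, passed",
    "performance_review":   "2017: training need in project management",
    "private_address":      "Examplestrasse 1, 1010 Wien",
    "sick_note":            "3 days, October 2017",
    "reference_letter":     "former employer: excellent",  # not in POLICY -> hidden
}
```

Note that the sick note and the unlisted reference letter are never returned for any routine purpose: a document type missing from the policy is hidden rather than exposed.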
Documents can also be given a dynamically generated watermark which may hold, for example, the user’s full name, the name of the organisation as well as the timestamp. Again, this reduces the risk of unauthorised use of information which is held in the digital personnel files of employees.
HR managers who process their personnel data digitally can therefore sleep soundly even though EU-GDPR is fast approaching.
My next blog will describe how the Fabasoft Personnel File meets the other basic principles of GDPR and will also highlight the business value it adds for organisations.