The GDPR requires all companies operating in the European Union to adopt its policies, processes and practices to manage the personal data of their customers, users, suppliers and employees. The objective of these regulations is to standardise the rights of European Union residents relating to the fair and secure use of their data.
HR teams are particularly affected by these standards. As the data controller for your employees, it’s your responsibility to ensure that the way your organisation handles and stores their personal data complies with the GDPR’s standards. Ciphr’s HR solutions are designed to support your HR teams in achieving GDPR compliance.
HR software is particularly valuable for organisations that collect and store employee data. Outdated data management methods, such as insecure paper or Excel-based filing systems, place your organisation at risk of security breaches. Recruitment software can also help you better manage data belonging to job applicants – which can often be held insecurely, and disjointedly, in email mailboxes or on paper records. An integrated HR and recruitment solution provides a seamless, secure and reliable data management solution that supports data security through the employee lifecycle.
Ciphr proudly offers off-the-shelf GDPR and information security eLearning courses through our subsidiary company, Marshall E-Learning, to help you deliver GDPR training across your organisation.
As a trusted processor of our customers’ data, Ciphr takes numerous steps to ensure that the appropriate technical measures are in place to deliver a secure environment for our solutions. We are always looking to enhance our security measures and have incorporated multiple layers of encryption technologies, protective monitoring, and auditing solutions.
Our applications and infrastructure are regularly assessed by both internal and external vulnerability and penetration-testing programs using our internal Certified Ethical Hacker (CEH) resources, as well as through a partnership with several external CREST-accredited penetration testing organisations.
Ciphr’s internal security forum, led by our head of information security, meets regularly to review all the security measures we have in place – including associated policies and procedures – to ensure they are maintained appropriately. The forum also creates and delivers regular training and awareness sessions relating to all areas of information security for all Ciphr employees. All Ciphr employees are also background checked to a minimum of the BS7858 standard.
All our technical measures, policies and procedures are externally audited by the British Standards Institute (BSI) each year to validate our ongoing compliance with the Information Security Management System (ISO27001:2013) framework, which we have maintained since 2014.
To ensure we are fully compliant with the GDPR we have invested in external training to ensure we have certified GDPR practitioners within the security forum. We have also conducted specific audits to confirm our data and documents, including policies and procedures, are compliant with both the ISO27001:2013 framework and the GDPR.
"We’re entering a period now where HR professionals need to focus on enforcing the policies they’ve put in place. While the majority of organisations have done the necessary work to write policies, create new procedures and train staff, there remains a question over whether data-protection principles have actually been built into the design of the organisation, to ensure they are being adhered to consistently. It is proof of an intrinsic culture of data protection that the Information Commissioner’s Office (ICO) would be looking for during an inspection."
- Claire Williams, chief people officer and data protection officer, Ciphr
Manage applicants’ data more effectively
- Download data, request consent extension, anonymise records and delete data via the dashboard
- Document consent against employee or applicant records where you have determined that consent is required
- Choose to anonymise leavers’ records instead of deleting them, so you retain access to useful metrics while remaining GDPR compliant
Create GDPR users
- Restrict access to relevant fields for users with responsibility for GDPR
Create automatic notifications
- Set up auto reminders to re-validate consent where required
Enable self-service access
- Comply with subject access requests (SARs) more easily by granting access to data for leavers and current staff, or through a data protection report
Define data-retention periods
- Decide when leavers’ records will be flagged for deletion or anonymisation
Implement policy acceptance
- Confirm staff have read your GDPR-related policies
Ensure your organisation and employees comply with the GDPR’s requirements in every aspect of their work by asking them to complete mandatory GDPR eLearning courses. Our off-the-shelf GDPR eLearning courses, developed by the experts at Marshall E-Learning, help learners to understand crucial data protection concepts, the GDPR’s objectives, and the responsibilities of organisations to comply with the GDPR.
These SCORM-compatible courses are quick and easy to implement via your chosen learning management system, and are regularly refreshed so you always have access to up-to-date content.
The General Data Protection Regulation (GDPR), which came into effect on 25 May 2018, is a set of standards that all organisations in the EU are required to comply with. These regulations govern how personal data is collected, processed, and stored. Any organisation that handles data belonging to a resident of the EU must adhere to the GDPR’s requirements, or face considerable fines.
HR is the keeper of significant amounts of employee personal data, but the onus for maintaining data in line with the GDPR is typically shared among HR and information security teams, and, of course, the appointed data protection officer (DPO). Employers must put in place policies and procedures to ensure employee (and applicant) data is collected, stored and processed in line with the GDPR’s requirements, and that they respond to subject access requests (SARs) within the required timeframe.
Types of employee data covered by the GDPR can include, for example, job and pay records, addresses, next-of-kin information, details of any medical conditions or disabilities, the results of background checks or right-to-work checks, and any other personally identifiable information. Because HR teams, HR managers, and HR practitioners are usually the guardians of an organisation’s employee records, they are responsible (alongside information security teams and the DPO) for compliance with the GDPR in relation to personal, sensitive employee data. HR practitioners and HR managers must ensure they have a lawful basis for collecting and storing data related to employees and job applicants, and that the data is stored only for the required and agreed period (if permissions for data have expired, consent must be captured again, or the data must be deleted or anonymised). They may also have to respond to subject access requests (SARs) from former or existing employees, who, under the GDPR, have a legal right to request a copy of all the personal data that the organisation holds about them.
HR managers must ensure that the technology they use enables them to collect, store, and process employee and applicant data in line with the GDPR. Look for tools such as Ciphr’s HR software, which has an in-built data retention dashboard that enables you to monitor permissions, and to delete or anonymise data as required. Self-service HR software such as Ciphr’s also enables organisations to give employees direct access to their personal data, so they can keep it up to date.
The GDPR is now front of mind when selecting new HR software, and is an important consideration when mapping processes and reasons for data collection and processing. HR professionals need to assess and ensure that personal data is being collected, stored and processed in accordance with the GDPR at every stage of the employee lifecycle. HR is also often responsible for creating an ‘information security-aware’ culture within organisations, which means HR teams need to be familiar with the intricacies and nuances of the regulations. Off-the-shelf eLearning courses such as Marshalls’ information security smart eLearning course (available as part of Ciphr’s compliance eLearning pack) help to ensure that all new and existing employees are aware of the importance of information security, and their responsibility to support organisational compliance with the GDPR.
The GDPR is important in HR for many reasons: the impact of a data breach can be devastating for individuals, as well as the organisation as a whole. Reputational damage, compromised security, and the financial implications of a GDPR data breach fine are significant. The maximum fine for the most serious violations of the EU GDPR is €20 million or 4% of the organisation’s global annual turnover, whichever figure is higher. Infringements of the UK GDPR and Data Protection Act (DPA) 2018 have a maximum fine of £17.5 million or 4% of annual global turnover, whichever figure is higher. The Information Commissioner’s Office (ICO), which supervises adherence to the GDPR in the UK, can also take actions such as issuing warnings; imposing a ban on data processing; ordering data to be rectified, restricted, or erased; and suspending the transfer of data to third countries.
HR professionals have a significant role and responsibility to play in protecting employee data, particularly sensitive personal data. This might, for example, include information about an employee’s health and mental wellbeing. Because the GDPR relates to data and information security, this responsibility more typically rests with IT teams and information security professionals.
We would strongly recommend that you seek your own legal advice if you are unsure about the implications of data protection laws on your business.
The information contained on this website is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice. While we have made every effort to ensure that the information provided on this document is correct and up to date, Ciphr makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied. Ciphr will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information, or from any action or decisions taken as a result of using this information.