- Knowledge and Opinion
07 August 2017
New General Data Protection Regulation: what you need to know
Neue Datenschutz-Grundverordnung: Das müssen Sie wissen (German)
The new EU General Data Protection Regulation will enter into force on 25 May 2018. It revises how personal information must be dealt with. Although many of the paragraphs remain based on the applicable German law to a great extent, many human resources managers, personnel service providers and recruitment agencies are unsure of how they can prepare themselves for the new legislation. What you need to know about the new General Data Protection Regulation.
There is currently great uncertainty regarding the forthcoming revision of data protection legislation in the field of human resources. Many questions remain unanswered. For example: can applicants’ data still be stored? And if so, for how long?
The content of the new General Data Protection Regulation is not easily comprehensible.
This is true even although human resources managers generally have a background in business studies or a similar subject and are accustomed to reading specialist texts. Many begin to flounder when reading the legislation, as the extremely distinct German legalese is very difficult to understand clearly for those not familiar with the field. Nonetheless, even if the legal texts are admittedly complex and not easily accessible, companies would be ill advised to simply bury their heads in the sand and ignore the forthcoming changes.
General Data Protection Regulation: A brief overview of the main changes
However, this is precisely what many firms do, as a Veritas study revealed not quite six months ago. According to this study, more than half of companies (54 percent) are not prepared for the new General Data Protection Regulation. This is fatal. If the requirements of the General Data Protection Regulation are not implemented correctly, companies can expect to encounter significant legal problems. This particularly affects HR, where sensitive personal information is retained. We have therefore provided a brief overview of the main changes below. For example, from May 2018 onwards, employees must ensure that, when applying, candidates can send in their personal information via an encrypted connection. After all, if sent in unsecured form, a great deal of sensitive information regarding a candidate could fall into the wrong hands. Cybercriminals who acquire this data could then use it to cause significant damage or loss to the candidate. This ranges from hacking the candidate’s email address to accessing personal bank accounts and undertaking actions to damage the candidate’s reputation. Consequently, those using an applicant tracking systems must be sure to ask the provider whether data transfer in recruiting takes place using SSL encryption, for example, and whether this is in accordance with the latest standards.
Information on the type of data collection is mandatory
Furthermore, the General Data Protection Regulation stipulates that, with immediate effect, companies are obliged to inform candidates on the type of data collection after receiving their applications. For example, the applicants must be notified of the purpose for which the information will be processed and the period of time for which it will be retained. Many companies already take this in account and therefore arrange for candidates to be sent an automatic confirmation of receipt. However, given the new regulation, it is worthwhile to take another look at the template, so as to establish whether it actually contains all of the necessary information.
Data protection: for how long can personal information be stored?
We now come to another question that is often asked in the field of human resource management: for how long can personal information be stored? Nothing is changing here. At present, data can already only be stored until the application process is completed. This will continue to be the case. However, all legislation includes exceptions: accordingly, it is theoretically possible that a legal dispute with a rejected candidate may still arise some time after the post has been successfully filled. Companies may therefore retain the data in their systems for as long as they fear that they could still hear from a candidate’s lawyer. What is more, there is no unambiguous legal statement regarding the maximum permitted retention period. In general, however, pertinent recommendations from experts indicate that the data should not be stored for longer than six months. Anything beyond this period should be secured with a declaration of consent from the candidate.
Purpose of data storage
We now come to Article 15. This now stipulates that, from May 2018 onwards, applicants can request to know the purpose for which their profile information is being retained, at any time. This makes comprehensive documentation vital. However, please also always consider saving comments on the reason for the data retention in the applicant management system. This is admittedly tiresome, but recommended. After all, with applicant data protection, the burden of proof always lies with the employer, or with the personnel services provider or recruitment agency. In the event of a legal dispute, these entities must be able to prove that they have done everything possible to protect candidates personnel data in an appropriate manner.
What penalties can be imposed for data protection violations?
If this is not the case, they are at risk of painful penalties, which have been further increased in the EU General Data Protection Regulation. In fact, those breaching the provisions of the Regulation will be liable to pay fines of up to 20 million euros or four percent of their global turnover. The changes that will apply to companies as far as data protection is concerned should therefore certainly not be taken lightly. Anything but! For the first time, violations of the data protection provisions could threaten the existence of the company responsible.
What companies should do now
What must be done now? Companies who maintain their applicant data management system on in-house servers should carry out detailed checks to determine whether this satisfies all of the security guidelines. There may be a need for new processes and standards, and where applicable these must be put in place before May 2018. And what about those who use software from the cloud? Should the data be deleted as a precaution? No. In principle, cloud operators are responsible for the security of their cloud, and the majority handle this responsibility with care. However, there are also black sheep. Consequently, if they have any outstanding questions, users should certainly contact the cloud solution provider directly. Better safe than sorry.
What about cloud systems?
The cloud solution provider should be able to provide the requested information on all critical areas of data protection. For example, it is important that the solution providers are not operating their clouds with outdated software versions that do not guarantee sufficient protection. This is negligent and makes it too easy for criminals to steal sensitive data or influence business processes. But do not panic: in general, the operators’ data centres are up to date with the latest data protection. This is not only because the most recent firewalls and security software are doing their jobs, but also because the processes within the data centres of reputable cloud companies are monitored and certified by external parties. When choosing a provider, for example, potential software users should take note of certificates such as the ISAE 3000 report, which HR solution provider Carerix possesses. But as stated above: asking a few too many questions costs nothing and protects against high penalties in the case of doubt!