Creating a GDPR-proof HR policy. Takeaways from the Beltug N-sight of 17 May 2017


The requirements and rules in the European General Data Protection Regulation (GDPR) are vast and elaborate.  For this session, we zoomed in on the HR point of view, looking into companies’ sensitive data on employees and job applicants.


Presentations from the event are available for Beltug members (after login):


The GDPR isn’t clear yet, so keeping compliant right now is a particular challenge, Peter Van Dyck, Partner at Allen & Overy started.  The Belgian Privacy Commission is still working on enhancing transparency and clarity. But one thing that is clear: there's no room for 'grandfathering'! You have to review your data and processes thoroughly and adapt to the new regulation. Have a look at slide 4 for the GDPR timeline.


Peter gave a brief refresher course on GDPR and an overview of what's new. Fines can rise as high as 4% of a company's worldwide turnover, and while that’s a ‘maximum’, non-compliance carries a significant risk. He noted that appointing a DPO is only relevant when gathering data is your company’s main activity. So even though your employees are crucial to your business, 'employing people' may not be your core business.  On the other hand, if you do handle large amounts of data, it may be advisable to appoint a DPO after all.


Peter then took us through the different stages of an employment cycle, starting with the recruitment stage. He gave us insight into GDPR-proofing your recruitment policies:

  • Purpose limitation: make sure to properly reflect on what you want to achieve with the data you gather and document this (example: you want to achieve a fit with both the job and the company culture - is asking a person's music preference relevant?).
  • Transparency: Don't try to be sneaky when gathering data from your applicants!  As a general rule, the more transparent you are, the more you will be allowed by the Privacy Commission.
  • Retention period: You need a good argument for why you didn’t delete the CV and data of a candidate you didn't hire in a timely manner.
  • Criminal record checks: Consent isn't enough to perform a background check on your candidates - you need legal grounds to do so!


Moving on to the employment stage, Peter emphasised that generally the same rules apply as for the recruitment stage. For the concept of profiling, he explained that the decisions must be automated, and based on all kinds of data.  There are two main consequences:

1) the employee can protest a decision, so that this decision can be reviewed with HR (e.g. a salary raise)

2) you need to be very extensive in the information you share with your employees on how the decision process works and how the algorithm is built.


The final employment stage is the exit.  Important rules include the data retention period and the right to be forgotten (have a look at slide 14 for the details).


Peter concluded his talk with a few tips on how you can prepare (see slides 17-19):

  • Evaluate your data protection policies and procedures
  • Evaluate your communication with data subjects
  • Evaluate your data processing activities


We then moved on to the 'how' of the matter: how to implement the theory on your ICT environment?  Jean-Pierre Bernaerts, CIO at Indaver, emphasised the accountability principle:

  • Responsibility
  • Ownership
  • Evidence (document, document, document!)


25 May 2018 isn't that far away, and Jean-Pierre shared a few quick wins for anyone who isn’t well on the way already:

  • Start an awareness program for all stakeholders
  • Enable disk encryption for laptops
  • Define policies for cloud storage (e.g. Dropbox), internet use, e-mail and the use of personal data in general
  • Document Authorisation & Authentication principles (who may access what personal data, why, how and who decides)


Jean-Pierre illustrated two scenarios (See slides 6-8):

1)Your HR systems are run on premise (own development)

2)Your HR Systems are run in the cloud (third-party development)


As a general rule, he shared, make sure to build in audit trails in your authorisation and authentication processes - in other words, be sure to have evidence.  And at the very least, have all administrators (technical and functional/controller and processor) sign a document that they are aware of their responsibilities, with consequences/penalties if they breach the contract.  This way people are fully aware they can be penalised. "And what about your CV database?", Jean-Pierre wondered.  Slide 10 tells you what to do to on your path to GDPR compliance.  Keep in mind: you can't breach a law to comply with another law!


We finished this highly interactive session with an example letter that the data subjects might use to request information about the data collected on them.  This example shows how a lot of work can go into answering a simple question from an employee. And those letters will come, Jean-Pierre emphasised, so be prepared! For starters, have a good data inventory and try to automate as many steps as possible.

















Dear visitor,

Access to more information about this topic and/or to download the paper is easy and fast, but exclusively for Beltug members (just login to get access).

Beltug gathers a lot of information. Here you find the advantages of Beltug membership

The Beltug Team

Click here to login

>>> Back to overview