Presentations from the event are available for Beltug members (after login).
The GDPR isn't clear yet, so staying compliant right now is a particular challenge, began Peter Van Dyck, Partner at Allen & Overy. The Belgian Privacy Commission is still working on improving transparency and clarity. But one thing is clear: there's no room for 'grandfathering'! You have to review your data and processes thoroughly and adapt them to the new regulation. Have a look at slide 4 for the GDPR timeline.
Peter gave a brief refresher course on the GDPR and an overview of what's new. Fines can rise as high as 4% of a company's worldwide turnover, and while that is a maximum, non-compliance carries a significant risk. He noted that appointing a DPO is only relevant when gathering data is your company's main activity. So even though your employees are crucial to your business, 'employing people' may not be your core business. On the other hand, if you do handle large amounts of data, it may be advisable to appoint a DPO after all.
Peter then took us through the different stages of an employment cycle, starting with the recruitment stage. He gave us insight into GDPR-proofing your recruitment policies:
Moving on to the employment stage, Peter emphasised that generally the same rules apply as for the recruitment stage. On the concept of profiling, he explained that it covers decisions that are automated and based on all kinds of data. There are two main consequences:
1) the employee can contest a decision, so that it can be reviewed with HR (e.g. a salary raise);
2) you must provide your employees with extensive information on how the decision process works and how the algorithm is built.
The final employment stage is the exit. Important rules include the data retention period and the right to be forgotten (have a look at slide 14 for the details).
Peter concluded his talk with a few tips on how you can prepare (see slides 17-19):
We then moved on to the 'how' of the matter: how do you implement the theory in your ICT environment? Jean-Pierre Bernaerts, CIO at Indaver, emphasised the accountability principle:
25 May 2018 isn't that far away, and Jean-Pierre shared a few quick wins for anyone who isn’t well on the way already:
Jean-Pierre illustrated two scenarios (See slides 6-8):
1) Your HR systems are run on premise (own development)
2) Your HR systems are run in the cloud (third-party development)
As a general rule, he shared, make sure to build audit trails into your authorisation and authentication processes - in other words, be sure to have evidence. And at the very least, have all administrators (technical and functional, controller and processor) sign a document acknowledging their responsibilities, with consequences/penalties if they breach it. This way people are fully aware they can be penalised. "And what about your CV database?", Jean-Pierre wondered. Slide 10 tells you what to do on your path to GDPR compliance. Keep in mind: you can't breach one law to comply with another!
We finished this highly interactive session with an example letter that the data subjects might use to request information about the data collected on them. This example shows how a lot of work can go into answering a simple question from an employee. And those letters will come, Jean-Pierre emphasised, so be prepared! For starters, have a good data inventory and try to automate as many steps as possible.
"80 companies gathered for the @Beltug session on a GDPR-proof HR policy, audience a mix of HR and ICT managers" — Danielle Jacobs (@daniellebeltug), May 17, 2017
"Big challenge for hr is to write policies in easy to read for all employees #beltug" — Mic V Adam (@micadam), May 17, 2017