According to a Data Legal Drive survey, 40% of Data Protection Officers (DPOs) and lawyers took advantage of the lockdown to bring their companies into GDPR compliance.
As a company, you need to process the personal data of your employees and candidates. You therefore need to set up a protocol for processing this sensitive data, which is governed by the GDPR.
The CNIL provides a set of guidelines to help you comply when processing personal data, particularly in connection with personnel management.
The lockdown has also introduced new processes within companies, such as teleworking.
This article explains how to manage and comply with the GDPR, and the tools at your disposal to help you achieve this more easily. In this way, you can avoid a fine of up to 4% of your company’s worldwide annual turnover.
What is the GDPR?
The General Data Protection Regulation (GDPR) aims to regulate the processing of individuals’ personal data on European territory.
Personal data are processed when they are collected, recorded, stored and so on.
For example: a personnel register.
Personal data refers to anything that enables a person to be identified directly (surname, first name) or indirectly (telephone number, customer number, etc.). A combination of several pieces of information can also be used to identify a person.
For example: address, date of birth and sports activities.
Why is personnel management concerned by the GDPR?
Personnel management is affected by the GDPR, as it involves handling the personal data of the company’s employees and applicants. As such, the Regulation applies, and the company must comply with it or face sanctions.
The data controller’s protocol must also comply with labor legislation, collective bargaining agreements, etc.
What personnel management data is affected by the GDPR?
Employee identification
- Identity: surname, first name, gender, date of birth, family situation, etc.
- Professional status: place of work, internal identification number, etc.
- Work authorization: serial number, type, etc.
Assessing candidates’ skills at the time of recruitment
- Resume
- Cover letter
Employee career and training follow-up
- Career information: recruitment date and conditions, career simulation, etc.
- Professional assessment: interview dates, results obtained, etc.
- Training: diplomas, certificates and attestations, etc.
- Medical check-up records: dates of check-ups, job suitability, etc.
Payroll and related legal obligations
- Social security number
- Compensation plan and basis of calculation
- Etc.
Validation of acquired experience
- Date of validation request
- Title or certificate of qualification
- Etc.
Management of workplace accident and occupational illness declarations, work stoppages and other authorized absences
- Doctor’s contact details
- Date of accident
- Etc.
Situations giving entitlement to special leave or delegation hours
- Data linked to the exercise of an elective mandate
- Firefighter missions
- Etc.
Professional tools or equipment available to the employee in the course of his or her duties
- Internal directories and organization chart
- Business diaries
- Electronic messaging
- Etc.
Management of social and cultural activities implemented by the employer
- Identity of employee and beneficiaries
- Revenue
- Etc.
Professional elections and meetings of staff representative bodies
- Convocation
- Reports
- Etc.
The fight against discrimination, compulsory employment, etc.
Note that the data collected must be accurate and up to date, and may only be kept for a limited period.
6 ways to comply with the GDPR
Collect only the data you need
Data collection must meet specific objectives. In the context of personnel management, the objectives may be:
- Recruitment.
- Personnel administration.
- Payroll management and administrative formalities.
- Providing staff with professional tools.
- Work organization.
- Career and mobility monitoring.
- Training.
- Keeping mandatory registers, relations with employee representative bodies.
- Internal communications.
- Social welfare management.
- Audit, litigation and pre-litigation management.
As a data controller, you must obtain the consent of the persons concerned. However, because of the company/employee relationship, you have a legal basis for processing certain data in very specific situations.
These legal bases can be:
- Pre-contractual measures.
- Legitimate interest.
- Contract performance.
- Legal obligation.
Example 1: applications (resume and cover letter) are processed on the legal basis of pre-contractual measures.
Example 2: internal directories and organization charts are managed on the basis of legitimate interest.
Example 3: remuneration is calculated on the basis of contract performance.
Example 4: the Nominative Social Declaration is based on a legal obligation.
Note that data collected for one purpose cannot be reused for another.
Transparency
A bond of trust is established between you and the person whose data you are processing. So you need to be clear about your intentions.
When processing personal data, you must inform the person of this action. There is no standard on how to keep the person informed.
Nevertheless, information must be “concise, transparent, comprehensible and easily accessible, in clear and simple terms”.
The CNIL (French Data Protection Authority) offers a few examples of information notices to help you here.
Respecting people’s rights
The persons whose data are processed have rights:
- The right to object to processing.
- The right of access, rectification and deletion.
- The right to limitation.
- The right to portability.
In the event of a request for consultation, rectification or deletion of data, you must be able to respond quickly.
Please note that the information covered by these rights does not include data for which consent has been given or data relating to the contract.
Supervising data management
Personal data cannot be accessed by all company employees. Access authorizations must be established.
Within the company, authorized persons are bound by their mission or function.
For example: people in charge of personnel management or payroll.
Other organizations linked to the company may also have access to data as part of their mission or function.
- Employee representative bodies.
- Social insurance organizations.
- The employer’s audit and financial control entities.
- Service providers (catering, document archiving, etc.).
- Cultural and social organizations (social and economic committees, etc.).
Please note that the transmission of data outside Europe is subject to special rules.
Anticipate risks
You need to adapt data processing to specific situations, especially when sensitive data is involved, for example in the event of a work-related accident (social security number, etc.).
Ensuring data security
The company must ensure data security. To achieve this, it must implement a security protocol:
- Raise user awareness through an IT charter, not forgetting to inform those involved in data processing.
- Authenticate users with proper logins and passwords.
- Manage authorizations: sort access and define the right profiles.
- Track access and manage incidents: data breach notifications, logging systems, etc.
- Secure workstations: locking procedures, antivirus, etc.
- Secure mobile computing: backups, encryption, synchronization, etc.
- Protect the internal computer network: VPN, WPA2 protocol, etc.
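As an added example (not CNIL guidance and not the VSA product’s code), here is a small Python model of the rules from the “Supervising data management” and “Ensuring data security” sections: access bound to mission or function, no reuse of data for a purpose other than the one it was collected for, a log of every access decision, and a limited retention period. The category names, roles and retention periods are constructed assumptions.

```python
# Added example: purpose-bound access control over personnel-data categories.
# Category names, role names and retention periods are constructed for illustration.
from datetime import date

# Each category is tied to the purpose it was collected for and the legal basis
# the article gives for that purpose (purpose limitation: no reuse elsewhere).
CATEGORY_PURPOSE = {
    "resume": ("recruitment", "pre-contractual measures"),
    "cover_letter": ("recruitment", "pre-contractual measures"),
    "social_security_number": ("payroll", "legal obligation"),
    "compensation_plan": ("payroll", "contract performance"),
    "medical_checkup": ("career_tracking", "legal obligation"),
    "internal_directory": ("professional_tools", "legitimate interest"),
}

# Authorizations follow mission or function: payroll staff see payroll data,
# HR sees recruitment and career data, every employee sees the directory.
ROLE_PURPOSES = {
    "payroll_officer": {"payroll"},
    "hr_manager": {"recruitment", "career_tracking"},
    "employee": {"professional_tools"},
}

# Constructed retention periods in months (the article only says retention is limited).
RETENTION_MONTHS = {"resume": 24, "cover_letter": 24, "social_security_number": 60,
                    "compensation_plan": 60, "medical_checkup": 60, "internal_directory": 12}

ACCESS_LOG = []  # (role, category, purpose, decision): the "track access" control

def check_access(role, category, purpose):
    """Allow only if the role is authorized for the purpose AND that purpose is
    the one the category was collected for; every decision is logged."""
    entry = CATEGORY_PURPOSE.get(category)
    allowed = (entry is not None and entry[0] == purpose
               and purpose in ROLE_PURPOSES.get(role, set()))
    ACCESS_LOG.append((role, category, purpose, "ALLOW" if allowed else "DENY"))
    return allowed

def is_expired(category, collected_on, today):
    """True once the retention period for this category has elapsed."""
    total = collected_on.year * 12 + (collected_on.month - 1) + RETENTION_MONTHS[category]
    expiry = date(total // 12, total % 12 + 1, min(collected_on.day, 28))
    return today >= expiry

def expired_records(records, today):
    """Return the (category, collected_on) records that must now be purged."""
    return [r for r in records if is_expired(r[0], r[1], today)]
```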
ERP and GDPR: a winning duo?
The CNIL (French Data Protection Authority) offers a set of guidelines to support the protection of personal data relating to personnel management. What’s more, technological tools can provide real support in the compliance process.
This is particularly true of ERP (Enterprise Resource Planning), which makes it easier for your company to comply with European regulations.
Centralized data
The fact that data is centralized in a single information system makes it easier to manage.
Reliable, up-to-date data
As mentioned above, the data collected must be of high quality and up-to-date. In an ERP system, data is constantly updated through the daily activities of employees within the software.
Authorization management
Personal data cannot be accessible to everyone; access depends on mission and function. An ERP lets you define authorizations through its access controls.
Data classification
Data is sorted and organized using the various modules contained in the software package.
Easy access
Employees can easily exercise their rights (consultation, modification, etc.) thanks to simplified access to their personal data.
Transparency
Employees have a global view of the data held on them by the company.
Access via an authentication system
What’s more, the ERP is accessible via an authentication system, which notifies the user in the event of an attempted breach. This ensures the security of user-specific data.
VSA is GDPR compliant
Our VSA solution is a SaaS ERP that offers many features to facilitate GDPR-related processing:
- Data centralization.
- Security management.
- Fine-grained rights management for personal data.
- Anonymization and archiving features.
To find out more: VSA is GDPR compliant. Simplify your GDPR compliance!
To conclude on personnel management and the GDPR
The General Data Protection Regulation is an essential point to take into account in your internal processes, the choice of your service providers and subcontractors, or the choice of your IT tools.
Failure to comply with the GDPR results in a fine of up to 4% of your company’s worldwide annual turnover.
To help you achieve compliance, the CNIL offers a number of tools, including a reference guide to the processing of personal data in personnel management.
IT tools such as ERP offer features to simplify your GDPR compliance.