Employee portal: a tool to protect personal data in HR

Automating human resources procedures and at the same time protecting personal data in HR is possible with Uniksystem's Employee Portal, which collects, stores and eliminates data in compliance with the GDPR.

Maintaining compliance with the General Data Protection Regulation forces companies to be aware. Failure to comply implies high fines, in addition to the impact on the image with stakeholders and, of course, public opinion. The Employee Portal allows you to protect personal data in HR.

The RGPD is a European regulation that considers the protection of individuals in relation to the processing of their personal data as a fundamental right. The legislation is complex, so adopting technological solutions that have, in principle, ways to collect, store and delete data in an automated way and in accordance with the rules, is one of the ways for your company to protect itself and protect its employees and customers.

GDPR: regulation that aims to protect personal data in HR

The purpose of the GDPR, approved by the European Parliament and the European Council, is to harmonize and ensure the defense of the fundamental rights and freedoms of individuals, while also guaranteeing the free movement of personal data between the States of the European Union. As a regulation, it was integrated into national legislation in a direct way, without the need to be transposed (as it would be in the case of a Directive), on 25 May 2018.

The regulation applies to companies in all sectors, from services, to industry, to agricultural companies, which have to pay particular attention to safeguarding their customers' data and also to protect personal data in HR of their employees.

From the recruitment process, to the data used to access the organization's information systems, to the registration of biometric data (such as the use of a fingerprint to access the premises), to the capture of images in the workplace by security cameras and naturally going through the processing of salaries and the handling of information relevant to the entire relationship between the employee and the company, everything has to be carefully taken care of. Organizations must ensure that data is kept securely and that it is not used for any purpose other than the one for which it was collected.

It is necessary to find a balance between what technology allows to do and the risks of collecting and processing personal data, so as not to compromise the good faith of those who provide this data.

When company data is compromised, it is necessary to communicate to the competent authorities – in Portugal, the National Data Protection Commission (CNPD), which has the functions of Control Authority of the regulation –, as quickly as possible.

A good approach to protecting personal data in HR encompasses three main pillars: legal, auditing and implementation of the organizational requirements of companies, to which is added everything related to the underlying Information Technologies.

How to achieve GDPR compliance?

If, in 2018, the big question for companies was how to start working to achieve GDPR compliance, today companies want to know what remains to be done and what degree of compliance they have already achieved. Some essential aspects contribute to the successful implementation of the GDPR:

  1. The involvement of top management, without which it is not possible to have an adequate GDPR approach;
  2. The identification of the degree of compliance must be done through an audit to identify the main assets and residual risks related to information security and data protection. This step is essential to understand which aspects should be given more attention when trying to achieve compliance (vulnerabilities, impact on the company's image and in terms of administrative offences);
  3. Assessment of the company's compliance with the RGPD, accompanied, subparagraph by subparagraph of the legislation. The objective is to check how the company is doing against each point and what measures they have to take to ensure compliance. Here, the Employee Portal is a precious help, as it includes the GDPR rules as a base, to protect personal data in HR.

Transversal, in all companies, it is essential to pay attention to aspects related to the appointment of the Data Protection Officer (DPO), management of security incidents, the relationship with subcontractors, impact assessments for data protection.

If staying in compliance is in itself a good reason for the company to be relaxed, it is essential to remember that the fines are high. In less serious cases, the fine may amount to EUR 10 million or 2% of an organization's annual worldwide turnover, whichever is the greater. In more serious cases, the fine can reach 20 million euros or 4% of annual worldwide turnover, whichever is higher.

What are the special precautions to be taken to protect personal data in HR?

There are three key moments in the processing of personal data in the relationship of an employee with the Human Resources of organizations:

  • during recruitment and selection;
  • during the working period;
  • in the period after the termination of the employment contract.

For each of these moments, it is necessary to implement measures taking into account the legal framework, auditing, information security and measures that have to be applied in companies, such as policies, procedures, training or awareness of workers. Law firms also recommend semi-annual or annual audits to reassess whether progress is being made towards compliance and whether steps have not been taken.

What is the relevant information to collect about jobseekers?

It is important for the development of the work of Human Resources to confirm relevant data on the past of employees, such as the professional and academic training of candidates, or the veracity of former professional positions (background check). However, it is not relevant to collect data from the private sphere of the future employee's life that have no influence on the performance of their duties.

It is the case of requesting criminal records or declarations of non-debt to social security and finances, during the recruitment process. This documentation shall not influence your professional performance. Of course, in specific cases, such as working with children, in security forces or in airports, it can be relevant. The important thing is that only information that is strictly necessary for the performance of that function is collected, which must be evaluated on a case-by-case basis.

What are the main concerns of the data protection officer in relation to Human Resources?

Firstly, due to the need for segregation of functions, the Data Protection Officer should not be responsible for Human Resources.

In addition, the DPO figure must have the necessary technical skills for the function:

Being a difficult profile to find, there are companies that subcontract the DPO function. This Data Protection Officer, whether internal or external, must report to the company's top management and is also a promoter of the data protection message to other employees about security awareness, how to identify an incident and report it, about the procedures to be followed to ensure the privacy principles.

The DPO, however, has an ally in HR, as it will provide support in scheduling information security awareness sessions, but also in transmitting employees' doubts to the DPO. They are also essential in the process of updating procedures, minutes, and even raising awareness of the behaviors to be avoided in order to prevent incidents. Often this awareness is done right after an incident, to avoid repeating the event.

In short, the relationship between the roles of the DPO and HR results in:

  • The awareness of employees;
  • Support to the HR officer in clarifying doubts about data protection;
  • Support in exercising the rights of employees as holders of personal data;
  • In the incident management process;
  • In the updating of processing activities and implemented technical and organizational measures, focused on the processing of data by HR;
  • In internal audits.

Is it possible to store data relating to a recruitment process and protect personal data in HR? Until when?

Yes, but not all data are the same. Protecting personal data in HR is not straightforward. There is a set of information, including personal data, contained in the Labor Code that must be stored for five years. Otherwise the employer is committing an administrative offence. The set of relevant information includes advertisements such as job offers, admission test results, among others. The purpose of this storage is, in the event of an inspection, for the employer to be able to prove that there was no discrimination between men and women during the application and recruitment processes.

There is another set of information which is the data of the CVs received. Once again each case is different. In the case of CVs from spontaneous applications, the employer may be interested in keeping that information for some time, so that, in the event of a vacancy opening, they can consult those CVs. When a company opens a vacancy for a certain position, and of the 100 applications only one is chosen, the curricula of the other 99 must be deleted, because the candidates are running for that specific position and not another.

How can the Employee Portal help my company's Human Resources protect HR personal data?

The Human Resources department knows that the way people work is changing. Managers must keep track of requests and cannot waste time on repetitive tasks related to each employee. Also, switching between the office and remote work will become more and more frequent and employees must stay involved and productive wherever they work. In addition, the company needs to comply with the procedures inscribed in the General Data Protection Regulation and which aim not only at data privacy, but also at the security of that data. It is therefore crucial to protect personal data in HR.

For this purpose, you must use an Employee Portal, a software tool that:

  • it is collaborative;
  • it is always up to date, including on legislative and regulatory matters;
  • simplifies communication with employees;
  • reduces the administrative work of Human Resources;
  • presents insights;
  • facilitates performance appraisals;
  • is prepared for remote work.

The self-service Employee Portal allows you to:

  • employees control their personal data;
  • management monitors and improves team processes;
  • HR is available to complete other value-added tasks.

Features of the Employee Portal

Employees can digitally sign, send and store documents, such as contracts or ID documents. They can consult the timesheet, access the company's communication, notify management or HR, control attendance, submit justifications for absences or requests for vacation days

For their part, management or team leaders can compare vacation and expense overlaps and approve or reject them.

In addition, the Employee Portal is prepared from scratch to:

  • Perform the Digital Onboarding of employees;
  • Make pay slips available;
  • Treat excuses for Absences;
  • Bookmark and approve Vacations.

Advantages of the Employee Portal

  • The tool is pay-per-use, that is, you only pay for what you use;
  • With rules configured by you;
  • No code needed;
  • Meets employee needs while reducing operating costs and increasing productivity;
  • Anywhere and on any device

by Célia Barata – RegTech & HR Business Manager @Uniksystem

Share: