EN
What are the ground rules you should follow when collecting, using and securing personal data? The European Privacy Day on 28 January lets us pause to reflect on the procedures to ensure personal data protection. This is also relevant in the HR world, as organisations often hold all kinds of personal data on their employees.
The General Data Protection Regulation (GDPR) went into effect on 25 May 2018. This European Regulation lays down the ground rules for the collection, use and security of personal data. It concerns personal data of your employees, but by extension, data of customers too.
Personal data is a broad term. It's not just about classic data (such as name and surname), but also reports, evaluation forms, photos at the staff party or training, etc.
Not following the rules of the game? Then you risk a significant fine. For example, a fine of 15,000 euros was imposed by the Data Protection Authority (GBA) on an SME that refused to close the mailboxes of former employees.
The GDPR matter is a complex one. The conceptual framework is not simple, and there are various obligations, such as a documentation obligation and an information obligation. Employers often don't know where to start. This roadmap can give you a nudge in the right direction:
1. Map out personal data using a processing register (data registry).
This registry replaces the former declaration to the GBA, and is part of your documentation requirement. In the event of an audit, you can expect the request for this register for sure. The processing register must be continuously updated.
2. Identify the legal basis on which the processing is done.
There are 4 legal grounds:
In the case of the data subject's consent, it is stated that such consent must be free, explicit and informed.
3. Keep in mind the retention periods for this personal data.
The data should not be kept longer than strictly necessary. So you need to work with rules specific to applicable local regulations to map out these retention periods. As part of transparency, you also provide these retention periods by topic in the processing register.
4. Be aware of your information obligation.
For example, you must inform your employees what data is being processed, the retention periods, the right to information if it is necessary to correct the data, etc.
As part of this information obligation, you must also record what ground rules are used internally with regard to the handling of customer data, access to customer data, any sanctions in the event of a breach of these agreements.
You can regulate your information obligation in this context by working with a specific privacy policy, for example.
Pay transparency: from directive to policy
The European directive is set to take effect in a year and a half from now. What does this mean in practical terms for businesses and how transparent are employers already today?
Read moreHow to best organise the (summer) holidays?
The summer holidays are just around the corner, which means employees’ time schedules need to be aligned. What is the best way to go about this as an employer? Which types of absence from work can employees take?
Read moreElections are coming up: what remains to be decided?
In the run-up to the elections on 9 June 2024, there are still some labour issues to be completed and consequently some decisions that remain to be taken. What is the impact on you as an employer?
Read more
