What do Human Resources departments need to know about Data Protection Policy (GDPR) when using SAP HCM or SAP SuccessFactor systems?
The General Data Protection Regulation (GDPR) will be enforced beginning May 25, 2018, giving Human Resources (HR) departments just a few months to ensure that they have updated their processes for collecting and processing data about employees, former employees, and job candidates.
Maintaining the balance between the protection of the privacy of the workers and the needs of the employer can be tricky. Examples include camera surveillance, geo-location, interrogation of workers, hotlines, internet usage, email, and social networks, etc. There are many laws that apply to these matters, therefore for HR professionals, it remains important to continue to follow US national law developments in the field of privacy in the workplace, in addition to the more generic GDPR compliance for European data subjects.
Three important GDPR articles that HR needs to know now
1) Article 17 GDPR | Right to erasure (‘right to be forgotten’)
Employees, former employees, and contractors will soon be allowed to ask their employer to erase personal data about them in certain circumstances. This may be the case where the information is no longer necessary for the purpose for which it was originally collected, or where the employee has withdrawn his/her consent (see section 3 below). Disgruntled employees are always a topic of discussion for article 17, too.
Depending on your SAP HCM release level, SAP Information Lifecycle Management [ILM] is a free technology that can help meet this articles' requirements. Once you no longer need personal data for the purpose for which it was collected, it should be deleted, unless you have legally documented grounds for retaining it. SAP ILM Retention Management will help to automate a regular review and methodical deleting or blocking of HR databases based on predetermined rules. To help reduce the risk and speed up the implementation, you can also leverage Natuvion's ILM templates, as well as their Data Decommissioning Engine.
** Don't forget that GDPR is overruled by the IRS. For example, depending on geographic location, payroll tax records must be kept for a specific amount of years. Therefore, some HR data can be deleted, like leave of absence requests, but payroll and tax records need to be kept for a set amount of time. **
2) Article 15 GDPR | Right of access by the data subject
The GDPR requires that the data controller provide the data subject with information about his/her personal data processing in a concise, transparent, and intelligible manner, which is easily accessible and distinct from other undertakings between the controller and the data subject, while using clear and plain language. Basically, an employee, former employee, or contractor could request to receive a report of everything a human resource team holds about them (Subject Access Request [SAR]). A great time-saver tool that enables SAP HCM to meet article 15 requirements is SAP IRF, specifically the Generic Smart Search feature. IRF will find that personnel data for you and display it in a report suitable for the employee. It’s important to note that if you have SAP SuccessFactors, you can already run queries to pull this type of personnel data from the system. The development team is already working on making these reports simpler for a future release.
- More information on SAP-Information Retrieval Framework [IRF] -> IRF allows you to search for and retrieve all personal data of a specified data subject. The search results are displayed in a comprehensive and structured list containing all personal data of the data subject specified, subdivided according to the purpose for which the data was collected and processed. A version of this report can be used to inform the data subject on his/her personal data undergoing processing, including the reason (purpose) for processing. The Information Retrieval Framework is available in support packages for SAP NetWeaver:
What do HR managers need to know about subject access requests (SARs)?
The rules around SARs are changing so that if one lands on the desk of the HR team post-GDPR, HR managers will need to respond more quickly. At present, companies have 40 days to respond, but this is reduced down to one month under the GDPR. Also, please note the fees organizations can charge for SARs will also disappear under GDPR.
3) CONSENT: SO, WHAT HAPPENS TO THE IDEA OF CONSENT IN THE EMPLOYMENT RELATIONSHIP?
At the moment, many employers gain consent to process employee data by including a clause in their employment contracts. However, the GDPR will tighten the rules for gaining consent. Consent now needs to be explicit, informed, and given – no longer can it be put in at the back of an employment contract.
HR departments should think about what reasons they could use to justify processing employee data, such as needing to do so to perform a contract or to comply with a legal obligation. HR should use consent agreements as a “last resort,” particularly given GDPR details that employees are never truly free to give consent to their employer. There might be adverse consequences if employees say no, as well as the fact that their consent can be withdrawn at any time.
Instead of consent, the best way for HR teams to comply with GDPR transparency is by keeping the employee or prospective employee informed. This should be done before data is collected and when any subsequent changes are made. It is important to remember that data is not always collected directly from individuals, but may be derived from other data sets, observed by tracking or inferred using algorithms. The GDPR has a mandatory list of the information that must be given to individuals where data is obtained directly from them, but also where it is obtained indirectly. Natuvion's free search tool "Sophia" can be helpful to provide this list from both your SAP and non-SAP systems.
Pseudonymization: a way out for HR teams?
The GDPR introduces a new concept of "pseudonymization", meaning the processing of personal data in such a manner that the personal data can no longer be attributed to a specific individual, without additional information. In a nutshell, it is a technical procedure by which the most identifying fields within an employee’s data record are replaced by one or more artificial identifiers, or pseudonyms.
Pseudonymous data in your HCM system is not a way out of GDPR compliance, but it can be helpful. Data will still be treated as personal data; however, the data will potentially be subject to fewer restrictions on processing if the risk of harm is low. Using a tool like Natuvion’s TDA, the application pseudonymizes the human resource data. The "key" necessary to identify data subjects from the coded data is kept separately, and it helps to provide the technical and organizational security measures to prevent inadvertent "re-identification" of individuals or personal data within the data set.
With over 100 implementations, Natuvion’s TDA is the only official GDPR-certified technology that provides pseudonymization processing across SAP and non-SAP systems and works seamlessly with your analytics systems for data consistency. Another point to note for analytics is that, with the last release of SuccessFactors, the development team already added an attribute called "sensitive." When this attribute is flagged, the data is masked on the screen and for analytical purposes.
Is there a practical starting point?
Experts agree the effective use of technology is critical for organizations to monitor all sensitive EU employee data they hold, and to apply and enforce policies to protect this information. The easiest starting point is to schedule a one-day workshop with Natuvion's expert GDPR team to create your HR road map, which will include your data retention plans and employee data deletion blueprint.
Another great source of information is the SAP Cloud Trust Center.