GDPR and Onboarding

GDPR goes live May 25th, 2018. But what does that mean for you, your onboarding processes, and your business? What is GDPR anyway and why should you care?

If I were to over-simplify, the General Data Protection Regulation (GDPR) is legislation that regulates data protection and privacy for individuals within the European Union (EU.) The goal here is to give people power over their own personal data while unifying the EU regulatory environment for international business.

As a business, if you have recruiters/ hiring managers/ candidates/ applicants/ employees associated with the EU – or if you export any personal data outside the EU – you will be impacted and must comply with the new regulations. The question is – are you ready?

If your answer is “no!?!?” then you’re in the right spot. I’ll walk you through what you need to know in terms of onboarding and…

  1. Privacy and Consent
  2. Data Access
  3. Data Correction
  4. Data Export
  5. Data Deletion

PLEASE NOTE: There are a lot of grey areas within GDPR and the following advice is for informational purposes only. So, if you believe that GDPR could be pertinent to your organization and want legal advice – reach out to your legal team.

Privacy and Consent

When people say “privacy” in terms of GDPR and onboarding, they’re really saying that you’re required to inform new hires about what you’re doing with their data. The best way to do that is through a privacy policy written in clear, plain language. If your legal team enjoys reading it, then you haven’t done a good enough job. Keep it short, simple, and to the point.

Your privacy policy – at a minimum – must cover:

  • Notice of collection
  • Awareness of processing
  • Processing details

This is where consent comes in. After reading that privacy policy, new hires will need to decide if they still want to go through with the process.  If they consent to having their personal data collected and processed, then they’ll begin onboarding.  It’s also important to note that the new hire can withdraw their consent at any time. The processor (i.e. the onboarding provider) MUST respect the new hire’s decision and put the hire on hold. At that point, the new hire can come back to you and continue with onboarding, or ask to be removed from the system.


Data Access and Correction

The big question we’ve been getting lately is: “What level of access should we grant hires when it comes to their personal data?”

Short answer: complete access. It’s their data, and they get to access it – and adjust it – anytime they want to.

The great part about the Click Boarding platform is that the same portal they use to enter this data is the same portal they use to get access to view that data. If they notice that something’s wrong, we let them update it via a new process. Want to see how? Click here.


Data Export

What happens if the hire wants to export their information? What does that process look like?

At this moment, if a new hire in the EU wants a copy of their data, then the onboarding provider or employer can – and often will – make them pay for it. It usually costs about $15, and that’s more than enough for most people to say “Nope! Pass.”

After May 25th, the new regulation states that processors (the onboarding provider) and/or controllers (the employer) must provide copies of this data to the new hire free of charge when they request it.

At Click Boarding we go about this one of two ways:

  • Hires can log back into the same portal that they used for data entry and correction to download their onboarding data in a common format that’s easy to access.
  • We can export that data to the controller, and then they can disperse the data to the hire as they see fit.


Data Deletion

You may have heard the term “right to be forgotten” tied to GDPR. But what does it mean? Essentially, the data owner has the right to request data deletion. This is a very real thing that your provider has to account for. At Click Boarding, we built the platform with the idea that that’s not our data. It belongs to the hire. It’s been a part of our culture since the very beginning – and it will continue to be a part of our culture as we move forward.

In terms of GDPR and onboarding, the right for the owner of the data to request its deletion must be honored “without undue delay.” So, either you or your provider has to accommodate ASAP.

With one exception.

Country specific forms have become an area of contention when it comes to data deletion and the GDPR. For example: In the United States, all new employees must provide employment verification (Form I-9) prior to starting that job. With it being a federal mandate, we can’t delete that document without putting our clients into a hard spot if they get audited. After confirming with legal, Click Boarding has decided NOT to delete the Form I-9 until a clearer interpretation of the regulation is released. If you aren’t already a Click Boarding client, I strongly suggest checking with your current provider to see what their process is sooner rather than later.


Other Things to Consider

When it comes to GDPR and onboarding:

The GDPR isn’t a replacement for your Information Security program. It’s built on top of it. So, get familiar with your Information Security program, and study up on your onboarding provider’s.

  • At Click Boarding, we lean on Soc 2 Type 2 protocols to keep clients’ sensitive data is secure. Want to know more? Reach out at any time.

Understand where your data is. What that means is – if Jane has personal data on her laptop and Jim has data that he’s putting in a SharePoint site, you need to know it. If you don’t know where that data is, and you aren’t showing employees where that data actually needs to be, then you won’t know if it’s truly been deleted when “the right to be forgotten” kicks in. This can be an incredibly costly oversight during an audit.

Remember, not everything needs to, or can, be solved with technology. People and process are a great asset within the GDPR if you’ve trained them properly.

You’ve got to build this regulation into your culture and make it a part of your business. GDPR is a great thing for new hires to have control over their data and a fantastic opportunity to become a more informed and secure employer. So embrace it, and make it a part of who you are and what you do.

Security & Compliance