Staffology HR and GDPR
Detailed below is guidance on how you can use Staffology HR to ensure your organisation remains GDPR compliant.
Awareness
To raise awareness of the importance of GDPR in your organisation:
- Make key people in your organisation aware of GDPR.
- Read and absorb as much information as possible on GDPR.
To do this, use the following areas of your system:
- Company Handbook - to review, update and maintain your policies and procedures, and to keep employees informed.
- Communication messages on the home screen (configured in System Tools).
- Read & Accept documents - to keep employees informed and create a record of communications.
- Training - to provide:
- Awareness training for all staff.
- Role-based training for DPOs, line managers etc. on the specific responsibilities of their role.
Information you hold
- Document what data you hold, where it came from, and who you share it with.
- Health-check all your current business relationships.
To do this, use the following areas of your system:
- Audit - to help you identify the information you hold.
- Audit Deletion - to remove historical Audit Trail data from your system automatically and permanently.
- Exports & Reports - to help you identify the information you hold.
- Screen Builder - to create new screens to record/collate relevant information (for example, data retention, third-party data transfers, subject access requests, right to erasure requests).
- Directories - to check the information you hold and also to assign new roles to users (for example, DPOs).
- Set Rights - to control employees' access to information. (Set Rights are the system permissions you allocate to employees to control the information available to a user about other employees.)
Communicating Privacy information
Employers must provide employees and job applicants with a privacy notice that sets out certain information, for example, about:
- How long your organisation keeps their personal data.
- Whether data will be transferred to different countries.
- The right to make subject access requests.
- The right to have personal data deleted or rectified.
To take this step successfully, you must:
- Review and update your privacy notices using clear, concise language.
- Review all your current privacy notices and update them to ensure they comply.
To do this, use the following areas of your system:
- Company Handbook - to review, update and maintain your policies and procedures.
- Communication messages on the home screen (configured in System Tools).
- Read & Accept - to keep employees informed about policies and procedures.
- Recruit - to provide privacy information to applicants and new starters.
Individuals’ rights
GDPR provides a number of rights for individuals. These rights are outlined in the rest of this section.
You must review and update your procedures on providing data and deleting data, taking account of individuals’ rights under GDPR.
The right to be Informed
Employers must provide employees and job applicants with a privacy notice which includes certain information. Under the terms of the GDPR, employers may need to provide more detailed information, for example, about:
- How long you keep employees'/job applicants' personal data.
- Whether data will be transferred to different countries.
- The right to make subject access requests.
- The right to have personal data deleted or rectified.
You could use:
- Company Handbook - to review, update and maintain your policies and procedures.
- Read & Accept - to keep employees informed about policies and procedures.
- Training - to increase employees' awareness of how you store and process their data.
The right of Access
This right is linked to subject access requests. You could use:
- Tasks and Automated Event Notifications - so access requests are dealt with promptly and correctly.
- Reports - to identify individual employees' data.
- Set Rights - to give employees read-only access to their data.
The right to Rectification
Use Set Rights to enable employees to view and access their data.
The right to Erasure (‘right to be forgotten’)
You could use:
- Delete Employee (System Tools > Utilities > Tools) - to delete employee data.
- Tasks and Automated Event Notifications - to make sure processes for new starters and leavers include data storage/deletion considerations.
- Audit Deletion - to remove historical Audit Trail data from your system automatically and permanently.
To comply with the right to erasure in Recruit, use the Delete option in the vacancy details on the General tab to delete all data related to a vacancy.
You can only delete a vacancy whose status is Closed, Internal/External or Inactive, and only once you have deleted all its candidates or moved them to a different vacancy.
The right to Restriction of processing
To help you comply with employees’ right to ‘block’ or suppress the processing of their data, apply a Right to Restriction of Processing status on employees’ records. To do this, go to System Tools > Utilities > Tools > GDPR Right to Restriction of Processing, and select Create New.
After you apply this status, the system records the following information and applies the following restrictions:
- The employee who created the status.
- The employee for whom the status was recorded.
- The date when the status starts (mandatory) and the date when the status ends.
- A red banner displays across the top of every screen in the employee's record.
- The employee is excluded from all areas of the system, including the Employee Selector, reports, the Where Clause builder (which lets you filter records using specific criteria), and line manager access (including the Group Absence calendar and direct reports).
To remove this status at the employee’s request, go to System Tools > Utilities > Tools > GDPR Right to Restriction of Processing.
The right to Data Portability
You can use user-defined reports to collate employees’ data and send it to employees as CSV files.
The right to Object
Use the Right to Restriction of Processing banner as a visual aid to remind system administrators about employee objections.
The right to not be subject to automated decision-making, including Profiling
Use the following areas to inform employees when processing their data by automated means:
- Communication messages or privacy notice.
- Recruitment (for employment contracts).
Subject access requests
Review and update your procedures on handling SARs; you must deal with them within one month, free of charge.
To do this, update the following areas of your system:
- Tasks and Automated Event Notifications - to ensure subject access requests are dealt with promptly and correctly.
- Reports - to identify employees' data.
- Set Rights - to give employees read-only access to their data.
Lawful basis for processing Personal data
To take this step successfully, you must:
- Identify and document your lawful basis and update your privacy notices and responses to SARs.
- Review and update all your existing data protection policies.
To help you to do this, use the following areas of your system:
- Company Handbook - to review, update and maintain your policies and procedures.
Consent
To take this step successfully, you must:
- Review and update your procedures on seeking, recording and managing consent.
- Take steps to ensure that employees have consented to the use of their data.
To help you do this, use the following areas of your system:
- Read & Accept - to keep employees informed about policies and procedures.
- Form and Screen Builder - to create forms and screens to obtain and record consent.
In Recruit, use the Consent Message and checkbox to ensure applicants give data storage consent when creating their account.
Children
To take this step successfully, if your organisation deals with children’s data, you must review and update your procedures on verifying ages and parental or guardian consent.
Data breaches
Employers must report any breach of the GDPR to the data protection authority within 72 hours. To do this, you must:
- Review and update your procedures on detecting, reporting and investigating data breaches.
- Check that you have suitable systems in place to notify the regulator if a data breach occurs.
To do this, use the following areas of your system:
- Tasks and Automated Event Notifications - to ensure data breaches are dealt with promptly and correctly.
Data protection by Design and Impact Assessments
To take this step successfully, you must:
- Implement technical and organisational measures to show you have considered and integrated data protection into all your processing activities.
- Check the ICO code of practice on privacy impact assessments.
Data Protection Officers
If your organisation processes personal data on a large scale, you must formally designate DPOs responsible for ensuring compliance.
To help you to do this, use the following areas of your HR system:
- Training - to provide training for DPOs on the specific responsibilities of their role.
- Set Rights - to configure DPO access to employees' records.
- Communication messages - to promote awareness of the DPO to all staff.
International
To take this step successfully, you must:
- Determine your lead data protection supervisory authority if your organisation operates in more than one EU member state.
- Review any arrangements you have involving personal data held outside the UK.