GDPR Came into Effect in May 2018!
The European Union's data protection regulation, the GDPR, came into effect in May 2018. This has a material impact on you as an HR practitioner, since you hold a vast amount of employee data.
What is Required by GDPR?
You can read the full text of the GDPR. The idea is that, in a world with GDPR, the following should not happen:
- Your personal data, which may reveal your identity, is collected without your knowledge
- The party collecting your data states the purpose and scope of collection in a statement printed in font size 2
- Your data is transferred to third countries
- The database is hacked, but no one informs you that your data has been stolen
- You do not know your legal rights, such as the right to request deletion or to ensure data accuracy
Although the GDPR is an EU regulation, it applies worldwide. In practice, if your clients or employees are EU residents, they can still file a complaint in an EU country against actions or policies that violate the GDPR, even if you are a Hong Kong company.
The maximum penalty for a violation is 4% of worldwide revenue or 20 million euros, whichever is higher.
Impact on Human Resources
Here are a few points that can help you avoid violating the GDPR:
1. Redefine the Scope of Data Collection
Usually, collecting employees' data with their consent is deemed safe.
However, the relationship between employer and employee is not exactly balanced, especially for existing employees. Therefore, the legal basis of employee consent may still be open to challenge.
The safest approach is therefore to ensure that the data collected from employees is indispensable, such as name, HKID, professional qualifications, etc.
For data such as personal email, Instagram account, weight or spouse information, which are not directly related to the employment, even if we obtain employees' consent for collection, such collection may still be subject to legal challenge in the future.
We should revisit the scope of data collection and limit it to data related to the employment relationship.
At the same time, for data already collected, if we find that such data is not necessary, we should delete it and inform employees of the deletion.
2. Let Employees Know Their Rights
Per GDPR requirements, we should let our employees know their rights, such as:
- To ask the employer to clarify what personal data has been collected, where it is stored and for what purpose.
- To ask the employer to correct their data.
- To ask the employer to delete their data after termination of employment.
In Hong Kong, employers may refer to local regulation, such as Article 49A of the Employment Ordinance, regarding data retention requirements.
After receiving a request from an employee, the employer should follow up swiftly. To comply with the GDPR, we have to ensure that a reasonable request by an employee is handled within 1 month.
3. Choosing a Dependable Data Processing System
It is definitely not a best practice to store employees' data, payroll data and taxation data in Excel files simply saved on some desktop computer in the company.
Even worse, the data mentioned above may be stored in multiple files, directories and computers. When we want to delete them, we have no idea where to find the files or whether we have deleted all of them.
If the computer is connected to the internet, the data can even be hacked.
Our suggestion: employee data and payroll processing should be centrally handled in an HR System. When an employee makes a request to check his data, HR colleagues can swiftly retrieve it from the HR System instead of searching through all those Excel files.
More importantly, the HR System should be hosted in a safe place. If we are confident in the servers in the company, we can certainly host the system in-house.
However, for an SME that is not particularly confident in its own computers, we can simply request a secure hosting service when procuring the HR System.
In fact, there are many cloud hosting services with certifications (such as ISO 27001, SOC 2 reports, etc.), as Microsoft elaborates on its website.
Instead of forcing our IT colleagues to upgrade the security standard to an international level, perhaps we can choose a secure HR System and host it with a well-regarded hosting service.