A growing number of companies see the benefit and need to make their HR administration GDPR-proof. Yet the majority of SMEs keep their HR records in separate Excel documents in a shared folder (Google Drive / Dropbox / One drive). This is worrying in terms of data security and does not meet the GDPR regulations.

Besides the damage caused by unsafe data storage, SMEs can also be fined. The Authority for the Protection of Personal Data (Autoriteit Persoonsgegevens) has recently started to check data security and compliance with the GDPR. A Dutch company with 25 employees (article only available in Dutch) received a fine of € 15,000.00 for the unsafe data storage and storage of health information. The latter is prohibited by law.

How do you deal with the GDPR surrounding HR?

When it comes to the GDPR, people usually think about how to handle customer data. What is often forgotten is that companies also need to think about how they handle the tracking and storage of personal data of their employees. A good and secure HR software package is recommended. You can read all about GDPR on the website of the Authority for the Protection of Personal Data (page in Dutch), but below we give you some tips for making your HR administration GDPR-proof!

Improve the security of your HR administration

As described, it is important to comply with the GDPR regulations. But what are things you need to pay attention to. To comply with the GDPR legislation we have written down a number of points that you can watch out for to ensure a secure HR administration. Note that every situation and company is different, so to fully comply with the GDPR regulations it is recommended that you involve a specialist.

1. Do not share any documents with personal details on shared folders in a cloud

It sounds very obvious that you need to ensure that data is properly protected between employees. In practice, however, we often see that Excel Spreadsheets about leave are shared with the entire company, which means that everyone has access to privacy-sensitive data. Sometimes this even includes things that are really sensitive. Sharing HR documents via a Google Drive, Dropbox or One Drive can quickly lead to an GDPR problem. The problem is that unauthorised employees can access personal data.

2. Do not store ‘special personal data’ such as health data

It’s natural that when an employee calls in sick, you ask what is going on out of genuine interest. However, as an employer you are not allowed to ask for these health data and especially not store and document them. These health data are seen by the GDPR as “special personal data” and aren’t allowed to be saved. However, you are allowed to ask what address the person who’s calling in sick is staying at and write that down.

3. Use HR software that is GDPR-proof

To make sure the right information is requested and saved it is smart and valuable to select a software package that is specialised in doing so. HoorayHR is an example of this, because it takes into account user rights, data security and storing information in the right way.

 4. Use a password protocol (and a password manager)

In addition to storing personal data correctly and choosing a secure tool, there are of course other things you can do as a company to keep data safe. An important tip for keeping data safe is to set up a password protocol for the entire company. A password protocol defines, for example, how many and which characters a password should contain at least (for example, a unique password of 24 characters, with capitals, numbers, lower case letters and punctuation) and that everyone should have a personal login to applications and should not share passwords. In addition, your protocol describes how often passwords should be changed.
This ensures that access to accounts is as secure as possible and that it is not passwords that someone can guess or that someone with one password has access to many different programs.

To properly implement a password protocol, a password manager is recommended. A password manager allows you to generate complex and unique passwords, store them securely, and manage them. Examples of password managers are 1Password and KeePass.

5. Create extra security with two-factor authentication

If you want to use an additional safety measure, opt for two-factor authentication (2FA). With 2FA, you need an additional device, linked to the account, to access your program. Well-known examples are logging in with a code per text message or a separate app on your phone that generates a temporary code. At HoorayHR we also offer two factor authentication to make everything as secure as possible.

6. Ask a specialist or legal expert for help

To ensure that your company and HR administration is truly GDPR-proof, it may be wise to speak with a specialist and/or legal expert. Together you can assess what personal data is stored where and whether additional measures are necessary.