The general regulation on the protection of personal data will come into effect on May 25, 2018. In France, HR is already well armed.
4% of worldwide turnover. This is the maximum amount that companies will have to pay if they do not comply with the General Data Protection Regulation (RGPD), which will apply from May 25, 2018. This regulation, initiated by the European Union, aims to better protect consumers' personal data stored by companies. While sales and marketing departments hold a great deal of such data, HR is not left out.
"In terms of personal data, human resources have a real war chest: recruitment, talent management, mobility, training, professional interviews, payroll ... personal data is everywhere, and for anyone with an interest in personal data, it is nitroglycerin," summarizes François Geuze, HRIS consultant and lecturer at the University of Lille. To prevent this potentially sensitive data from blowing up in HR's hands, there are several strategies businesses can adopt. Fortunately, they do not start from scratch.
Recruitment, management, mobility, training, payroll ... in HR, personal data is everywhere
"In France, compared to many European countries, there is already very strict legislation on HR data," says Cécile Martin, a lawyer in labor law specializing in employee data protection at the firm Ogletree Deakins. "HR is, therefore, more prepared for change than other areas of the company," says the expert. Since 1978, the Loi Informatique et Libertés (the French Data Protection Act) has taken the protection of HR data into account, and the legislation has gradually grown. "French legislation is already very protective of HR data. Laws against discrimination, for example, address this problem. Professionals in the sector are already aware of this. The RGPD will mainly bring changes at the margin. For example, employees will be able to access their data within one month instead of two," says Cécile Martin, though the penalties for non-compliance mean there is no room for sitting idly by ...
Control of subcontractors
To be in compliance, HR departments will have to adopt good practices every day that will help them avoid unpleasant surprises. The first thing to do is to be extremely vigilant with the subcontractors who can handle data related to the payment of salaries, recruitment or internal mobility.
"Alas, for the moment, there is no official certification that the subcontractor complies with the RGPD"
"Apart from the very large groups that internalize all their processes, companies entrust some of their personal data to third parties, and in the age of the RGPD, those third parties must be trustworthy," says José Rodriguez, data protection officer (DPO) at Cornerstone, an HR software vendor. Unfortunately, for the moment, there is no official certification that a subcontractor complies with the RGPD, and nothing indicates that one is coming: "The absence of a precise process does not mean that companies cannot do anything. I advise asking the third party for a sworn statement stipulating that the provider undertakes to respect the RGPD. Thus, if a problem arises, the company can prove its good faith. And of course, a company's DPO can conduct an internal audit at its provider. Better still, the DPOs can talk to each other," advises José Rodriguez, who hopes that formal procedures will quickly emerge to secure relationships between HR and subcontractors.
For Cécile Martin, compliance with the RGPD also requires significant legal monitoring, because French law can also sanction certain failures related to the RGPD. The lawyer currently sees two important points that should not be overlooked: "European law requires the companies concerned to recruit a DPO, but French law stipulates that the company must first inform the staff representatives. If it does not do so, it can be punished for the offense of obstruction." The lawyer also identifies another detail that should not be forgotten: "To protect HR data, the RGPD will force some companies to set up a new data processing system. The staff representatives must then be informed, and from 2019, the social and economic committee set up by the reform of the labor code by ordinances."
Article 88 of the GDPR authorizes states to go further than the European regulation on HR data protection
The lawyer also advises HR to pay close attention to Article 88 of the RGPD, which concerns them first and foremost. It states that "Member States may lay down by law or by collective agreement more specific rules to ensure the protection of rights and freedoms with regard to the processing of employees' personal data in the context of the employment relationship, in particular for the purposes of recruitment and the performance of the employment contract." In short, French law can be considerably stricter than the RGPD, hence the need to closely follow legislative activity.
In addition to this monitoring work, HR must also disseminate good practices internally and interact with several sectors of the business. "They should ideally do an internal audit with the IT department (DSI) or an external consultant," notes José Rodriguez. To put this in place effectively, François Geuze advises proceeding as follows: "institute regular and highly sector-specific exchanges. Each database is different, so do not hesitate to devote one workshop to recruitment, another to training, another to the processing of annual appraisal interviews ..."
A (rather) benevolent CNIL
Despite all the precautions, it is possible that HR departments will not be quite ready for the entry into force of the RGPD on May 25. But do not panic. The experts are on the same wavelength: the human resources sector does not have to worry. "Let's be frank: in companies, the RGPD may in the medium term be a shake-up for marketing or sales departments, which sometimes take liberties with the management of personal data. For HR, things are different because the legislation is already substantial," notes François Geuze, who, like Cécile Martin, believes that the RGPD will not change much.
"The CNIL is not going to try to put companies in difficulty"
And even if shortcomings are found in French companies, this does not automatically mean an immediate financial sanction from the CNIL. Cécile Martin, formerly a lawyer at the CNIL, is well placed to know: "In the face of the RGPD, the authority intends to adopt an educational approach. It will be uncompromising on basic rights such as rectification, access to data, the right to object or the commercialization of data, but this has already been the case since 1978 and the entry into force of the Data Protection Act." An opinion shared by François Geuze: "The CNIL is not going to try to put companies in trouble."