A colleague recently asked whether we, as the supplier of the HRorganizer system, get into trouble because of the GDPR: whether our system is allowed to process and store assessment data at all, given that some authorities even regard certain assessment data as medical data, with all the legal complications that entails. In this blog I will explain what the GDPR includes, which measures HRorganizer has taken to comply with it, and our plans for a personal, digital safe.
The General Data Protection Regulation, or GDPR, is a European law that took effect in 2016. The law is meant to protect persons with regard to the processing of personal data. Organizations have until 25 May 2018 to prepare for this law and get things in order. It is a trending topic in the business world.
In a nutshell
Wikipedia explains what the GDPR is and how implementation in the Netherlands is regulated. In short, this concerns:
Integrity: the data must remain accurate and protected against unauthorized access.
Compliance: the responsible party must be able to demonstrate this.
Permission: for the collection and application of personal data, the person concerned must know his or her rights and give permission.
Sustainability: the data must be deleted when it’s no longer needed.
Integrity is something that system engineers pay a lot of attention to because when data is incorrect or falls into the wrong hands it directly causes a lot of damage. HRorganizer has made every effort to secure this during the construction, design, and management of the system. This is also the reason why so-called processor agreements are concluded with supply chain partners (e.g. hosting).
The compliance obligation has become more important than before, so this is where most organizations are focusing. Many personal details end up in systems that are not managed by the party responsible for them. This definitely applies to services in the cloud, and therefore to license holders of HRorganizer. For this reason, HRorganizer has adapted its model license agreement and expanded it with the provisions needed for GDPR compliance.
Permission for the use of an individual's personal data is requested implicitly in many systems by showing a sentence such as: "if you continue you give permission for the use of the answers." It is very questionable whether this is still sufficient. For this reason, HRorganizer has provided a routine for applicants' selection data for some years now. In this way the participant is the first to receive the results of the online assessment and can choose whether or not to share these results with the organization.
Sustainability has been a subject of discussion for psychometric data for a long time, but this discussion was mainly focused on the usability of old data. It is no longer sufficient to delete outdated data: data must be gone when it is no longer needed for the purpose for which it was collected. A solution for this will be available in the HRorganizer system in the short term.
Your own personal safe
HRorganizer has plans to go much further than this. Since its founding 12 years ago, HRorganizer has striven to realize an online vault in which the individual becomes the owner of information about his or her characteristics, behavior, ambitions, development, talents, performance, you name it. For example, the assessment results of a rejected applicant will automatically disappear from the organization but remain accessible to the applicant, and may even be useful for an application with another employer. In this way a digital work file, e-portfolio, digi-cv, hr-safe, or whatever you want to call it, will arise.
My hope is that the GDPR will stimulate this development further, and that it puts power behind movements that ensure that I myself become the owner of the data that other parties collect about me. I will then decide who has access to my personal data safe, and when, whether it concerns medical, financial, tax, training, or of course work-related data.