GDPR / DSGVO and Personnel files – Experiences from Client Projects
Sep 3, 2018 | by Dennis Gräff | 0 Comments

Personnel Files and GDPR

Even if the term "General Data Protection Regulation", GDPR for short, should not be chosen as the non-word of 2018, it was certainly overused in the months before the new regulation came into force. Now that the deadline passed a few months ago and we have had a really great summer, I want to pick up the topic "in peace" again and share some insights from our client projects, especially regarding personnel files, in this blog.

Personnel files belong to an area in which every company must ensure the protection of its employees' data and are therefore directly affected by the General Data Protection Regulation (GDPR). This applies regardless of whether the files are kept electronically or on paper.

Personnel files in particular often contain sensitive information whose protection should matter to every HR department: criminal records, warnings, perhaps also medical information, to name just a few examples.

In the months prior to 25 May, the day the GDPR came into force, we accompanied some of our clients in implementing the requirements of the regulation in their electronic personnel files. Many of these requirements are mainly organizational in nature. To fulfil the obligation to inform employees, i.e. to tell them that their data is stored in the personnel files, it is basically sufficient to integrate this into the recruitment process. This could of course be automated; but since HR staff are in contact with future employees during recruitment anyway, informing them in person is probably preferable here.

The obligation to provide information about stored data also generally requires only minor adjustments on the technical side, since personnel files are by definition kept in a structured and orderly manner. More important here is to define the process by which such requests can be answered quickly and correctly. A useful supporting technical measure could be a short report that provides a "table of contents" for the personnel file: which documents it contains, and when and, where applicable, why they were filed.

Deleting documents in personnel files – What to consider?
The area in which our projects required the most adaptation of the electronic personnel file systems was the deletion of personnel documents from the files. This is where regulations from many different sources come together: statutory rules on retention and deletion, as well as settled case law that clarifies and supplements these rules. On top of that come the less precise requirements of the GDPR, which state that data may only be stored for a specific purpose.

In order to proceed in compliance with the rules, there is no way around a precise categorization of the stored documents. This begins with obtaining an overview of the document types stored in the files and then defining a technical way to represent these types in the system. For each document type, it is then possible to define which individual rules apply to its retention:

  • How long must the different documents at least be stored? For example, contracts must be stored at a minimum as long as the employee is employed in the company.
  • What is the maximum time up to which they can be stored? For example, warnings may not be stored for more than two years.
  • And – if there is room for flexibility: how long should for example notes from performance reviews be kept?

Efficient implementation of rules with ECM systems and products with machine learning mechanisms
Once the set of rules has been defined, automating its enforcement is usually no longer that complex. If the personnel files are managed in a professional ECM system, suitably specialized add-on products are often already available. An alternative, in most cases economically attractive, is to implement an individual deletion routine. In either case, it should be ensured that the set of rules can be easily adapted via configuration, so that deadlines can be adjusted when necessary: changes in the law and, in particular, clarifications of the regulations by court judgements will certainly come into force from time to time in the coming years.
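As an added illustration of such a configurable deletion routine (example code written for this post, not part of the original article or of any product named in it), the following Python script keeps the retention rules in a JSON configuration, evaluates each document against the rule for its document type and the employee's employment status, and reports per document whether it must be retained, may be deleted, must be deleted, or needs manual review. The two-year cap for warnings follows the text above; all other deadlines, the document types, the employees and the documents are constructed placeholders, not legal advice, and the "as of" date is simply the post's publication date.

```python
"""Configurable retention and deletion check for personnel file documents (illustrative)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed rule set. Only the two-year cap for warnings comes from the post;
# the other deadlines are placeholders and must be taken from the applicable law.
RULES_JSON = """
{
  "contract":           {"min_years": 0, "keep_while_employed": true,  "max_years": null},
  "warning":            {"min_years": 0, "keep_while_employed": false, "max_years": 2},
  "performance_review": {"min_years": 1, "keep_while_employed": false, "max_years": 5}
}
"""

AS_OF = date(2018, 9, 3)  # evaluation date used by the sample run (the post's date)


@dataclass(frozen=True)
class RetentionRule:
    doc_type: str
    min_years: int = 0                 # minimum retention counted from the filing date
    keep_while_employed: bool = False  # minimum additionally runs until the employee leaves
    max_years: Optional[int] = None    # hard cap counted from the filing date; None = no cap


@dataclass(frozen=True)
class Document:
    doc_id: str
    doc_type: str
    employee_id: str
    filed_on: date


@dataclass(frozen=True)
class Employee:
    employee_id: str
    left_on: Optional[date] = None     # None = still employed


@dataclass(frozen=True)
class Decision:
    doc_id: str
    action: str                        # "retain" | "eligible" | "delete" | "review"
    earliest: Optional[date]           # first day deletion is permitted (None = not yet determinable)
    latest: Optional[date]             # day by which deletion is required (None = no cap)
    reason: str


def load_rules(config_json: str) -> dict[str, RetentionRule]:
    """Parse the JSON rule set so deadlines can be changed without touching code."""
    raw = json.loads(config_json)
    return {name: RetentionRule(doc_type=name, **fields) for name, fields in raw.items()}


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 February anchor falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def evaluate(doc: Document, employee: Employee, rules: dict[str, RetentionRule], today: date) -> Decision:
    """Apply the rule for the document's type and classify the document as of `today`."""
    rule = rules.get(doc.doc_type)
    if rule is None:
        # Fail safe: an unclassified document is never deleted automatically.
        return Decision(doc.doc_id, "review", None, None, f"no rule for type {doc.doc_type!r}")
    earliest: Optional[date] = add_years(doc.filed_on, rule.min_years)
    if rule.keep_while_employed:
        if employee.left_on is None:
            earliest = None            # open-ended while the employment lasts
        else:
            earliest = max(earliest, employee.left_on)
    latest = add_years(doc.filed_on, rule.max_years) if rule.max_years is not None else None
    if latest is not None and (earliest is None or earliest > latest):
        return Decision(doc.doc_id, "review", earliest, latest, "minimum and maximum retention conflict")
    if latest is not None and today >= latest:
        return Decision(doc.doc_id, "delete", earliest, latest, "maximum retention period expired")
    if earliest is None or today < earliest:
        return Decision(doc.doc_id, "retain", earliest, latest, "minimum retention period still running")
    return Decision(doc.doc_id, "eligible", earliest, latest, "may be deleted at the department's discretion")


def run_deletion_routine(documents, employees, rules, today: date) -> dict[str, Decision]:
    """Dry run: returns one decision per document; the actual deletion stays with the caller."""
    return {d.doc_id: evaluate(d, employees[d.employee_id], rules, today) for d in documents}


# Constructed sample data (hypothetical employees and documents).
EMPLOYEES = {
    "E1": Employee("E1"),                              # still employed
    "E2": Employee("E2", left_on=date(2017, 12, 31)),  # left the company
}
DOCUMENTS = [
    Document("D1", "contract",           "E1", date(2015, 1, 10)),
    Document("D2", "warning",            "E1", date(2016, 6, 1)),
    Document("D3", "warning",            "E1", date(2017, 1, 15)),
    Document("D4", "performance_review", "E1", date(2018, 3, 1)),
    Document("D5", "contract",           "E2", date(2010, 5, 1)),
    Document("D6", "medical_note",       "E2", date(2018, 1, 1)),  # no rule configured
]

if __name__ == "__main__":
    for dec in run_deletion_routine(DOCUMENTS, EMPLOYEES, load_rules(RULES_JSON), AS_OF).values():
        print(dec.doc_id, dec.action, dec.earliest, dec.latest, dec.reason)
```

The routine deliberately only reports; deleting is left to the caller so that the output can be reviewed and logged first. Two design points matter for compliance: a document whose type has no configured rule is flagged for review rather than silently kept or deleted, and a configuration where the minimum and maximum retention periods contradict each other (for example a cap on a document that must be kept for the duration of employment) is flagged instead of resolved by the code.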

The only remaining question concerns the documents already in the files. If document types have been used in the past, these can be applied. Often, however, the types need to be refined so that all the rules can be reflected.

But even if nothing comparable exists so far, it is not necessary to check all existing personnel documents individually and assign them manually to one of the defined document types. There are products on the market that use artificial intelligence and machine-learning mechanisms to carry out this categorization with very high accuracy. The capabilities of such software products are enormous. Even handwritten documents are no longer an insurmountable obstacle (the famous medical "scrawl" may be an exception). The software offers far more than the usual OCR functionality. An example: even if a letter of application does not begin with the usual formulations, such as "I am applying…", such software products can still classify it by analyzing the content of the entire document (so-called "Content Analytics"), and so store all documents in a GDPR-compliant manner.