GDPR and resulting changes in our workflow software
The General Data Protection Regulation (GDPR), which comes into force on May 25, 2018, also includes a number of requirements for software that processes personal data. Not all of these requirements are new, but many of them were merely “nice to have” until now and have only been incompletely implemented by software products.
Probably the most important innovation is that a deletion actually has to be a deletion, and that really means a “residue-free” deletion of a specific person including all of their data. In the case of HR software this means that employee data is deleted X years after the employee has left. The X is quite variable and depends on interpretation. What matters is that the company has a documented definition of how long employee data is kept after an employee has left. At the end of this retention period, ALL personal data of the employee who has left must be completely deleted, ideally with a deletion log that records who was deleted and a few statistics about what was deleted.
The GDPR does not define in detail whether an employee’s movement data (e.g., time data) must be deleted during an ongoing employment relationship at the request of the employee or on the basis of an internal data protection guideline. The principle of “privacy by design” does apply, however, i.e., limiting the retention of personal data to the necessary “period of use”; under that interpretation, time data older than 7 (or 10) years would actually no longer be relevant and would have to be deleted.
Changes in Webdesk EWP
The following changes will be implemented in our HR platform Webdesk EWP by May 25, 2018, and will be available with successive updates.
Up to now, master data has only been deleted logically in order to allow easy restoration after an accidental deletion. The principle of “soft deletion” remains, but there is now also a recycle bin from which the deleted objects can be permanently removed. During the final deletion, a log entry is generated which proves during a data protection check that the data of a specific person has been deleted. (The name and date of departure are saved as minimal information for the purpose of identifying the person.) In addition, statistical information about the deleted data is logged (e.g., how many time bookings, absence entries, etc. were finally deleted).
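The deletion workflow described above (logical deletion, recycle bin, final deletion with a log entry that keeps only name, leaving date and statistics) is shown here as an added example; it is not Webdesk EWP code. The table and column names (person, time_booking, absence, deletion_log) and the sample rows are assumptions constructed for the example. Note that the log entry is written in the same transaction as the deletion, and that the final deletion is verified to be residue-free before it is reported as done.

```python
"""Soft deletion, recycle bin and logged final deletion of a person record.

Added illustration, not Webdesk EWP code. Table and column names are assumptions;
the sample data is constructed. Uses only the standard library (sqlite3).
"""
import json
import sqlite3
from datetime import datetime, timezone

# Assumed tables holding personal data keyed by person_id. Every table listed here is
# emptied for the person on final deletion and counted in the deletion statistics.
# (Table names come from this constant, never from user input, so f-strings are safe.)
DEPENDENT_TABLES = ("time_booking", "absence")

SCHEMA = """
CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT NOT NULL, left_on TEXT,
                     deleted_at TEXT);   -- NULL = active, set = in the recycle bin
CREATE TABLE time_booking (id INTEGER PRIMARY KEY, person_id INTEGER, day TEXT, hours REAL);
CREATE TABLE absence (id INTEGER PRIMARY KEY, person_id INTEGER, day TEXT, kind TEXT);
-- Deletion log: only name and leaving date survive, plus counts of what was removed.
CREATE TABLE deletion_log (id INTEGER PRIMARY KEY, name TEXT, left_on TEXT,
                           purged_at TEXT, purged_by TEXT, stats TEXT);
"""


def now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def open_db() -> sqlite3.Connection:
    """In-memory database populated with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO person VALUES (1, 'Example Employee', '2010-06-30', NULL)")
    db.executemany("INSERT INTO time_booking(person_id, day, hours) VALUES (?, ?, ?)",
                   [(1, "2010-06-01", 8.0), (1, "2010-06-02", 7.5), (1, "2010-06-03", 8.0)])
    db.execute("INSERT INTO absence(person_id, day, kind) VALUES (1, '2010-06-04', 'sick')")
    return db


def soft_delete(db: sqlite3.Connection, person_id: int) -> None:
    """Logical deletion: the record stays and becomes visible in the recycle bin."""
    db.execute("UPDATE person SET deleted_at = ? WHERE id = ? AND deleted_at IS NULL",
               (now(), person_id))


def restore(db: sqlite3.Connection, person_id: int) -> None:
    """Undo an accidental (logical) deletion."""
    db.execute("UPDATE person SET deleted_at = NULL WHERE id = ?", (person_id,))


def recycle_bin(db: sqlite3.Connection) -> list:
    return [row[0] for row in db.execute("SELECT id FROM person WHERE deleted_at IS NOT NULL")]


def residue(db: sqlite3.Connection, person_id: int) -> int:
    """Rows still referencing the person in any table; 0 means residue-free."""
    total = db.execute("SELECT COUNT(*) FROM person WHERE id = ?", (person_id,)).fetchone()[0]
    for table in DEPENDENT_TABLES:
        total += db.execute(f"SELECT COUNT(*) FROM {table} WHERE person_id = ?",
                            (person_id,)).fetchone()[0]
    return total


def purge(db: sqlite3.Connection, person_id: int, actor: str) -> dict:
    """Final deletion from the recycle bin: remove all dependent rows and the person row
    in one transaction, write the deletion log entry and return the logged statistics."""
    row = db.execute("SELECT name, left_on FROM person WHERE id = ? AND deleted_at IS NOT NULL",
                     (person_id,)).fetchone()
    if row is None:
        raise ValueError("only objects in the recycle bin may be finally deleted")
    name, left_on = row
    stats = {}
    with db:  # commits everything or rolls everything back
        for table in DEPENDENT_TABLES:
            stats[table] = db.execute(f"DELETE FROM {table} WHERE person_id = ?",
                                      (person_id,)).rowcount
        db.execute("DELETE FROM person WHERE id = ?", (person_id,))
        db.execute("INSERT INTO deletion_log(name, left_on, purged_at, purged_by, stats) "
                   "VALUES (?, ?, ?, ?, ?)", (name, left_on, now(), actor, json.dumps(stats)))
    if residue(db, person_id) != 0:
        raise RuntimeError("residue left after final deletion")
    return stats


def deletion_log(db: sqlite3.Connection) -> list:
    """Log entries as dicts; this is what a data protection check would be shown."""
    return [{"name": n, "left_on": l, "purged_by": a, "stats": json.loads(s)}
            for n, l, a, s in db.execute("SELECT name, left_on, purged_by, stats FROM deletion_log")]


if __name__ == "__main__":
    db = open_db()
    soft_delete(db, 1)
    print("recycle bin:", recycle_bin(db))
    print("purged:", purge(db, 1, "hr-admin"))
    print("log:", deletion_log(db))
```

The `residue` check is the part worth copying: a real system has many more dependent tables than the two assumed here, and a deletion that forgets one of them is exactly the “logical only” deletion the regulation no longer accepts.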
Audit log and audit trail
In order to ensure maximum traceability of changes to personal master data, we will introduce an audit log and an audit trail. The audit log contains the minimum information about who created the object and when, and who last changed the object and when. The audit trail makes it possible to trace, at field level, which information was changed and when.
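The distinction between the two records is shown here as an added example (not Webdesk EWP code): the audit log is a fixed who/when pair per object, while the audit trail grows by one entry per field that actually changed. The `MasterRecord` class, its field names and the sample values are assumptions constructed for the example.

```python
"""Audit log (who created / last changed an object, and when) and field-level audit
trail for a personal master data record.

Added illustration, not Webdesk EWP code. The record structure and field names are
assumptions; the sample values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, List


def now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class AuditLog:
    """Minimal object-level information: creator and last editor with timestamps."""
    created_by: str
    created_at: str
    changed_by: str
    changed_at: str


@dataclass
class TrailEntry:
    """One field-level change: old and new value, who made it and when."""
    at: str
    by: str
    field: str
    old: Any
    new: Any


class MasterRecord:
    def __init__(self, actor: str, **fields: Any) -> None:
        self._data = dict(fields)
        ts = now()
        self.audit = AuditLog(created_by=actor, created_at=ts, changed_by=actor, changed_at=ts)
        # The trail holds personal data itself (old and new values), so it belongs to the
        # person and has to be removed with them on final deletion.
        self.trail: List[TrailEntry] = []

    def get(self, name: str) -> Any:
        return self._data[name]

    def update(self, actor: str, **changes: Any) -> List[TrailEntry]:
        """Apply the given field values. Only fields whose value really changes produce
        a trail entry and touch the audit log; unknown fields are rejected."""
        unknown = set(changes) - set(self._data)
        if unknown:
            raise KeyError(f"unknown field(s): {sorted(unknown)}")
        ts = now()
        entries = []
        for name, value in changes.items():
            old = self._data[name]
            if old == value:
                continue  # unchanged field: nothing to trace
            self._data[name] = value
            entries.append(TrailEntry(at=ts, by=actor, field=name, old=old, new=value))
        if entries:
            self.audit.changed_by, self.audit.changed_at = actor, ts
            self.trail.extend(entries)
        return entries

    def history(self, name: str) -> List[TrailEntry]:
        """All changes of one field in chronological order (what a field-level check
        of 'which information was changed and when' would be shown)."""
        return [e for e in self.trail if e.field == name]


if __name__ == "__main__":
    rec = MasterRecord("hr-admin", name="Example Employee", cost_center="CC-100")
    rec.update("manager", cost_center="CC-200")
    rec.update("hr-admin", cost_center="CC-300", name="Example Employee")
    print(rec.audit)
    for entry in rec.history("cost_center"):
        print(entry)
```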
Under the GDPR, every employee can also request information from their company about which personal data is stored about them, and request a current extract of it. This requirement stems from the principle that a user of a system processing personal data must be able to export the data they have entered themselves in a form that can be processed further, at any time.
Webdesk EWP supports this with a report that exports ALL personal data entered by the user or the HR administrator, or generated by the system (e.g., log information), to Excel or PDF.
Information on data protection
Under the GDPR, EVERY employee has the right to obtain information from their company about which measures are taken to protect their personal data. Webdesk EWP supports this through the existing system messages, in which statements on data protection can be created (e.g., with a link to a website with detailed information) and displayed permanently on the home page.