No responsible company seeks to breach GDPR. So why do most of them do it? This is very much down to human behavior and bad habits. Fortunately, there is a solution. After reading our 4 steps to GDPR compliance you will know what it is.
Running your HR and recruitment processes in Salesforce makes great sense. It is a flexible tool, and it helps everyone get on the same page efficiently. Still, you must take care that you don’t put your foot in the wrong place.
To help you avoid the worst GDPR pitfalls, we have created a 4 step checklist. Let’s dive in.
Step number one is to make sure that you have a complete record of all your employment contracts – including the documents leading up to them. Why? Because they contain personal information. This might seem obvious. However, we see companies fail over and over again – despite their great intentions.
Employment contracts are scattered all over the companies we visit. We find the applications, the drafts, and the old revisions lying around in binders, on laptops and file servers, in Outlook, in SharePoint, and as attachments to Salesforce records.
“Your employee register tells what you should have on record. But collecting every employment contract in your company may prove a bigger task than you expect.” - Steen Munksgaard
Step number two is to understand why you are allowed to have each of your HR documents on record.
It is pretty obvious why you are allowed to have employment contracts on record. As a company you need to keep track of your obligations towards your employees. This also applies the other way around.
Additionally, each contract serves as documentation towards the authorities. This includes the tax authorities. And actually … that’s all, unless you've gained explicit approval for any other use. Exactly the same criteria apply to all the documents leading up to the contract: the application and any documents related to the processing of that application. Unless you have secured explicit permission to keep them on record, you simply can’t.
“Unless you classify each of your documents, it’s almost impossible to determine why you are allowed to keep it on record.” - Steen Munksgaard
When you know which employment contracts, or any other documents, you have on record – and why you have them there – you must document how you use them. For the latter, it is especially important to document how you ensure that the contracts and documents are not misused.
For each document type you have to document in which processes it is used – and who can get access to the document. When it comes to employment contracts, access should be restricted to the employee, his or her immediate manager, and the relevant staff in HR and Payroll. Additionally, all relevant persons must be instructed on when it is acceptable to use this access.
So, to sum up, step number three is to document when and how you use each of the HR documents.
“With automatic access logging, it’s so much easier to prove that only the right people have accessed documents with personal information.” - Steen Munksgaard
In the “good old days”, you’d keep employment contracts, applications, and other HR documents on record indefinitely. Just in case, you know. With GDPR in place, this is just not an option anymore. Period. Unless you've gained explicit permission, you must get rid of the contract when the employment is terminated and the period you are required to keep financial documentation has expired. For applications and documents used in the candidate evaluation process the acceptable period is even shorter. Months instead of years.
Please be aware that even if you have obtained permission, it may be revoked at any time in the future. The so-called right to be forgotten applies unless you have solid cause to override it.
“Without complete document classification and systematic retention policies, it is an overwhelming task to make sure that all documents are discarded in due time.” - Steen Munksgaard
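As an added illustration (not code from this page or from Next® for Salesforce), the Python sketch below ties steps 2 to 4 together: every document carries its classification and legal basis, access is limited to the people named in step 3 and every attempt is logged automatically, and a retention check flags what is due for deletion. The retention periods, user names and document ids are assumed placeholders, not values from the page.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# ASSUMED placeholder periods: the statutory period varies by jurisdiction, and the page only says "months instead of years" for candidate documents.
FINANCIAL_RETENTION = timedelta(days=5 * 365)   # contracts, counted from the end of employment
APPLICATION_RETENTION = timedelta(days=180)     # applications, counted from creation

@dataclass
class HrDocument:
    doc_id: str
    doc_type: str                 # "contract" or "application" (step 2: classify every document)
    subject: str                  # the employee or candidate the document is about
    manager: str                  # the subject's immediate manager
    created: date
    employment_end: date = None   # None while the employment is still running
    consent: bool = False         # explicit permission to keep it beyond the legal basis

@dataclass
class Repository:
    docs: dict = field(default_factory=dict)
    staff: set = field(default_factory=set)        # users working in HR or Payroll
    access_log: list = field(default_factory=list)
    def access(self, user: str, doc_id: str, today: date):
        doc = self.docs[doc_id]
        # Step 3: only the employee, the immediate manager, and HR/Payroll staff may open it.
        allowed = user in (doc.subject, doc.manager) or user in self.staff
        # Automatic access logging: every attempt is recorded, granted or denied.
        self.access_log.append((today, user, doc_id, "granted" if allowed else "denied"))
        return doc if allowed else None
    def due_for_deletion(self, today: date) -> list:
        # Step 4: a document is due for deletion once its retention basis has lapsed.
        due = []
        for doc in self.docs.values():
            if doc.consent:
                continue          # an explicit, unrevoked permission keeps it on record
            start = doc.employment_end if doc.doc_type == "contract" else doc.created
            period = FINANCIAL_RETENTION if doc.doc_type == "contract" else APPLICATION_RETENTION
            if start is not None and today >= start + period:
                due.append(doc.doc_id)
        return due
def demo() -> dict:
    # Constructed sample: one ex-employee's contract and two applications, one kept under consent.
    repo = Repository(staff={"hr1"}, docs={d.doc_id: d for d in (
        HrDocument("C1", "contract", "alice", "bob", date(2015, 1, 10), employment_end=date(2018, 3, 31)),
        HrDocument("A1", "application", "carol", "bob", date(2019, 1, 1)),
        HrDocument("A2", "application", "dan", "bob", date(2019, 1, 1), consent=True))})
    today = date(2019, 9, 1)
    granted = [repo.access(u, "C1", today) is not None for u in ("alice", "bob", "hr1", "dev1")]
    due_now = repo.due_for_deletion(today)
    repo.docs["A2"].consent = False   # permission revoked: the right to be forgotten
    return {"granted": granted, "log": [e[3] for e in repo.access_log], "due_now": due_now,
            "due_after_revocation": repo.due_for_deletion(today), "due_2024": repo.due_for_deletion(date(2024, 1, 1))}
```

Running demo() shows the engineer "dev1" denied and logged, the application A1 due after six months while A2 stays on record until its consent is revoked, and the contract C1 only becoming due once the assumed financial retention period after the employment end has passed.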
Obviously, you can handle your employment contracts using Salesforce, SharePoint, Excel or Outlook. However, it’s no easy task. My experience is that you can ease your work-life and strengthen your GDPR compliance by implementing a dedicated and unified repository. This could be Next® for Salesforce.
Next® for Salesforce allows you to build a unified repository of documents with everything you need. You get:
And perhaps the best part? The solution is seamlessly integrated into your Salesforce. Often the implementation can be done within 7 days.
We help companies manage their GDPR challenges with easy-to-use software and a pragmatic approach. We’ll be happy to help you, too. If you have questions related to GDPR, just send me an email or give me a call. Can’t wait to hear from you.