Who Has Access to the Personnel File? HR Role and Rights Management According to GDPR

Data protection is by no means uncharted territory for HR departments. However, since the General Data Protection Regulation (GDPR) came into force in 2018, the requirements for HR management have increased once again. Data subjects, including employees and applicants, now have more rights when it comes to how their personal data is handled. At the same time, companies are being held more accountable for ensuring compliance with the respective legal requirements, with GDPR stipulating greater penalties than before for data privacy breaches.

For HR, this means that data protection must be approached in a proactive manner and implemented in all relevant HR processes from the outset. In this blog post, we explain to you the importance of clearly defined role and rights management when dealing with HR data. And we show you a way of implementing this tool for proactive data protection in your business.

Role and Rights Management is Absolutely Necessary in HR

The legal basis for setting up role and rights management in human resources is the need-to-know principle. It derives from Chapter 2 Art. 5 (1b), Chapter 2 Art. 5 (1f) and Chapter 4 Art. 32 (1b) of the GDPR. In essence, the legislator requires companies to ensure that the processing of personal data is subject to a “purpose limitation” and that the “integrity and confidentiality” of the data are sufficiently guaranteed.

This has two practical implications for HR:

  • HR is obliged to apply measures ensuring that personal data can only be viewed and processed within the scope of a specific task within the company. These measures must be implemented on both a technical and an organizational level.
  • HR must document these measures in an authorization concept, which contains a written elaboration of role and rights management.

How Role and Rights Management Works in HR

Data privacy in human resources begins even before role and rights management, with the collection of data. In accordance with the principle of purpose limitation, this data must have a verifiable function, i.e., it must be required for the employment relationship. Role and rights management regulates further access to and processing of this data within a company: who may access the personal data of employees and applicants, how and by what means?

Let’s take a look at three examples of how access rights can be assigned:

Example 1: Administrator A from financial accounting

The administrator is granted access in role and rights management to all employee information that is necessary as part of the payroll process. For example, this may include access to salary and account information as well as religious affiliation.

In addition, role and rights management also determines which type of access is granted. For instance, administrator A from financial accounting may only be allowed to view the information required to do the payroll, but not be able to change or delete it.

Example 2: Administrator B from human resources

Administrator B is responsible for managing digital personnel files as part of their job. In the context of data privacy, they search out information as needed, make changes to entries, and archive employee data. For this purpose, administrator B is assigned a profile in role and rights management that enables them to perform these tasks.

This profile also includes restrictions on the handling of personal data. For example, it may prohibit deleting a complete data record or making technical changes to the data records.

Example 3: Managing director C at management level

The situation is a little different for managing director C. As the person responsible for the company, they are granted full access to all personal data in the system in role and rights management. They can view, create, modify and delete all information on employees and make technical changes.

Standardize and Cluster: Get a Better Overview in Role and Rights Management

From the three examples mentioned above, you could conclude that an individual profile is created in role and rights management for all employees who come into contact with personal data, precisely defining their respective access rights. Although such an approach would be GDPR-compliant, it would be far too time-consuming in practice, as individual roles would have to be defined for each and every employee.

It is far easier to create standardized roles that cover all relevant task areas in the company relating to personal data. For these standardized roles, GDPR-compliant access rights, which are required to perform the respective tasks, are then defined in each case. In the end, this allows specific employees to be assigned these roles.

The benefit of this approach is that when employees join the company, change roles or leave the business, they are simply assigned an appropriate role profile or lose their access rights altogether.

With regard to the examples mentioned above, you could create three different roles and assign access rights to them:

  • Role 1: Financial accounting
    Access right: Query data
  • Role 2: HR processing
    Access rights: Query data, create data, modify data
  • Role 3: Management
    Access right: Full data access

Digital Identities: Access Rights Don’t Only Apply to Individuals

Many processes in companies today run digitally. Personal data is processed, transferred, retrieved and stored using technical infrastructure consisting of both hardware and software. Consequently, the GDPR stipulates that role and rights management in HR not only affects individuals but must also include software programs and devices.

For this reason, the roles formed as part of role and rights management are also referred to as “digital identities”. These apply to software applications and devices as well as to people.

Data Protection in HR: The Digital Personnel File Becomes Commonplace

At first glance, the structure of GDPR-compliant role and rights management in HR described here sounds like a complicated and time-consuming process. However, the requirements of the GDPR have been designed in such a way that they can be implemented very easily using digital tools.

Building on the digital personnel file, you can very quickly set up a software-based authorization concept for role and rights management in your business. Once you’ve set up an authorization concept and implemented it in your company, you’ll not only have taken a major step towards meeting the legal data protection requirements; you’ll also gain a much greater degree of transparency and control when handling sensitive employee data.
