Data protection and security in human resources: 5 Tips for GDPR Implementation in SAP HCM
In human resources especially, companies must adhere to the GDPR requirements for the protection of personal data. This also applies to the use of HR software such as SAP HCM for human capital management. This article explains how the requirements can be implemented effectively within the solution.
Whether job applicants or long-term employees, the human resources department must ensure the protection of the data collected.
In the first two years after the General Data Protection Regulation (GDPR) took effect across the EU at the end of May 2018, the authorities were still relatively reluctant to impose sanctions. In the meantime, however, reports of hefty fines are growing, some of them in the millions, for example at H&M. As reported by Internetworld, the Swedish fashion house is said to have illegally collected sensitive personal data of employees, including health data.
According to the law firm DLA Piper, around 160,000 data breaches have been registered since the introduction of the GDPR in the 28 EU countries, as well as in Norway, Iceland and Liechtenstein, which have signed up to the regulation. According to Bitkom, 79 percent of German companies see compliance with data protection as the biggest challenge when using new technologies.
Small and medium-sized companies in particular still feel overwhelmed by this and regard the proper storage of data as the biggest hurdle to introducing new HR systems such as SAP HCM. They often lack the know-how and personnel to build up their own competencies, or the budget to employ external consultants.
As a result, companies sometimes overreact to the GDPR and even stop operating websites. Many SMEs also find the information, documentation and disclosure requirements burdensome. Yet many software solutions already offer means for GDPR compliance themselves. This is especially true for SAP HCM.
The following five tips show companies how to make the best use of the HR solution from the leading German software company to comply with the GDPR:
1. Use SAP ILM
SAP Information Lifecycle Management (ILM) is one of the leading lifecycle management systems and is available free of charge with every ERP license from Walldorf. With the archiving objects contained in SAP ILM, it is easy to establish rules for retention and deletion periods in accordance with the General Data Protection Regulation.
Every applicant or former employee has the right to have their data deleted. Customer-specific requirements, such as different regulations for different company codes, or archiving objects for customer-specific or personal infotypes and tables, can also be mapped with SAP ILM.
2. Regularly analyze your HCM data
Analyzing the data from the respective SAP HCM system is very important in order to be able to prove completely that there is no misuse, even accidental misuse, because ignorance or oversight does not protect against punishment under the GDPR. EU lawmakers have been very strict about this. For the analysis of personal data from the HCM system, valantic people has developed the free “ILM Analyzer” and can also set it up on request so that all customer-specific requirements are met.
3. Place the right emphasis
With regard to the GDPR, it is important not to lose sight of the actual goal. This includes detailed information lifecycle management with a suitable concept for the timely deletion of the personal data of applicants and former employees.
During implementation, it is always important to consider your own requirements. In addition, comprehensive test runs are needed. Just as at Berlin’s capital airport BER, which currently employs thousands of extras, it is better to test once more than to have to check afterwards, which can be really expensive in the case of the GDPR and other guidelines.
4. Lock data before you delete it
Before you actually delete the data, you should first lock it with temporary permissions. Of course, this stands or falls with a coherent authorization concept. External specialists help with the implementation and examine existing concepts in order to supplement them, if necessary, with further permissions or technical points.
5. Always rely on full transparency
For your own SAP HCM system to withstand a review by the supervisory authorities, all processes, including data deletion, should be valid and transparently documented. This includes the time of data deletion, checking the deletion logs, acceptance and forms. It is also important to be able to provide complete information on when and how personal data was entered into the program, whether manually or by integrating job advertisements on relevant platforms.
Conclusion and Outlook
The protection of personal data is particularly important in human resources. As the leading outsourcing HR software, SAP HCM is GDPR compliant from the outset. However, Information Lifecycle Management (ILM), which is free of charge with SAP ERP, is a useful addition. To be absolutely sure, companies or their HR departments can have their HCM system set up by an expert or have it reviewed.
Consulting companies have the expertise in the field of human capital management to meet future requirements. Although the GDPR was already largely concluded in 2016 as an EU directive, it will remain a process, as the subsequent amendments and additions show. The same applies to country-specific data protection laws. Specialists will therefore continue to be needed to comply with all guidelines and laws in the field of HR/HCM software.
* Darko Kopcic is Sales Manager at valantic people and focuses primarily on topics related to human resources management.