March 29, 2019

GDPR: Who Does What?

by Jochem de Boer    

In an ever more digitalised labour market, protecting worker data can be complicated. When there are a number of different players involved in managing the talent supply line and total workforce, it can be even more confusing. As members of the World Employment Confederation (WEC) scratched their heads in response to client questions on the application of GDPR, they pooled their expertise and issued Guidelines determining roles and responsibilities for each party in the provision of HR services.


When the European General Data Protection Regulation (GDPR) came into force in May 2018, the World Employment Confederation (WEC) received signals from the market that HR services providers and their clients were uncertain as to their respective responsibilities regarding the protection of personal data. This led to two problems: firstly, players allocated responsibilities in ways that were detrimental to the protection of workers’ personal data, compliance with GDPR and a level playing field; and secondly, this uncertainty led to unnecessary burdens on the use and sharing of personal data to ensure the optimal deployment of talent.



Client becomes supplier?!


To compound things, national data protection authorities (DPAs) also started to weigh in. Suddenly, the Polish DPA thought that the client of an employment agency was a data processor on behalf of the employment agency, effectively meaning that the client was under the direct control of the employment agency with regard to the protection of personal data of the deployed agency workers. In short: the client would have become a data protection supplier to the employment agency.


This created further confusion, with the individuals involved effectively needing to know which party held their data and was responsible for it. The growing disarray also risked decreasing the use and acquisition of compliant HR service providers. In attempting to implement GDPR, national data protection authorities did not give adequate thought to the sound functioning of labour markets, services and regulation. This prompted WEC to act in order to ensure appropriate data processing within the HR services industry – not only to the benefit of the workers involved but also to safeguard the sector’s reputation as a responsible service provider.


Saving money and sleepless nights


WEC’s taskforce of data protection specialists drafted and established a guidance document to handle the allocation of roles and responsibilities with regard to data protection. ‘The WEC guidelines on the allocation of “Independent Controller” or “Processor” as HR-Provider’ provide a description of various well-known typical HR services, such as recruitment, agency work, career management, outplacement and different variations of total talent management (MSP, RPO and Vendor management). Based on these descriptions, roles and responsibilities with regard to data protection are allocated. This should support HR services providers and their clients in implementing the protection of workers’ data depending on the relationship in place.


By allocating this appropriately, parties reduce the risk of being accountable for each other’s (mis)management of personal data. They also ensure that each party defines its own purposes and grounds for the personal data it wishes to collect and use. Assessing the use of personal data is clearly a goal for lawmakers, DPAs and GDPR. It allows for the identification of data one doesn’t need – which is beneficial for two reasons. Firstly, you do not have to worry about losing, managing, or securing data you do not have; secondly, you do not have to spend vast resources on it. So, getting GDPR right saves both money and sleepless nights.


High-level versus tailored


The GDPR is a broad, high-level Regulation, which does not provide concrete guidance for all situations and sectors. With its own guidance, WEC hopes to support the protection of labour market personal data and compliance with GDPR. Obviously, these guidelines have no legal value, and the actual provision of services on the ground determines the compliant allocation of responsibilities. Our GDPR guidance should in no way hamper clients and HR providers in tailoring their relationships in a way that optimises the Human Resource needs of clients. Instead, the guidelines serve to promote and support an informed conversation on the allocation of data protection responsibilities between clients and HR providers. They also seek to show regulators where labour market services and data protection intersect and hence serve to ensure the protection of personal data.


As labour market personal data is ever more digitized, the risks related to its use or disappearance are of growing concern. Employers and HR providers have a responsibility to ensure the confidentiality of workers and society. Taking on board the adequate and compliant protection of personal data in the delivery and procurement of HR services makes common sense and is a necessary step. The World Employment Confederation supports this and is working to ensure personal data is leveraged to the benefit of both workers and businesses.


Jochem de Boer    

Global Public Affairs Manager, World Employment Confederation

@JochemPdeboer

