“Before I started the first GDPR exercise, I asked my team whether we really needed the data we were collecting and storing”, says Remko Westerbeek, who used to be the global HR Manager of a multinational climate control company, and is now coaching business leaders on people aspects. “One of the classic items HR was saving was a copy of our collaborator’s ID. It is so evident to take a copy of the ID card of a new staff member, and save it in the company files, that no one still reflects on the why.”
Do we really need to save a copy of the ID card?
Westerbeek and his team did reflect on the why, and discovered no real need for keeping such a copy. “Of course, we kept asking to see the ID card. You do want to know whether the person in front of you really is who he or she claims to be. Only when you are sure about that person’s identity, you will give the person a badge, and all the access rights to the IT systems. Security first. But, later on, no one ever checks for the ID card again. So why go through all the trouble, and save a copy?”
Westerbeek saw the challenge of those ID card copies. “The issue is that you have to save them in a safe environment. Maybe scan them. And then take care of sufficient digital security. The copy of their ID card is a sensitive document for collaborators. When such a copy would be stolen or hacked, the employer image of your company could be hurt. So I preferred not to store it and that saved me a lot of time, worry, and budget.”
Will we remember the HR promises three years after one person leaves?
There is also the very slow workflow, which is a challenge. When putting a small line in the privacy statement saying “we will delete the data three years after you leave the company”, most HR people do not realize that they are creating obligations for the long term that are not easy to follow-up, mainly because they are in itself too small to remember.
“But, three years after a person leaves the company, HR has to follow-up on the deletion of that information. The question is, will they still remember this obligation in three years? And other questions will also arise then: where is the copy of the ID card? What’s the procedure? What files and systems should we be looking into?”
Although Westerbeek could have used the Idlegcy I.CNTRL.IT business solution for this slow workflow, he preferred not to have to bother about it at all. “And so, we avoided to save the copy of the ID card, and decided to only inspect it during the recruitment process.”
Related tips
How to find out what personal data companies store on you
Idlegcy defined four shades of privacy. Most people talk about documented privacy, when they talk about the GDPR initiatives of their organization. That is only the basic shade. There are three more shades.
Four shades of privacy – safe and win-win privacy are for business winners
Idlegcy defined four shades of privacy. Most people talk about documented privacy, when they talk about the GDPR initiatives of their organization. That is only the basic shade. There are three more shades.
GDPR should be about much more than penalties
The first penalties should not drive the attention away from the essence: GDPR is about a basic human right that individuals’ data should be treated with respect.