Really – Data Protection for HR? A Challenge for the HR Professional

Data Protection Premiere

Written by Carolyn Wilson

The Data Protection Act 2024 (DPA) is now in effect, and all companies must comply with its requirements or face serious consequences, including substantial fines and potentially a loss of credibility and reputation.

But surely, data protection is about customer data – so why are we talking about data protection for HR?

A significant amount of protected data is gathered throughout the employee lifecycle – from recruitment through to an employee’s exit and even after they’ve left. This includes personal data such as names, dates of birth, qualifications, and work performance, as well as sensitive information like medical records, payroll details, and identification. The information isn’t only collected from employees, but also from past employees, candidates, consultants, and temporary workers – and all of it is covered by the new DPA. Therefore, the HR department or individual responsible for handling this information plays a crucial role in protecting it – whether it is in physical or electronic form – and ensuring its accuracy and security.

It is worth noting that the new Commission for Data Protection has not yet provided specific guidance on what organisations must do, or how provisions should be interpreted. However, it is reasonable to look at how data is managed in countries with more mature data protection frameworks. While our DPA is not a replica of POPIA or the GDPR, best practices can be adopted from them.

Who is responsible for data protection and privacy, and what are the challenges for HR?

Firstly, the responsibility lies with every HR professional. They need to understand their duties in handling and sharing data – whether in a large or small organisation – and ensure they are complying with DPA requirements.

As HR professionals, we collect a substantial amount of personal data. Walk into any HR office and you’ll likely find a cabinet – physical or digital – full of personal information on both current and past staff. This data helps ensure staff are paid correctly, receive benefits, and meet legal requirements. However, do we need all this data? Have we considered how long it’s stored, how it’s shared internally, or how it’s disclosed to third-party organisations? Under the new DPA, these are just a few of the factors we need to assess.

The DPA emphasises knowledge, protection, minimisation, and reasonableness. Let’s consider the types of data collected during typical HR processes in the employee lifecycle.

Recruitment and Selection
Candidates usually submit CVs, cover letters, and copies of qualifications. The HR department must consider how this data is used, shared internally, and how long it is retained.

Onboarding
A wide range of data is collected during onboarding – some of it falls under the DPA’s definition of ‘sensitive data’, such as medical aid applications, banking details for payroll, and signed contracts. HR must consider how this data is gathered, how it is shared, and with whom. A key principle of the DPA is that employees must be informed about what data is collected, how it will be used, with whom it will be shared, and how long it will be retained. HR should therefore assess whether contracts need to be revised or whether addenda are necessary.

Third-Party Service Providers
If you use third parties – such as medical aids, insurance firms, payroll services, or consultants handling work and residence permits – do you understand the role each one plays in terms of DPA compliance? How is employee data processed and stored by these providers?

Learning and Development
Training and development involves collecting personal information for course registration, applications for HRDC reimbursements, and records of additional qualifications. How is this information handled in your organisation?

Performance Management
Whether through routine performance reviews or in disciplinary or grievance procedures, more personal data is collected. What information are we storing, and is it necessary? How is it stored, who has access, and who needs to see it – e.g. line managers?

Separation
When an employee leaves, questions arise: What information should be retained, for how long, and what should be securely destroyed?

All of these situations present challenges for HR practitioners to critically assess which data is essential for operations and what is being stored simply because “that’s how we’ve always done it”.

Other challenges include:

  • Understanding the purpose of retaining personal data and ensuring compliance with the new Act.
  • Securely disposing of personal or sensitive data that is no longer needed.
  • Informing current and future employees about how their data is used, stored, and protected.
  • Updating existing HR processes such as contracts, policies, onboarding and offboarding procedures.
  • Preparing to handle employee data requests – can you quickly identify all relevant records?
  • Knowing with whom the data is shared, and how it is stored, protected, and processed.

For organisations using HRIS systems or transferring data across borders to regional or head offices, an entirely new set of considerations arises.

If your HR systems are disjointed or siloed, this can lead to inefficiencies and compliance risks. HR professionals must understand the new law’s requirements and ensure they comply. As custodians of employee data, HR must lead by example in protecting personal data.

Speak to Premiere if you need assistance in mapping your data or processes, identifying gaps and touchpoints, and determining how best to comply with the new Data Protection Act.

Download our FREE 6-Point Plan for HR Practitioners here.

To learn more, contact us on 395 2878, via WhatsApp on 72113460, or via email: hr@premiere.co.bw
