It is extremely important for HR departments to provide a sense of trust to current and former employees, as well as applicants. Protecting personal data is a core commitment of every HR professional.
Chances are you’re well aware of the General Data Protection Regulation (GDPR) requirements and have probably taken the first steps toward compliance. But considering the scope and complexity of the GDPR compliance process, it’s not surprising to see organizations overlook some business areas during the process, especially their website.
A case of “can’t see the forest for the trees”?
HR departments everywhere are prioritizing internal policies and processes in a quest to become EU-data compliant. However, external-facing components like the corporate website are being neglected. All the focus and effort put into tightening up systems to protect employee privacy could be overshadowed if your corporate website contains personal employee data and you’re not aware of it.
This really is a case of “can’t see the forest for the trees”. When it comes to your website, chances are good that there’s a lot more personal employee data floating around than you realize—think forgotten web pages, image data, meta descriptions, PDF documents, etc. And fixing this should be a priority that is at least on par with having solid internal processes aimed at protecting your employee data.
“The Right To Be Forgotten” Applies to Your Website, Too
Let’s say an employee decides to upload a PDF file to your company’s website. That file contains information about the person who created and edited it, hidden away in the metadata. Once this file is uploaded, that information becomes visible to anyone with access to your website. If this employee decides to exercise the right to be forgotten, you will need to delete all personal data from all your systems—including your website.
At first glance, this seems like a manageable task: it’s hard to picture a corporate website containing employees’ personal data. But corporate websites contain far more than you probably realize.
Let’s take an example of our own: Lisa Marchand is a content strategist at Siteimprove who’s been working for the company for 18 months. In that timeframe, she’s written nine blog posts. Logically, her name is mentioned in these nine blog posts, and it can also be found on our Meet the Team page where all employees are listed. If Lisa exercises her “right to be forgotten” and requests her personal data be deleted from all our systems, we would have to ensure her name is deleted from the website as well. Considering the blog posts she’s written plus the Meet the Team page, you would assume her name is mentioned around ten times on our website.
However, we can currently find 361 instances where her name is mentioned somewhere on our corporate website—in the blog posts, but also hidden within HTML markup, metadata, and various files. And under the GDPR, personal data is regulated in all these areas.
It’s hard to imagine that locating and deleting her name from our website is a task that can be done manually. Employee names are just an example; credit card numbers, ID numbers, or contact details are more critical data types also found on websites. While having certain employee data on your website is not necessarily dangerous, knowing where this data lives is crucial in order to meet certain GDPR requirements, such as the ability to respond to data subjects’ rights requests.
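To make the "361 instances" point concrete, here is an added example (not Siteimprove's product code) of a small inventory script that locates a name in the places this post mentions: visible page text, hidden HTML attributes such as meta descriptions and image alt text, and the Info dictionary of a PDF. The HTML page and the PDF bytes are constructed samples; the paths are hypothetical, and only literal-string PDF metadata is parsed (real documents may also carry XMP metadata).

```python
"""Inventory where a person's name appears across website artifacts (added example)."""
import re
from html.parser import HTMLParser

class _NameFinder(HTMLParser):
    """Records hits separately for visible text and for tag attributes (meta, alt, ...)."""
    def __init__(self, name):
        super().__init__()
        self.name = name.lower()
        self.hits = []          # list of (location, snippet)

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:          # hidden data: content="...", alt="..."
            if value and self.name in value.lower():
                self.hits.append((f"<{tag} {attr}>", value))

    def handle_data(self, data):           # visible text between tags
        if self.name in data.lower():
            self.hits.append(("text", data.strip()))

def find_in_html(html, name):
    parser = _NameFinder(name)
    parser.feed(html)
    return parser.hits

def find_in_pdf_info(pdf_bytes, name):
    """Scan literal-string entries of the PDF Info dictionary (/Author, /Creator, ...)."""
    pattern = rb"/(Author|Creator|Producer|Title|Subject)\s*\((.*?)\)"
    return [("/" + key.decode(), value.decode("latin-1"))
            for key, value in re.findall(pattern, pdf_bytes)
            if name.lower().encode() in value.lower()]

def scan_site(name, html_pages, pdf_files):
    """Return (path, location, snippet) for every hit across pages and documents."""
    hits = [(p, loc, snip) for p, h in html_pages.items() for loc, snip in find_in_html(h, name)]
    hits += [(p, loc, snip) for p, b in pdf_files.items() for loc, snip in find_in_pdf_info(b, name)]
    return hits

# Constructed sample inputs: one blog page and one uploaded PDF.
SAMPLE_HTML = """<html><head><title>Blog</title>
<meta name="author" content="Lisa Marchand">
<meta name="description" content="Nine posts by Lisa Marchand on content strategy">
</head><body><img src="/img/team.jpg" alt="Lisa Marchand at the office">
<p>Written by Lisa Marchand, content strategist.</p></body></html>"""
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"3 0 obj << /Title (Q3 Report) /Author (Lisa Marchand) /Creator (Word) >> endobj\n"
              b"trailer << /Root 1 0 R /Info 3 0 R >>\n%%EOF")

if __name__ == "__main__":
    for path, loc, snip in scan_site("Lisa Marchand", {"/blog/post.html": SAMPLE_HTML},
                                     {"/docs/report.pdf": SAMPLE_PDF}):
        print(f"{path:18} {loc:20} {snip}")
```

Of the five hits on the two sample files, only one is visible page text; the rest sit in attributes and document metadata that a manual review of the rendered page would miss.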
Stop the Tedious Tasks
Finding specific instances of personal information upon request or seeking out data when someone makes a demand to “be forgotten” is a tedious and time-consuming task. However, this is necessary if you want to have full control over your employees’ data and meet GDPR requirements. The good news is that automation can be of great help here.
Siteimprove GDPR can help round off your compliance process by making it easy for you to control, monitor, and protect personal data on your websites. Instantly searching for and finding specific data like names or ID numbers across your websites minimizes the risk of fines, and sets your organization on the way to GDPR compliance.
Ana Urcelay Lorenzo is the product marketing specialist for Security at Siteimprove. She collaborates closely with every department to understand the ins and outs of GDPR and its impact on organizations' websites.