What Does GDPR Mean for HR?


In just a couple of months’ time, on May 25th 2018, the EU will implement its General Data Protection Regulation (GDPR), governing the way in which businesses obtain and store personal data on their employees. Regardless of the outcome of ongoing Brexit negotiations, the UK must comply with the new legislation as it will still be a part of the bloc at the time of implementation.

As those likely to be held principally responsible for ensuring compliance with GDPR, the HR department and their processes will be affected in a number of ways. First and foremost, HR will have to analyse existing data protection practices within the company and identify any potential areas of concern. These are most likely to fall under the following categories:

1. Consent

While businesses have been required to obtain permission to store personal data for many years, the new legislation requires that such consent be “specific, informed and unambiguous”. This will most likely mean that any contracts or consent forms you currently use should be reworded to make your intentions explicitly clear. Furthermore, employees will also be afforded the opportunity to withdraw their consent at any time, meaning your internal systems must be capable of dealing with such demands.

2. Purpose

The aforementioned rewording of contracts and consent forms should also include the explicit purpose for which the data is being collected and/or stored, and the employer will now be legally prohibited from using that information for any other purpose.

3. Requests

Employees must also be informed that they are entitled to access any data which the company holds on them. This can be done by submitting a Subject Access Request (SAR), and from the introduction of GDPR onwards, will be free of charge (the previous maximum fee of £10 per request has now been waived).

4. Retention

Companies will not be allowed to store information for longer than is strictly necessary. This means that all potential employee info from unsuccessful candidates must be deleted after the recruitment process is complete – unless specific consent to retain it has been obtained. Similarly, temporary or outgoing employee information must also be deleted.

5. Security

All data stored by the company must be safeguarded appropriately; this means encrypting all data where possible and only sharing with those members of the company on a need-to-know basis. If using any external third parties to store or transmit data, it is the responsibility of the company to ensure the third party has relevant security measures in place.

6. Breaches

After the introduction of GDPR, all breaches of data security must be reported to the individual in question within 72 hours of the breach being identified. If your business stores a significant amount of sensitive data, it may be necessary to appoint a Data Protection Officer to oversee security and prevent any breaches from occurring.

7. Review your HR department today

Businesses found to be in violation of the new rules can face fines of up to €20 million (£17.7 million) or 4% of annual turnover (whichever is greater). Clearly, there is a lot at stake and it’s imperative you ensure your HR department is up to speed when it comes to preparing for GDPR.

For advice on improving your HR services and bringing your in-house practice into line with the new legislation, get in touch with us today.