GDPR for HR


Any organisation which fails to comply with General Data Protection Regulation (GDPR) rules risks substantial fines and reputational harm. HR departments, in particular, operate under substantial responsibilities to ensure organisational data protection obligations are met.

In this guide, we discuss seven key steps for HR functions to ensure GDPR compliance through effective and robust data protection systems, practices and processes.

GDPR personal data rights

GDPR affords all individuals, known as ‘data subjects’, the following rights regarding their personal data:


  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling


Your organisation must actively record and be able to demonstrate its compliance with GDPR rules when processing personal data (the ‘accountability’ principle). ‘Processing’ personal data covers almost anything done with it: collecting, recording, storing, consulting, using, disclosing, sharing and erasing personal information.

HR professionals typically handle a vast amount of personal data across the employee lifecycle, from job applicants to current and former employees. This data varies significantly and may include attendance details, sickness absence, performance history, notes made during recruitment and sensitive personal data (‘special category data’ under GDPR) such as information about race, ethnicity, religion, sexual orientation and medical history, as well as criminal record information.

GDPR for HR Step 1: Assign data governance duties

Under Article 37 of the GDPR, an organisation must appoint a data protection officer (DPO) if it is:

  • A public authority or body (other than a court acting in its judicial capacity)
  • An organisation whose core activities require regular and systematic monitoring of individuals on a large scale
  • An organisation whose core activities consist of large-scale processing of special category data (such as health, race or religion) or criminal offence data

Organisations outside these categories may still appoint a DPO voluntarily; if they do, the DPO carries the same statutory duties. Whether or not a DPO is required, someone must own data protection compliance for HR data. Depending on the size of your organisation’s HR department, this may mean delegating data privacy tasks to one or two staff members or to an entire team. Either way, establish a clear leadership structure within your data management team so that all duties are fulfilled and accountability is possible.

GDPR for HR Step 2: Lawful processing and data minimisation

Compliance with GDPR for HR depends on every processing activity being ‘lawful’, meaning it rests on at least one of the six lawful bases set out in Article 6 and listed below. Remember that simply holding data is a processing activity. Note also that a lawful basis alone is not enough for special category data (such as health, race, ethnicity, religion, trade union membership or sexual orientation) or criminal offence data: these also require a separate condition under Article 9 or Article 10 (in the UK, supplemented by Schedule 1 of the Data Protection Act 2018), for example the condition covering obligations under employment law.

Consent

Consent can be a lawful basis for processing, provided the data subject knows precisely what they are consenting to and the consent is given for a specific processing activity. They must be told clearly and unambiguously which data you are using and what you intend to do with it. ‘General’ consent is not valid; it is not enough for the data subject to agree to any and all processing an organisation might undertake. Consent must also be freely given and as easy to withdraw as it was to give. For that reason, consent is rarely an appropriate basis in the employment relationship: the imbalance of power between employer and employee means consent is unlikely to be freely given, and an employee who withdraws consent leaves you with no basis to continue processing. Rely on consent only for genuinely optional processing (for example, publishing a photograph in a staff newsletter), and on one of the other bases for core HR activities.

Contractual necessity

Data can be lawfully processed where it is necessary to enter into a contract with the data subject or to perform that contract (e.g. collecting bank details to pay salary under an employment contract). GDPR recognises that an employment relationship cannot be entered into or performed without exchanging personal data. The test is necessity: processing that is merely useful or convenient does not qualify.

Legal obligations

Data may be processed lawfully where the organisation is subject to a legal obligation that requires it (e.g. retaining right-to-work check records, reporting pay and tax to HMRC, or disclosing data under a court order). The obligation must arise from law, not merely from a contract.

Vital interests

‘Vital interests’ can justify processing where it is necessary to protect someone’s life, not only the data subject’s (e.g. sharing an employee’s medical history with paramedics treating them for life-threatening injuries). This basis is reserved for emergencies and cannot be used for routine HR processing.

Public task

Personal data can be lawfully processed where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the organisation (e.g. a public body processing staff data to carry out its statutory functions). This basis is mainly relevant to public authorities and others exercising public functions.

Legitimate interests

An organisation may process personal data where it is necessary for its ‘legitimate interests’ (or those of a third party), unless those interests are overridden by the interests or fundamental rights and freedoms of the data subject (e.g. preventing or detecting fraud, or administering a staff directory). Document the three-part test behind each use: identify the interest, show that the processing is necessary for it, and balance it against the individual’s rights. Public authorities cannot rely on this basis for processing carried out in the performance of their public tasks.

To ensure all existing data you hold and any new data you collect is processed lawfully, consider organising an HR data audit. Create a register with a category for each type of data you hold (for instance, recruitment, current employees, former employees). Within each category, list which data you hold, how and where it is stored, who has rightful access to it (including any third-party processors, such as payroll providers), the lawful basis for holding it and how long you will retain it. This register also serves as the record of processing activities that Article 30 requires most organisations to maintain.

At this stage you should apply ‘data minimisation’: securely dispose of any personal data for which you no longer have a lawful basis or which you no longer need for the purpose it was collected, and stop collecting data you cannot justify.

GDPR for HR Step 3: Privacy information

Every person has the legal right to know why you are requesting certain information and what you intend to do with it. Individuals from whom you collect personal data must be informed:


  • Why you are collecting the information
  • What will happen to the information
  • Who will have access to the information

This is known as ‘privacy information’. You have a responsibility to provide data subjects with privacy information whenever you collect personal data. Where you collect the data directly from the individual (for example on an application form), the information must be given at the point of collection. Where you obtain the data from another source (for example a reference from a previous employer or a background-screening provider), you must provide it within a reasonable period and no later than one month after obtaining the data, or at the time of first contact or first disclosure to a third party if that comes sooner. Ensuring your organisation’s privacy information is complete and up to date is a vital step in achieving GDPR compliance.

Privacy information must be detailed yet concise and easy to understand. Include the following when writing up privacy information templates for data subjects:

  • The name and contact details of your organisation and, if applicable, the name and contact details of your data protection officer.
  • The purpose of, and lawful basis for, each processing activity (and, where you rely on legitimate interests, what those interests are).
  • The recipients or categories of recipients of the data, including any third-party processors.
  • Any transfer of the data outside the UK or EEA and the safeguards relied on.
  • The length of time the data will be held, or the criteria used to decide that period.
  • The data subject’s rights regarding processing, including their right to withdraw consent (where consent is the basis) and to complain to the supervisory authority (the ICO in the UK).
  • If applicable, a statement that the data subject is legally or contractually obliged to provide the data, and the consequences of not doing so.
  • Where the data was not obtained from the data subject, the source of the data.
  • Whether any automated decision-making, including profiling, takes place, and the logic and consequences involved.

It can be helpful to draw up a summarised version of this privacy information for use on recruitment forms. This would include pointing data subjects toward full privacy information which is not featured in the summary.

GDPR for HR Step 4: Review policies and employment contracts

If you have not already done so, draw up a revised data protection policy that sets out data subjects’ rights, the standards staff must follow when handling personal data, and the disciplinary consequences of breaching them. Then update your employment contracts and other data collection documents to include your new privacy information. As part of this organisation-wide update, review IT security measures and policies (access controls, encryption of HR records, secure disposal) and devise or review your ‘subject access request’ documents.

GDPR for HR Step 5: Accommodation of data subject rights

Any person for whom you hold personal data has a right to access that information (a subject access request, or SAR). Data subjects may also ask you to rectify inaccurate data, to erase data in certain circumstances (for example where it is no longer needed for the purpose it was collected, or where they withdraw consent and no other basis applies) or to restrict processing, subject to any legal obligation you have to retain the data. You must respond without undue delay and within one month of receipt, extendable by up to two further months where requests are complex or numerous, and normally free of charge. Your HR department should therefore develop systems and procedures to handle these requests, including an access request form, a log of requests and deadlines, and a defined process for locating data across HR systems, e-mail and paper files.

GDPR for HR Step 6: Develop a personal data security breach procedure

GDPR rules require organisations to report a personal data breach to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Where the breach is likely to result in a high risk to the individuals concerned, you must also inform them without undue delay so that they can protect themselves, for example by changing passwords or watching for identity fraud. A ‘breach’ is any incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data: a misdirected e-mail containing payroll data or a lost unencrypted laptop counts, not only an external attack.

To ensure personal data breaches are detected as early as possible, organisations should develop and implement robust breach-detection systems. You must also have an established internal procedure which allows all employees to report suspected breaches quickly and effectively, as they occur, since the 72-hour clock starts when the organisation becomes aware, not when the report eventually reaches the DPO. Make sure the reporting procedure sets out how to contact the data protection authority. Note that all data breaches must be recorded internally, with the facts, their effects and the remedial action taken, even if it is not deemed necessary to report them to the authority.

GDPR for HR Step 7: Implement staff training

Having developed appropriate systems and procedures to ensure GDPR compliance at all stages of processing, your final provision should be a company-wide staff training programme. Not all departments and employees have the same exposure to personal data, so different levels of training will be appropriate: HR, payroll and line managers who handle employee records need more than general staff. Basic data protection awareness should also form part of induction for new employees, and training should be refreshed periodically, with attendance recorded as evidence of accountability. Design the training so that all employees understand the organisation’s GDPR obligations, the penalties for non-compliance, how to recognise a subject access request, and the procedure they must follow when reporting a possible data breach.

Need assistance?

GDPR presents an area of acute risk for employers who typically handle and store extensive personnel-related data. Ensuring compliance is critical to avoid ICO scrutiny, financial penalties and negative press attention.

DavidsonMorris are experienced human resource professionals, and we understand the challenges of driving forward key HR initiatives against the day-to-day demands of workforce management. We provide HR consultancy services to organisations in support of HR departments, delivering specialist expertise and guidance in areas such as data protection, enabling the internal HR function to focus on the organisation’s strategic and transactional people needs.

If you have a question or need advice on any aspect of GDPR compliance for HR, contact us.

GDPR for HR FAQs

What is the GDPR, and why is it important for HR?

The GDPR (General Data Protection Regulation) is the EU regulation governing the processing of personal data. In the UK it applies as the ‘UK GDPR’, retained after Brexit and supplemented by the Data Protection Act 2018. For HR, it is crucial because it sets strict rules on how applicant, employee and former-employee data must be handled, ensuring privacy and protecting the rights of individuals.


Do we need employee consent to process their data?

Not always. While consent is one lawful basis for processing data, HR departments often rely on other bases such as fulfilling contractual obligations, complying with legal requirements, or pursuing legitimate business interests.


How should HR handle employee requests to access their data?

Employees have the right to request access to their personal data, known as a Subject Access Request (SAR). HR should respond without undue delay and within one month of receipt, extendable by up to two further months for complex or numerous requests, providing a copy of the data along with details of the purposes of processing, the recipients, the retention period and the source of the data. Requests need not be in writing or mention GDPR to be valid, so train managers to recognise and escalate them.

What steps should we take in the event of a data breach?

In the event of a data breach, HR must act quickly to contain the breach, assess the risk to the individuals affected, mitigate harm, and report it to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals’ rights and freedoms. Where the risk is high, the affected individuals must also be told without undue delay. Every breach should be recorded internally, whether or not it is reported.

How long should we retain employee data?

GDPR requires that personal data should not be kept longer than necessary. HR should establish clear data retention policies, keeping data only for as long as it is needed for legal, regulatory, or business purposes.


What are Data Protection Impact Assessments (DPIAs), and when are they needed?

A DPIA is a process used to identify and minimise the data protection risks of a project. HR should conduct a DPIA before starting any processing that is likely to result in a high risk to individuals’ rights and freedoms, such as implementing new HR software, introducing systematic employee monitoring, or processing special category data on a large scale. If the DPIA shows a high residual risk that cannot be mitigated, you must consult the ICO before proceeding.

Is it mandatory for HR staff to undergo GDPR training?

While not legally required, it is highly recommended. GDPR training helps ensure that HR staff understand their responsibilities under the regulation, reducing the risk of non-compliance and data breaches.


Can we monitor employee activities under GDPR?

Yes, but with caution. Monitoring must be proportionate, transparent and necessary for a legitimate purpose, and a less intrusive alternative should be preferred where one exists. Employees should be informed about what monitoring is taking place, why it is necessary and how their data will be used; covert monitoring is justifiable only in exceptional cases, such as a specific criminal investigation. Systematic monitoring is likely to be high-risk processing, so carry out a DPIA before introducing it.

What should we include in our GDPR compliance policies for HR?

GDPR compliance policies for HR should cover data processing practices, employee rights, data retention, breach response procedures, and the lawful bases for data processing. Clear documentation and regular reviews are essential to maintain compliance.


Glossary

GDPR (General Data Protection Regulation): The EU regulation governing the processing of personal data; the UK applies a retained version, the UK GDPR, alongside the Data Protection Act 2018.
Personal data: Information relating to an identified or identifiable living individual, such as names, addresses and employee records.
Data subject: The individual whose personal data is being processed, e.g. employees in the context of HR.
Data controller: The entity (e.g. a business or organisation) that determines the purposes and means of processing personal data.
Data processor: A third party that processes personal data on behalf of the data controller (e.g. a payroll bureau), under a written contract meeting the requirements of Article 28.
Lawful basis for processing: The legal ground under which personal data can be processed. The six bases are consent, contract, legal obligation, vital interests, public task and legitimate interests.
Subject access request (SAR): A request made by a data subject to access the personal data held about them by an organisation. The organisation must respond within one month, extendable by up to two further months for complex requests.
Data breach: A security incident where personal data is accidentally or unlawfully destroyed, lost, altered, disclosed or accessed without authorisation, potentially compromising the data subject’s privacy.
Data protection impact assessment (DPIA): A process designed to help organisations identify and minimise data protection risks, required before high-risk processing activities.
Consent: A freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of their personal data.
Right of access: The right of data subjects to obtain confirmation that their data is being processed, a copy of their personal data, and other supplementary information.
Right to rectification: The right of data subjects to have inaccurate personal data corrected or completed if it is incomplete.
Right to erasure (right to be forgotten): The right of data subjects to have their personal data deleted in certain circumstances, for example when it is no longer necessary for the purpose it was collected, or when they withdraw consent and no other lawful basis applies.
Legitimate interests: A lawful basis for processing where the data controller has a legitimate reason to process data, balanced against the individual’s rights and interests.
Information Commissioner’s Office (ICO): The UK’s independent supervisory authority set up to uphold information rights, including data protection under the UK GDPR and the Data Protection Act 2018.
Data retention policy: A policy that dictates how long personal data should be kept before it is securely deleted, in accordance with legal and regulatory requirements.
Transparency: A principle under GDPR requiring organisations to be open and clear with individuals about how their data is being used and processed.
Accountability: The principle that requires organisations to be able to demonstrate compliance with GDPR obligations, through documentation, policies and records.


Author

Founder and Managing Director Anne Morris is a fully qualified solicitor and trusted adviser to large corporates through to SMEs, providing strategic immigration and global mobility advice to support employers with UK operations to meet their workforce needs through corporate immigration.

She is recognised by Legal 500 and Chambers as a legal expert and delivers Board-level advice on business migration and compliance risk management, as well as overseeing the firm’s development of new client propositions and the delivery of cost- and time-efficient processing of applications.

Anne is an active public speaker, immigration commentator and immigration policy contributor, and regularly hosts training sessions for employers and HR professionals.

About DavidsonMorris

As employer solutions lawyers, DavidsonMorris offers a complete and cost-effective capability to meet employers’ needs across UK immigration and employment law, HR and global mobility.

Led by Anne Morris, one of the UK’s preeminent immigration lawyers, and with rankings in The Legal 500 and Chambers & Partners, we’re a multi-disciplinary team helping organisations to meet their people objectives, while reducing legal risk and nurturing workforce relations.


Legal Disclaimer

The matters contained in this article are intended to be for general information purposes only. This article does not constitute legal advice, nor is it a complete or authoritative statement of the law, and should not be treated as such. Whilst every effort is made to ensure that the information is correct at the time of writing, no warranty, express or implied, is given as to its accuracy and no liability is accepted for any error or omission. Before acting on any of the information contained herein, expert legal advice should be sought.
