Ensuring GDPR compliance from a human resources perspective

12 July 2017 Consultancy.uk 5 min. read

GDPR has in recent months taken the headlines across media outlets, from technology and risk to compliance and human resources. With the new regulation now less than 12 months away, Julie Lock, Service Development Director at human capital consultancy MHR, looks at what GDPR is and what organisations should be doing from an HR perspective to ensure compliance.

For those organisations that are not planning to become GDPR ready, and for those that started their GDPR readiness work and then stopped when the Brexit result was announced, let's debunk the myth that leaving the EU means we do not need to be GDPR compliant. We do. The Queen referred to GDPR in her speech on 21 June 2017, stating: "To implement the General Data Protection Regulation and the new Directive which applies to law enforcement data processing, meeting our obligations while we remain an EU member state and helping to put the UK in the best position to maintain our ability to share data with other EU member states and internationally after we leave the EU."

From 25 May 2018 GDPR applies to any organisation established in the EU, and to any organisation outside the EU that processes the personal data of individuals in the EU in order to offer them goods or services or to monitor their behaviour. That leaves very few companies exempt from the obligations of the new regulation.

What questions should you and your HR team be asking?

HR teams hold and manage large amounts of employee information, almost all of it personal data. For GDPR readiness, organisations first need to assess whether all of the information held is actually necessary. There are a few questions to consider.

  • Do you know what personal data you process, and whether any of it falls into the special categories (sensitive data)?
  • What is your legal basis for processing each type of data?
  • How is it secured?
  • How long do you keep it, and on what basis?
  • If an employee invokes their right to erasure (the "right to be forgotten"), what is your plan?
  • How do you inform employees why you need specific information and what you are going to do with it?
  • Can you demonstrate that an individual's data has not been breached, and that appropriate safeguards are in place?

If you are not asking yourself these questions yet, now is the time to start.

Do you need a Data Protection Officer?

Public authorities, and private companies whose core activities involve regular and systematic large-scale monitoring of individuals or large-scale processing of special category (sensitive) data, are required to appoint a Data Protection Officer (DPO). The DPO's task is to inform and advise staff handling data on their GDPR obligations, to monitor compliance and to co-operate with the supervisory authority (the ICO in the UK). Data privacy experts are predicting a Europe-wide shortage of suitably skilled DPOs by the time the regulation comes into force in May 2018.

If your organisation is required to appoint a DPO, or would benefit from one, and you have yet to recruit, you need to act fast.

What about the data itself?

You also need to understand what personal data you process, why you process it, how and by whom it is processed and, importantly, the legal basis that justifies each processing activity. You must provide adequate GDPR training to staff who handle or manage personal data so that they can recognise and escalate a data breach, and you should carry out a maturity audit and implement its recommendations.

You also need to assess if you have:

  • Clear, concise and adequate privacy notices
  • A breach management strategy that meets the new mandatory reporting requirements (notification to the supervisory authority within 72 hours of becoming aware of a breach, where feasible, and to affected individuals where the risk to them is high)
  • The ability to fulfil data subject rights, including subject access requests and the withdrawal of consent
  • Data processing maps (records of processing activities) to demonstrate and manage privacy risk

Business readiness

With so many conflicting reports in the media about GDPR, MHR recently carried out a survey of Heads of HR, Payroll Managers, IT Directors and Financial Directors to determine GDPR readiness. The findings revealed that 68% of respondents had not yet received any GDPR awareness training, and 53% had yet to assess the need for, and appoint, a Data Protection Officer. Given the predicted shortage of suitable candidates for the DPO role, the longer organisations leave it to recruit, the harder the challenge will become for HR.

To summarise, there is still a fair amount of work to be done by organisations to ensure they are GDPR compliant. A maturity audit in the first instance will help to identify areas of concern and define the process changes needed. Organisations also need to equip staff through adequate GDPR training, bearing in mind that the largest share of reported breaches tends to be caused by human error.