Personnel Today

GDPR: Compliance cheat sheet for HR departments

by Agata Nowakowska 3 Sep 2018

HR can play an important part in ensuring compliance with the GDPR, helping to avoid thousands of pounds in fines for data breaches. Agata Nowakowska reminds employers of the day-to-day changes that need to be made, if they have not already done so.

Since the General Data Protection Regulation (GDPR) was introduced on 25 May there has been a sharp increase in complaints to regulators. According to law firm EMW, the Information Commissioner’s Office received 6,281 breach notifications between 25 May and 3 July – an increase of 160% on those received in the same period in 2017.

For organisations that are not yet compliant, a GDPR fine is a significant risk. Unfortunately for HR departments, many of the changes that need to be made fall on their shoulders.

One of the biggest challenges for HR professionals, especially those who deal with job applicant data, is ensuring that the organisation has clear consent from the data subject. Consent must be an active and affirmative action by the individual, not a passive or tacit acceptance. The individual can withdraw consent whenever they see fit, which complicates matters further.

Controllers must keep a log of when consent was given and when it was rescinded. A quick win is to eliminate pre-agreed options from company literature and instead obtain unequivocal consent from the individual.
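One way to keep such a log is an append-only ledger of grant and withdrawal events, from which "is consent in force right now?" and "what did this subject consent to, and when?" can both be answered. The code below is an added illustration in Python; it is not from the article or from Skillsoft. The subject identifiers, purposes, timestamps and the 365-day retention period are made-up assumptions, and an empty record is treated as no consent, which is the "no pre-agreed options" rule expressed in code.

```python
"""Consent ledger: records when consent was given and when it was withdrawn.

Added illustration (not from the article). All identifiers, purposes and
timestamps are constructed sample values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed retention period for applicant data; a real value comes from policy.
DEFAULT_RETENTION = timedelta(days=365)


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str   # applicant or employee identifier (assumed pseudonymous)
    purpose: str      # e.g. "recruitment", "talent-pool"
    granted: bool     # True = consent given, False = consent withdrawn
    at: datetime      # when the event happened (timezone-aware)
    source: str       # how it was captured: form version, request channel, etc.


class ConsentLog:
    """Append-only log. Events are never edited or deleted, so the record of
    when consent was given and rescinded can always be produced on request."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def _record(self, subject_id: str, purpose: str, granted: bool,
                at: datetime, source: str) -> ConsentEvent:
        if at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        event = ConsentEvent(subject_id, purpose, granted, at, source)
        self._events.append(event)
        return event

    def grant(self, subject_id: str, purpose: str, at: datetime, source: str) -> ConsentEvent:
        return self._record(subject_id, purpose, True, at, source)

    def withdraw(self, subject_id: str, purpose: str, at: datetime, source: str) -> ConsentEvent:
        return self._record(subject_id, purpose, False, at, source)

    def has_consent(self, subject_id: str, purpose: str, at: Optional[datetime] = None) -> bool:
        """Is consent in force for this subject and purpose at time `at`?

        The answer is the most recent grant/withdraw event on or before `at`.
        With no recorded event the answer is False: absence of a record is
        never treated as consent.
        """
        when = at or datetime.now(timezone.utc)
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose and e.at <= when]
        if not relevant:
            return False
        return max(relevant, key=lambda e: e.at).granted

    def history(self, subject_id: str) -> list[ConsentEvent]:
        """Every consent event for one subject, oldest first: the material a
        subject access request would need to disclose."""
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.at)

    def due_for_disposal(self, purpose: str, now: datetime,
                         retention: timedelta = DEFAULT_RETENTION) -> set[str]:
        """Subjects whose data for `purpose` should be disposed of: consent has
        been withdrawn, or the last grant is older than the retention period."""
        subjects = {e.subject_id for e in self._events if e.purpose == purpose}
        due: set[str] = set()
        for s in subjects:
            if not self.has_consent(s, purpose, now):
                due.add(s)
                continue
            last_grant = max(e.at for e in self._events
                             if e.subject_id == s and e.purpose == purpose and e.granted)
            if now - last_grant > retention:
                due.add(s)
        return due


# Constructed sample data: a fixed reference time plus an offset in days.
SAMPLE_T0 = datetime(2018, 6, 1, 9, 0, tzinfo=timezone.utc)


def sample_time(days: float) -> datetime:
    return SAMPLE_T0 + timedelta(days=days)


def build_sample_log() -> ConsentLog:
    """Three made-up applicants; applicant-002 withdraws consent after 30 days."""
    log = ConsentLog()
    log.grant("applicant-001", "recruitment", sample_time(0), "application-form-v3")
    log.grant("applicant-002", "recruitment", sample_time(2), "application-form-v3")
    log.withdraw("applicant-002", "recruitment", sample_time(30), "email-request")
    log.grant("applicant-003", "talent-pool", sample_time(5), "careers-portal")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    for e in log.history("applicant-002"):
        print(e.at.isoformat(), "GRANT" if e.granted else "WITHDRAW", e.purpose, e.source)
    print("due for disposal:", sorted(log.due_for_disposal("recruitment", sample_time(40))))
```

The `has_consent` check takes an `at` argument so the question "did we have consent when we processed this record?" can be answered after the fact, which is what an investigation into a complaint needs; `due_for_disposal` ties the same ledger to the data-retention question raised later in the article.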

Beyond consent

But the impact for HR goes beyond consent at the application stage. HR departments work with all types of data, not just from current employees but former and prospective ones too.

Often, information will arrive electronically, via online forms or emailed documents, but paper filing is still commonplace. It is important to account for hard copies and deal with any non-compliant paperwork immediately – this typically means disposal. Organisations should also consider moving away from paper-based documents altogether.

HR departments should focus on training to mitigate legal, financial and reputational risks. Not only will training mean employees are aware of how personal data should be handled, but it will increase accountability.

While the above measures are important, there are several more pressing concerns that HR departments need to resolve. These are:

  • Recruitment – Do applicants receive an appropriate privacy notice, detailing how, why and what their data will be used for? Is the data collected absolutely necessary? Are background checks proportionate and carried out only once a job offer has been made?
  • Subject access – Is the organisation’s procedure robust enough to manage access requests? Can it disclose these transparently?
  • Impact assessments – Does the organisation have a procedure in place to review the impact a new project or activity would have on data security and privacy? Is the project at risk of contravening the data subject’s rights or the GDPR as a whole?
  • Data retention – As per the principle of data minimisation, can any data held on file be disposed of? Is the wider company aware of where data may be held, and therefore liable under GDPR?
  • Third parties – Does the company work with any third parties? Are they compliant? Do contracts expressly outline the limits and responsibilities of each party under GDPR?

Is a data protection officer necessary?

Employing a data protection officer (DPO) is definitely a positive step towards GDPR compliance, but only certain organisations are obliged to do so. The DPO need not be a full-time employee and could be a paid-for service used when required. An organisation will need to appoint a DPO when:

  • The data processing is carried out by a “public authority”. This term is not defined within the regulation, which suggests it is to be set out in national law.
  • Its core activities require consistent and systematic monitoring of data subjects on a large scale. “Core activities” can be read as the functions necessary to achieve the organisation’s goals.
  • Its core activities involve extensive processing of sensitive personal data.

To ensure compliance with GDPR, HR departments need to open up dialogues about data protection with colleagues and embrace technology to keep data secure. Through this, and proper planning, HR departments can make sure their organisations do not fall foul of the regulation.

Agata Nowakowska

Agata is area vice president for the UK at training provider Skillsoft EMEA.


1 comment

Agata, 2 Nov 2018 - 3:24 pm

Employers can barely rely on consent in the context of employment!


© 2011 - 2022 DVV Media International Ltd
