What GDPR means for HR departments


Change is on the horizon for HR departments throughout the EU and globally.

In less than 12 months, the General Data Protection Regulation (GDPR) will come into effect in the UK. It will replace the 1995 Data Protection Directive and the 28 separate national laws that implemented it, and it will raise the standard of data protection across the EU and the UK. Significantly, the UK government has confirmed that Brexit will not affect the implementation of this new legislation. It will cause a seismic shift in the way that HR departments in the UK are run, and specifically in the way that personal data is handled.

This includes how data protection regimes are implemented by employers, and how HR departments will have to respond to subject access requests from employees and from other sources. In recent years there have been large cyber-attacks and leaks from companies such as Yahoo, UniCredit and TalkTalk. The new legislation requires organisations to put appropriate technical and organisational measures in place so that personal data is harder to reach in any future attack, and holds them accountable when those measures fall short.

What is GDPR?

GDPR is a new regulation, adopted by the European Parliament and the Council of the EU in April 2016 (Regulation (EU) 2016/679).

It will replace its predecessor, the 1995 Data Protection Directive (95/46/EC). It has been designed to completely overhaul how businesses process and handle personal data, no matter where the data is stored or where the business is based. Data processors will, for the first time, be subject to direct regulatory obligations of their own, rather than only to the terms of their contract with the data controller.

GDPR has been designed to put the individual back in control of their personal data. It prevents organisations from gathering and storing data without a lawful basis, and requires that appropriate measures are taken to protect any data they do hold. This includes special category (sensitive) personal data such as health, trade union membership and biometric data, which HR departments routinely hold.

What are the implications for HR departments?

Companies that are covered by the new GDPR legislation will be forced to be more transparent about how data is collected and handled. They will also be held more accountable. Any company found to be in breach of the new rules could face a fine of up to €20 million or 4% of its worldwide annual turnover, whichever is higher. Therefore, HR departments will have to update and upgrade the way that they handle and store personal data about any individual in the EU, whatever that person's citizenship.

For the first time, data processors will have to meet regulatory obligations directly. The new legislation applies not only to how an employer processes employee data, but also to how HR service providers (payroll bureaus, recruitment platforms, benefits administrators and the like) process that data on the employer's behalf. Therefore, if a non-EU affiliate of a multinational company holds HR data on a central system, the new GDPR legislation will also affect it.

The main aim of GDPR is to create a single, overarching data protection law that applies in all EU member states. Arguably, this will make it easier for large multinational companies to comply with one law rather than 28 different laws for different countries. However, GDPR does permit each member state to lay down more specific rules on the processing of employee data in the employment context (Article 88). This covers matters such as recruitment, performance of the employment contract, and health and safety at work.

Legal obligations for HR departments

GDPR gives a person more control over how their personal data is used, and over how they consent to it being used and stored. Under GDPR, consent must be freely given, specific, informed and unambiguous. Because of the imbalance of power between employer and employee, an employee can rarely be said to consent freely, so consent will seldom be a safe lawful basis for processing HR data. Following the implementation of GDPR on 25 May 2018, employers will therefore need to carefully examine how they process HR-related data and which lawful basis (for example, performance of the employment contract or a legal obligation) each processing activity relies on.

The new legislation also enhances the rights of those whose data is stored. Employers will need to provide employees with clear details of how and why they process HR-related data, typically through a privacy notice. Employees will then be able to make a more informed decision about how and when to share their data. They will also have the right to request that employers erase the data held about them, where the conditions for erasure are met (for example, where the data is no longer needed for the purpose for which it was collected).

Some organisations will also need to implement extra measures. These include appointing a data protection officer, carrying out data protection impact assessments before starting high-risk processing, and consulting the data protection authority before going ahead where an assessment shows a high risk that cannot be mitigated. Moreover, companies will be obliged to notify the data protection regulator of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. They must also inform affected employees without undue delay if the breach is likely to result in a high risk to their rights and freedoms.

Businesses must mark 25 May 2018 in their calendars now, and start preparing for the inevitable.