Is your HR department GDPR-ready?

As the GDPR comes into effect, HR needs to know what data they hold, where they hold it and why they hold it

You've probably been receiving hourly emails telling you that a company values your privacy and so won’t email you again unless you specifically opt to receive their emails. It gives me a warm glow to think that after today (25 May) I won't be inundated with weekly emails from a company I once bought a pair of shoes from in 2004. And it’s all to do with the GDPR.

The General Data Protection Regulation (GDPR) is designed to protect the personal data of individuals. It imposes strict rules on how personal data is handled and secured, and provides people with rights that will keep them in control of their data.

What are the obligations for HR?

In the simplest terms, HR need to know what data they hold, where they hold it and why they hold it.

Conducting an audit is the best way to capture the information; start by asking the team what information is held and inputting this into a ‘data register’. The data register should include the legal basis for processing data, and you have to determine which basis fits which data process. In most cases if your systems and policies are well written and you have a tight approach to data control, the viable basis will be ‘legitimate interest’. It’s a legitimate interest to hold the data you need to employ and pay someone (name, address, NI number, bank details etc.), and it’s a legitimate interest to track absence data to administer your sick pay or absence policy.

Where is data kept?

Any 'hidden’ data processes, such as spreadsheets on desktops, need to be brought to light, and action taken to remove and delete. Most HR departments will have a personnel system that holds all HR data and the likely question to the software provider is 'is the software GDPR-compliant?' Generally a software product on its own is not likely to be either GDPR-compliant or non-compliant; it is a business that is compliant (or not) so it depends how that software is used and with what personal data.

For example, you might be comfortable that all data is held securely on your personnel system. But if you have a Post-it Note with your password written on it stuck to your computer screen you’ve failed. Similarly, if you religiously take photocopies of passports for right to work checks but keep them in an unlocked filing cabinet, you’ve failed.

Why are you keeping it?

Is all of the information requested (and held) strictly relevant? Application forms can ask for a lot of information that is hard to justify under the new regulations. It’s a good opportunity to look at what documents you ask applicants or new starters to complete, and ask yourself exactly what information is required, and why it is necessary to hold. Minimise the data you hold wherever possible so you’re only keeping that which is necessary to effectively run your HR department. Finally, you’ll need to make someone responsible for ensuring that the data is protected, which is often the HR manager or HRD.

Third parties

There are generally a lot of third parties with whom you’ll share information; payroll, pension providers, training companies, benefit providers, insurance companies… the list will go on. Make sure you capture which information is being passed to whom, and why. Check it’s being sent in the correct format – so encrypted and secure.

Telling employees

Providing each employee with a clearly-written statement telling them what data is held, why it is held and their rights is an important part of the GDPR. It should also include the legal basis for processing the data, the retention periods for the data, and the way to complain to the Information Commissioner's Office (ICO). It’s a fairly lengthy document and can look intimidating so I’ve taken the approach of explaining what the privacy notice is in simple terms in a cover email. I’ve explained why we hold the data (to pay you), or for legal obligations (to demonstrate your right to work in the UK), or for regulatory reasons (to ensure you have a clean criminal record).

How does an HR department get GDPR-ready?

Audit, audit, audit. Check what data you hold, check you can justify the reasons for holding and processing the data, check who has access and why, check how long the data is kept, check that people know their rights under the GDPR including rights to complain to the ICO…

…and let’s enjoy our slimmed-down email inboxes and watch to see how the law develops, in the UK and abroad.

Vicki Field is HR director at London Doctors Clinic