· News

HR bears brunt of GDPR compliance

One year on from the introduction of the GDPR, HR professionals report feeling burdened by the demands of data compliance and fear it could get worse post-Brexit

More than three-quarters (76%) of HR professionals said that the GDPR has imposed a significant burden on their HR department, according to Cezanne HR.

Its research, which polled 250 UK HR professionals and marks one year since the GDPR came into force on 25 May 2018, found the same proportion (76%) reported they were facing an increase in subject access requests (SARs) as a result of the regulation, while just over half (52%) are having to manage date deletion and anonymisation using manual or semi-manual processes.

Concerns were raised about the demands data compliance will place on the function post-Brexit, with the majority (64%) of respondents saying they believe data protection will get harder when the UK leaves the EU.

Commenting on the research, marketing director of Cezanne HR Sue Lingard said: “HR teams process huge amounts of personal data and are in the frontline when it comes to deciding what data to collect, how to manage and secure it, who should have access and how long they need to keep it for. It was inevitable that they would have to bear the brunt of compliance activities. The problem is that these activities are ongoing, so the overhead is never going to go away.”

Despite these concerns HR professionals seemed assured of their current understanding of the regulation. Almost all (95%) respondents said they feel confident in their compliance with the GDPR, while 88% said they feel confident in their understanding of GDPR legislation relating to the retention and deletion of data.

This correlated with their knowledge of data storage and data security, the research found, with 92% saying they know where their people data is stored and 86% saying they have confidence in the security systems their department has in place to protect it.

HR should not feel they have to tackle the GDPR alone, Lingard added. “In my view HR teams should be asking more of their HR suppliers – and extending access to their systems to their complete workforce, including gig workers and contractors,” she said.

“For example, most HR systems are sophisticated enough to incorporate tools that let HR teams set up rules that automatically remove or anonymise data in line with different legislative requirements. That would remove a lot of the administrative burden from HR and ensure that important compliance steps don’t get overlooked.”

Stefan Martin, a partner at Hogan Lovells, said that employers should remain vigilant when handling data, following a ruling against Morrisons last year, where a former employee leaked the details of hundreds of its employees.

"At the same time as adjusting to the GDPR employers are nervous about the possibility of vicarious liability for an employee's breach of data protection requirements, even where an employer has complied with its own obligations,” said Martin. “The Supreme Court will consider that issue in due course in Morrisons Supermarkets v various claimants but pending the Supreme Court decision employers remain at risk in class action data protection claims."

The Supreme Court granted Morrisons the right to appeal against its ruling last week.