GDPR For HR Departments - Make Sure You Comply


If you are on several email lists, and who isn’t these days, you will likely have noticed a familiar pattern in the messages you have received of late. This is all because the General Data Protection Regulation, or GDPR for short, comes into effect on the 25th of May 2018.

GDPR will usher in significant changes to data protection laws across Europe, and all organisations must review:

  • What data they collect
  • How they hold this data
  • How this data is processed
  • Their communication with individuals

It is likely that businesses will have to adopt new ways of using email marketing and then holding this data. There is a need for firms to show they comply with GDPR and there are new enforcement powers to be aware of.

There is a concern that some firms will believe GDPR is solely a marketing issue. After all, a high volume of business emails are marketing emails, and it is likely that any data your firm has collected has been obtained for marketing purposes.

However, it would be wrong to say that GDPR is solely a marketing issue. In fact, GDPR is a massive issue for HR Departments. HR Departments may not be sending out emails to clients, but they do hold a lot of personal data. This isn’t just personal data for current employees; it is extremely likely that HR Departments will also hold information on former employees and even job applicants.

There is also the concern that this information may be located on systems that can be accessed or processed by third parties. An example of this would be where an HR Department uses an external software company to carry out payroll processing, or uses a cloud-based hosting system for its own HR system.

It is the nature of what may be contained in these locations that is most concerning with respect to GDPR for HR Departments. It could be that you hold medical information about people, or information pertaining to people being members of a Trade Union.

When it comes to the implications for an HR Department, there are several key areas where you should review your actions and, if necessary, make improvements.

Focus on consent

One of the key phrases in the GDPR guidelines is the need for “clear affirmative action”. You need to make it clear why you are asking for customer information, and you need to have the express consent of the responder. This means that if you are using pre-ticked boxes or obtaining bundled consent to gather information, you should review and even remove these practices.

Offer transparency

It is clear, if you pardon the pun, that transparency is essential when it comes to complying with GDPR. You should look to provide as much information to the individual as you can. You should be able to explain why you want this information, what you are going to do with it, whether it will be held by anyone else and what storage you have in place.

Be mindful of lawful process

There are now stricter rules in place for the processing of data for new purposes, and failing to comply with these rules could land your company in trouble.

Be aware of increased access rights for individuals

Individuals are now provided with a greater level of rights, including the right to have their data erased and protection against profiling.

You should have privacy as a priority

Privacy is now essential when it comes to data storage and collection, and this should become part of a firm’s day-to-day activities. Firms will also have to show that they are compliant and will have to deal with regulators on an ongoing basis.

While all these matters are very important, it is likely that some HR Departments will not act swiftly in making changes. Therefore, there is a need to focus on the sanctions associated with failing to comply with GDPR, and these will likely see professionals act in the intended manner.

Regulators hold the power to issue fines of up to €20m or 4% of the organisation’s worldwide turnover for failing to comply with GDPR. The penalties associated with non-compliance will hopefully persuade many HR Departments that this is a serious matter which should be focused on before the implementation date of 25th of May 2018.

Specific matters that HR Departments should consider include:

  • In the recruitment process, do you provide applicants with notice of how their data may be used?
  • Do you only collect information that is necessary?
  • If you liaise with recruitment agencies, is there a clear arrangement as to data collection and storage?
  • If you carry out background checks, are they appropriate, and are they only carried out after an offer has been made to the candidate?
  • Have you issued employees with a transparent notice which details how their personal data is used, while also explaining employees’ rights as data subjects?

GDPR is an important matter for HR Departments to consider, and there are profound consequences for a firm that doesn’t comply. If you need assistance in complying with GDPR, contact Davenport HR at and we will be more than happy to advise you on this matter.