How can you achieve GDPR compliance?

    Human Resources have a vital role to play in ensuring compliance with the GDPR regulations – and can help to avoid thousands of pounds in fines for data breaches.

    Since the General Data Protection Regulation (GDPR) was introduced on 25 May 2018, there has been a sharp increase in complaints to regulators.

    For organisations that are not yet compliant, a GDPR fine is a significant risk.

    Many of the changes needed to avoid that risk fall on the HR department.

    The importance of obtaining consent clearly

    One of the biggest challenges for HR professionals, especially those who deal with job applicant data, is ensuring that an organisation has clear consent from the data subject.

    Consent must be an active and affirmative action by the individual, not a passive or tacit acceptance. Consent can be removed by the individual as they see fit, further complicating matters.

    Controllers must keep a log of when consent was given and when it was rescinded.

    A quick win is to eliminate pre-agreed options from company literature and instead obtain unequivocal consent from the individual.

    Beyond consent, training & mitigating risks

    The impact for HR professionals goes beyond consent at the application stage.

    HR works with data on all kinds of people – current and former employees, and prospective ones too.

    Information will often come electronically, via online forms or emailed documents, but paper filing is still commonplace.

    It is important to keep hard copies and deal with any non-compliant paperwork immediately – this typically means disposal.

    In our experience, it would be wise for businesses and organisations to consider moving away from paper-based documents, as doing so can help to ease the administrative burden.

    Focus should be placed on training to mitigate legal, financial and reputational risks. This will mean employees are aware of how personal data should be handled and increase accountability.

    Other important compliance areas for HR

    Do applicants receive an appropriate privacy notice, detailing how, why and what their data will be used for? Is the data collected absolutely necessary? Are background checks proportionate and carried out only once a job offer has been made?

    Subject access

    Are your procedures robust enough to manage access requests? Can you disclose these data requests transparently?

    Impact assessments

    Do you have a procedure in place to review the impact a new project or activity would have on data security and privacy? Is the project at risk of contravening the data subject’s rights or the GDPR as a whole?

    Data retention

    As per the principle of data minimisation, can any data held on file be disposed of? Are you aware of where data is held, and where you could be liable under GDPR?

    Third party partners

    If you work with any third parties, are they compliant? Do contracts expressly outline the limits and responsibilities of each party under GDPR?

    Get expert help and advice

    Should you need help with any of these GDPR compliance issues, get in touch for a friendly discussion.