HR can play an important part in ensuring compliance with the GDPR, helping to avoid thousands of pounds in fines for data breaches.

Since the General Data Protection Regulation (GDPR) was introduced on 25 May 2018 there has been a sharp increase in complaints to regulators. The Information Commissioner’s Office received 6,281 breach notifications between 25 May and 3 July 2018 – an increase of 160% on those received in the same period in 2017.


For organisations that are not yet compliant, a GDPR fine is a significant risk. Unfortunately for HR departments, many of the changes that need to be made fall on their shoulders.

One of the biggest challenges for HR professionals, especially those who deal with job applicant data, is assuring an organisation has clear consent from the data subject. Consent must be an active and affirmative action by the individual, not a passive or tacit acceptance. Consent can be removed by the individual as they see fit, further complicating matters.

Controllers must keep a log of when consent was given and when it was rescinded. A quick win is to eliminate pre-agreed options from company literature and instead obtain unequivocal consent from the individual.

Beyond consent

But the impact for HR goes beyond consent at the application stage. HR departments work with all types of data, not just from current employees but former and prospective ones too.

Often, information will come electronically, via online forms or emailed documents, but paper filing is still commonplace. It is important to keep hard copies and deal with any non-compliant paperwork immediately – this typically means disposal. Organisations should also consider moving away from paper-based documents.

HR departments should focus on training to mitigate legal, financial and reputational risks. Not only will training mean employees are aware of how personal data should be handled, but it will increase accountability.

While the above measures are important, there are several more pressing concerns that HR departments need to resolve. These are:

  • Recruitment – Do applicants receive an appropriate privacy notice, detailing how, why and what their data will be used for? Is the data collected absolutely necessary? Are background checks proportionate and carried out only once a job offer has been made?
  • Subject access – Is the organisation’s procedure robust enough to manage access requests? Can it disclose these transparently?
  • Impact assessments – Does the organisation have a procedure in place to review the impact a new project or activity would have on data security and privacy? Is the project at risk of contravening the data subject’s rights or the GDPR as a whole?
  • Data retention – As per the principle of data minimisation, can any data held on file be disposed of? Is the wider company aware of where data may be held, and therefore liable under GDPR?
  • Third parties – Does the company work with any third parties? Are they compliant? Do contracts expressly outline the limits and responsibilities of each party under GDPR?

Get in touch with Anota, to hear how we can help you with GDPR compliance.