What does GDPR mean for HR professionals and what do you need to do about it?

Posted on: 27th Feb 2018 by: Dêmos HR Solutions


The acronym GDPR has been on the lips of business owners in recent months, and with the effects on different organisational functions to consider, one may be forgiven for believing it should stand for Good Day to Panic & Run! But there is no need to worry as long as you take steps to put manageable adjustments in place that will ensure your compliance with the General Data Protection Regulation before 25th May 2018.

This blog has been put together specifically to help you understand what GDPR means for your HR practices, with the aim of ensuring you are anxiety free and ready to go when the deadline arrives.

Why will GDPR affect HR?

As a data protection regulation, the changes mean organisations will need to review how they handle the data of employees as well as job candidates, putting processes in place to guarantee compliance. With increasingly globalised networks and a shift to online communications, GDPR exists to protect the personal data of EU citizens. It will apply even though the UK will be leaving the EU, because at the time GDPR comes into force we will still be part of the EU and therefore bound by its requirements. Businesses that fail to comply and are found to be in breach of the regulation could be penalised as a result.

Privacy Notices

A privacy notice is used to inform people how their personal data will be used by an organisation, in as transparent and accessible a way as possible. In preparation for GDPR, privacy notices must now clearly outline the intended use of data, including details such as how long the data will be stored and whether it is shared with other countries within and outside the EU. Individuals should also be directed clearly to the process for making a subject access request to view the information the organisation holds about them.

What should we do? Job applicants and interview candidates should be directed to a privacy notice when sending personal information as part of the recruitment process. Privacy notices should also be shared with existing employees with regards to their personal employment records.

Protecting your staff

Beyond the GDPR rules themselves, it should be considered an ethical duty for companies to take full responsibility and ownership for protecting employee data: how it is kept and ensuring it is not shared. The personal data you hold about employees and job candidates will more than likely include sensitive information such as home address, date of birth and contact details, and, after recruitment, national insurance numbers and bank account details.

What should we do? First and foremost, review your departmental processes for obtaining, handling and storing CVs, job applications and employee information. There are many ways to protect this data, including holding it on secure servers with encrypted, password-protected access and securely deleting the data of unsuccessful candidates after a given period of time. You may also want to consider outsourcing your cyber security procedures and taking out cyber insurance.

New breach notification requirement

If there is a breach of data protection, GDPR provides clear guidelines on the action to take once a breach has been identified. Businesses must inform the Data Protection Agency within 72 hours of a breach, or provide justification in the event of a delay. Businesses must also notify the individuals affected by a data breach promptly and directly, particularly where the breach presents a high risk to the subjects' rights and freedoms.

What should we do? If a breach originates from HR-related activity, HR must liaise with the legal or compliance teams immediately. HR is also likely to play a key role in managing breaches affecting employee data that require data subject notification. Businesses must review their internal HR policies and procedures, particularly those covering internal communications.

Right to request, review and be removed

If you currently take a ‘one size fits all’ approach to consent for holding staff data and for communicating with previous candidates or job applicants, you might need to think again. Moving forward, “specific, informed and unambiguous” consent must be obtained. Current methods of gaining consent must be reviewed to eliminate any uncertainty about what data is being collected, its purpose, the length of time consent will remain valid, and the process for withdrawing consent at any time. Individuals will also be able to request, at any time, to know what data you hold about them, where it is kept, and how it is used.

What should we do? You must respond to such requests and act upon them, so you may want to put in place a procedure, shared with top-level management, on what to do if they are approached by an individual for this information. It is also likely that all current staff members will need new contracts containing updated consent requests.

Data Protection Officers

Businesses that handle special categories of data, or data relating to criminal convictions and offences (often included on recruitment applications), must have a designated Data Protection Officer (DPO). A DPO takes on additional responsibilities for implementing processes, monitoring compliance with GDPR, and advising individuals and teams on GDPR-compliant approaches to data management.

What should we do? Consider appointing a nominated member of staff, either from within your HR team or the wider organisation, or someone external to the company, to act as DPO for your organisation.

If GDPR has you tied up in knots, Dêmos HR Solutions can help untangle the complexities and help you plan with confidence. We are here to give advice or to support you with updating your HR policies and processes, so if you are unsure whether your business is GDPR ready when it comes to your HR function, contact Debbie on 07974 695 365 or complete our enquiry form, turning your panic into Great, Done! Panic Resolved.
