With so much to do in preparation for the new General Data Protection Regulation (GDPR) changes coming in May 2018, we are hoping to demystify HR’s relationship with the GDPR and help them to get on better terms…

What is the GDPR?

The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.

Penalties for non-compliance with the new laws will be in place from 25 May 2018. We expect some high-profile cases to emerge as a result of these changes – so don’t let that be you!

What does data protection have to do with Human Resources?

HR deals with a substantial amount of personal data and has a responsibility for maintaining it and keeping it safe.

When employees give over their personal details, there is an expectation that the information will remain confidential and be shared only on a need-to-know basis.

According to our friendly experts at CIS Ltd, who have kindly updated our team on the new regulations, there are two types of data agents: data controllers and data processors.

“Data controller” means the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing. [This is likely to be the employer]

“Data processor” means a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller. [This is likely to be Human Resources]

The onus is on data controllers and processors to analyse the private data that is currently being held by the organisation, and to review the consent procedures by which employees agree to the retention of their personal data.

All businesses and organisations that handle personal information will need to appoint a Data Protection Officer (DPO) to manage and enforce compliance with the GDPR.

Be aware

Collecting the following data is now prohibited, without explicit consent from the individual and sufficient justification for holding this information:

• Race • Ethnic Origin • Political opinions • Religion • Philosophical beliefs • Trade union membership • Genetic data • Biometric data • Health data • Concerning a natural person’s sex life • Sexual orientation

Conditions for relying on consent

  • The controller must be able to demonstrate that the data subject has consented to the processing (Ticking a consent box is still valid)
  • Written consent must be clear, intelligible, easily accessible, and distinguished from other items in a document, or else it is not binding;
  • Whether contract performance is conditional on consent to processing data not necessary for the performance of the contract;
  • Data subject must be able to easily withdraw consent at any time;

Eight rights of data subjects GDPR Chapter III

1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object
8. Rights in relation to automated decision making and profiling

Data breaches

Once a data breach is discovered, there is an obligation for data processor to notify the data controller as soon as possible.

When a data breach has occurred, there will be an obligation for data controller to communicate a personal data breach to data subjects without undue delay.

This, however, does not apply where the lost data was already encrypted. Therefore, encryption should be one of your first lines of defence.

Using technology to enforce GDPR

Encryption software is a good first step, as it can help secure and encrypt personal data, helping to ensure that it remains safe and unreadable outside of the designated user group.

Sophos SafeGuard 8 comes well recommended by our GDPR advisors.
A video overview to SafeGuard 8 can be seen here:   https://www.youtube.com/watch?v=GHkwHDxkX2Y 

CIS Ltd can provide further guidance on technology which may suit your business, as well as help with penetration testing, gap analysis and security services.

Bottom Line: The GDPR is going to change the way that HR handles data. Ensure that you seek out advice in order to take action within your business.


Need some help? People Business will be happy to offer assistance in the above, please contact us on 01932 874944.