GDPR Bitesize: Key Issues for HR

United KingdomScotland

Welcome to our collection of law-now updates on the HR aspects of GDPR.

We appreciate that when it comes to GDPR compliance, it can seem like an overwhelming task. With that in mind we have broken this topic down into manageable – bitesize - sections, and provided a high-level and practical route map to compliance.

This series highlights the key changes for HR. It does not seek to cover issues like international data transfer, processing contracts or data privacy impact assessments, which will generally be picked up as part of an organisation’s wider GDPR planning. These are all areas we and our colleagues can assist with where they are relevant to your HR project.

While the GDPR introduces a new layer of obligations for HR teams, it builds on the existing data protection regime. Businesses should not therefore be starting from scratch, however there are important changes that need to be incorporated into systems, processes and approach.

Perhaps one of the most important changes is the cultural shift that the GDPR is seeking to achieve. In the digital economy that we now live in, the aim is to promote transparency and drive accountability. Employers need to move to a mind-set whereby they acknowledge they are the custodians of the data they hold, and recognise that employees - as data subjects – have a number of new rights reflecting this (going beyond although still including the vital right of subject access).

As we explain in this series, the first step for HR is a data audit – mapping out how your organisation processes personal data, why you do this and where potential compliance gaps might exist. An audit serves many purposes, and one of these is to feed the ‘privacy notice’ that will have to be issued to all employees and other workers. Many organisations are familiar with these for their customers, but have not issued them to their workforce (or at least not in any detail as will now be required). That approach needs to change.

Your action checklist should also include rethinking the basis of processing, as discussed in our update on moving away from consent, as well as revised subject access procedures and new policies on data protection and retention periods, to name but a few examples!

We can assist with all aspects of compliance, and would be delighted to discuss this with you.

Download PDF to find out more.