
The impact upon HR might be the metaphorical equivalent of a tsunami – GDPR is going to force HR departments across the land, and indeed across Europe, to engage in a major re-think.
The General Data Protection Regulation, due to be enforceable from May 25th 2017, has a number of key implications for HR.

The regulation concerns data and its privacy, and not just the privacy of customers but that of staff too. Rules such as ‘the right to be forgotten’ come into it, and the old way of doing things just won’t be good enough.

It will not be good enough, for example, just to get staff to sign a document giving their employer permission to do ‘this’ or ‘that’ with their data. The relationship between employer and employee is not even. The employer is in a position of strength, and the employee may feel coerced into signing an agreement, even if the coercion is subtle and tacit.

This means that having an employee agree to the use of their data is not sufficient protection for a company.

As the ICO, the UK regulator charged with ensuring compliance with the Data Protection Act, and now GDPR, states: “If for any reason you cannot offer people a genuine choice over how you use their data, consent will not be an appropriate basis for processing. This may be the case if, for example, you are in a position of power over the individual – for example if you are a public authority or an employer processing employee data.”

The best defence a company can make to argue that its use of data is acceptable is to show that the data is used to support legitimate interests – for example, that it is essential in administering HR requirements, or is required by law.

The GDPR states that data held must be “adequate, relevant and limited to what is necessary in relation to the purpose for which it is processed.”

But there needs to be transparency too. Privacy policies relating to data held on employees must be clearly written, easy to access and concise, for example.

There is also the issue of change. Times change, and interests that are legitimate at one point may cease to be so at a later date, so it is essential to have policies in place ensuring data is not held once it is no longer appropriate.

One solution might be to hold regular data audits, but also to have procedures in place to update, and where appropriate delete, data when changes make this necessary.

Linked to this is the issue of the ‘right to be forgotten’. This rule does not only apply to deleting links from search engine results; it can apply to data held regarding staff, or former staff, too. They have the right to request that data is removed, and provided such a request does not work against legitimate interests, companies must remove it.

There are also implications under GDPR concerning what a company should do with CVs sent in by prospective employees, whether unsolicited or in response to a job vacancy. Whether it deletes CVs or holds them on file for future openings, the candidates must be informed.

When screening CVs for an opening, candidates will have the right not to be omitted from consideration based on automated processing.

And finally, there is the issue of background screening. Under the terms of GDPR, background screening can only occur under very specific conditions. However, a Data Protection Bill, published in September 2017, is designed to supplement GDPR and will authorise criminal records checks to a broader selection of companies, but only under certain strict conditions. HR departments need to familiarise themselves with these conditions.

To find out more about GDPR, check out the next GDPR Summit London.