What is GDPR - and how does it affect HR?

GDPR, which came into effect on May 25th, 2018, is a set of regulations in the European Union that aims to protect personal data and give individuals more control over its use. It has a significant impact on HR departments, as they collect and manage large amounts of personal data within organizations. GDPR applies to various aspects of HR operations, from company policies to handling contact information stored in Excel files. 

GDPR for individuals  

Under GDPR, individuals, including end-users, employees, and partners, have the right to access their personal data in an understandable format. They can request permanent deletion of their data, transfer it to another system, and be notified of any data breaches. Compliance involves ensuring the integrity and availability of HR data systems, keeping data up-to-date, and restricting access to authorized personnel. 

GDPR for organisations  

GDPR divides the responsibility for secure data management between the Controller (typically HR) and the Processor (e.g., software suppliers). The Controller selects compliant suppliers and provides them with instructions for data management. Suppliers must guarantee data encryption and security during storage and transfer, maintain processing records, and appoint a Data Protection Officer (DPO) to ensure compliance. 

GDPR for HR professionals  

In essence, GDPR regulates and protects the processing of personal data. HR professionals need to consider the following key points: 

  1. Personal data refers to any information related to an identifiable individual. 
  2. GDPR directly regulates data processors, including vendors used by HR for personal data processing.
  3. Employers must promptly report data breaches to authorities and affected employees.
  4. Companies monitoring employees' personal data regularly must appoint a Data Protection Officer. 
  5. GDPR gives employees more control over their data, including access, rectification, deletion, and withdrawal of consent. 

HR professionals can only use data for the specific purpose given and must obtain explicit consent from employees. GDPR applies to all employers with EU-based employees, regardless of their location. Offshoring HR functions requires proper data mapping and informing employees if their data is transferred to countries without adequate privacy laws. Employers must ensure sufficient measures and risk assessments are in place to secure such transfers. 

The Employee Privacy Notice is crucial for HR as it informs employees about data processing. It is mandatory under GDPR and emphasises fair and transparent processing of HR-related data. 

Are you curious to find out if your company is on the right track for GDPR compliance? Make sure to download our GDPR checklist which will help you identify all data storage locations, enabling you to ensure compliance of Processors by engaging suppliers and checking for ISO certification.