A guide to GDPR for the HR function
As part of our ongoing push to provide you with as much information as we can to help you prepare for GDPR, we decided to break down the information based on company function.
This will form a series of one-page guides, starting with the HR function. Other areas will include marketing and physical security.
With the General Data Protection Regulation (GDPR) deadline just around the corner, it is important to consider how it will impact you and the way in which you collect, process and store information about the people you work with.
Any data that you collect, process and share about employees, contractors or consultants must still comply with its six principles.
Top three preparations
There are, of course, many things that need to be done to get ready for 25 May 2018, but we have chosen to highlight three of the main ones as we see them.
Know your data
Carry out a data mapping exercise to ensure that you have a clear idea of what data you are collecting, processing and sharing. This should include identifying the lawful basis for that processing.
Implement a comprehensive induction process to ensure new starters are aware of their roles and responsibilities when handling personal data, including data protection training relevant to their role.
Put robust processes in place for starters, movers and leavers, with clear ownership defined where they involve other functional areas in your business, for example, the IT, finance and physical security teams.
Top themes to focus on
Under GDPR it is vital that you are only collecting personal data that you actually need and have a robust business reason for having. A data mapping exercise will help to flush out personal data that is not required or that is being shared excessively.
Fair processing notices are just as important when you are looking inwards and you should make it clear to candidates, and/or new starters, how their personal data will be handled before, during and after their engagement.
Employment law provides guidance on data retention and this should be applied as the starting point. But it is important to build on that guidance and ensure that it addresses the needs of your own business. Where you have control over personal data, you must ensure that you are complying with the data retention requirements, not just in your HR function, but in other areas of the business where employee-related activities are done.
Published date:  13 January 2018
Written by:  Stephen Bailey