Specific issues affecting HR:
- Recruitment – do you provide applicants with an appropriate privacy notice explaining how their personal data will be used? Do you ensure that the personal data collected at each stage of the recruitment process is proportionate and necessary? Do you have clear arrangements with recruitment agencies?
- Background checks – are these proportionate and only carried out once a job offer has been made?
- Legal basis for processing – do you ask for consent when you have another legal basis for processing (e.g. the processing is necessary for you to comply with law or a duty on you as an employer)? Is your employee monitoring lawful?
- Privacy notice – do you provide employees with a clear and transparent privacy notice explaining how their personal data is used and explaining their rights as a data subject?
- Policies and processes – have you reviewed your data policies and processes for handling personal data?
- Privacy assessments – do you carry out a privacy impact assessment prior to any new project?
- Third party data processors – have you reviewed your contracts with third parties to ensure that they comply with GDPR?
- Subject access requests – do you have sufficient resource to deal with a likely increase in data subject access requests? Can you use technology to simplify finding and identifying information that may be disclosable?
- Data minimisation – the scope of a subject access request can be reduced by minimising the amount of personal data you hold. Do you have a records retention policy in place? Are HR personnel and line managers aware that records they retain may be disclosable?