The data that HR departments work with comes in all shapes and sizes, from many different systems and sources, from emails, Word documents and most commonly as a paper documents – the greatest area of risk by far. Finding the right solution to manage this data has now become imperative, rather than just a nice to have.

HR teams are at the forefront of dealing with risks posed by employees and their personal data.

Specific issues affecting HR:

  • Recruitment – do you provide applicants with an appropriate privacy notice explaining how their personal data will be used? Do you ensure that the personal data collected at each stage of the recruitment process is proportionate and necessary? Do you have clear arrangements with recruitment agencies?
  • Background checks – are these proportionate and only carried out once a job offer has been made?
  • Legal basis for processing – do you ask for consent when you have another legal basis for processing (e.g. the processing is necessary for you to comply with law or a duty on you as an employer)? Is your employee monitoring lawful?
  • Privacy notice – do you provide employees with a clear and transparent privacy notice explaining how their personal data is used and explaining their rights as a data subject?
  • Policies and processes – have you reviewed your data policies and processes for handling personal data?
  • Privacy assessments – do you carry out a privacy impact assessment prior to any new project?
  • Third party data processors – have you reviewed your contracts with third parties to ensure that they comply with GDPR?
  • Subject access requests – do you have sufficient resource to deal with a likely increase in data subject access requests? Can you use technology to simplify findings and identifying information that may be disclosable?
  • Data minimisation – the scope of a subject access request can be reduced by minimising the amount of personal data you hold. Do you have a records retention policy in place? Are HR personnel and line managers aware that records they retain may be disclosable?

What does HR need to be doing?

  • Identify your team and plan your strategy for compliance.
  • Create an information asset register – what personal information and where, why, how and with whom do you process it
  • Review your recruitment processes and template documentation
  • Review your employee privacy notices to ensure they meet the new requirements.
  • Review your processes and systems for dealing with data subjects rights and monitoring employees.
  • Implement data governance policies and measures and training to ensure your HR department operates in accordance with the requirements of the GDPR.
  • Review your contracts with recruitment agencies and employment businesses
  • Review your supply chain arrangements with data processors such as IT and outsourced service providers.
  • Review the data you hold and your data retention policies and practices


HR professionals will have to showcase their expertise in data issues, leading by example with personnel data and then helping the business handling data subject rights.
While the GDPR brings even higher risks and eye-watering penalties for non-compliance, it also brings great opportunities for Top employers

The reason to care: more penalties

The GDPR provides for two levels of administrative fines for GDPR violations depending upon the nature of the violation.

  • First level violations will result in fines of 10 million euros or 2 percent of the company’s worldwide annual revenue, whichever is greater.
  • Second level violations will result in fines of 20 million euros or 4 percent of worldwide annual revenue, whichever is greater.

The majority of violations involving the processing of HR data will likely be second level violations, including noncompliance with the Article 88 country-specific requirements for HR data; failure to use a proper legal basis for collecting and processing data; violations of data subjects’ rights, including data subject access rights; and improper transfers of data outside of the EU. Guidance issued so far on the imposition of penalties has made clear that DPAs will exercise discretion when determining whether to impose fines and in what amount, but the exposure is considerable and good faith efforts at compliance are key to any potential leniency regulators may provide.

Top 10 recommendations

  1. Consider assigning a cross-departmental task force to address GDPR. GDPR has a lot to do with IT, certainly, but procurement, compliance, HR, Legal, and other business units must also be educated on its impact. In addition, you should consider involving an outside consultant that has strong HR and technology experience.
  2. Document what personal data you hold, where it came from and who you share it with. The GDPR requires you to maintain records of your processing activities. It updates rights for a networked world. To make sure you comply, you may need to organize an information audit across the organization and to review the entire HR reporting architecture. Work on documenting your complete HR data architecture making sure you don’t miss any “touch-points”/ interactions (external audiences and third parties included). Pay special attention to recruitment, training, benefits.
  3. Set the right boundaries between consent and legal basis for employee data. The GDPR makes clear that consent will rarely be an acceptable legal basis for processing employment data, due to the imbalance of power between the employer and data subject. Wherever possible, employers should consider an alternative legal basis for the processing of that information, such as compliance with a legal obligation or the pursuit of a legitimate interest of the employer.
  4. Review your privacy policy and notice messages. When you collect personal data you currently must give people certain information, such as your identity and how you intend to use their information. This is usually done through a privacy notice. Under the GDPR there are some additional things you will have to tell people. For example, you will need to explain your lawful basis for processing the data, your data retention periods and that individuals have a right to complain if they think there is a problem with the way you are handling their data. The GDPR requires the information to be provided in concise, easy to understand and clear language
  5. Keep a detailed record of your monthly data processing activities: you need to know exactly what personal data you process, who is responsible for it and how it is processed. Take into consideration that processing covers any operation or series of operations you carry out on personal data: Collection, Recording, Organisation, Structuring, Storage, Adaptation, Alteration, Retrieval, Consultation, Use, Disclosure, Dissemination. Designing a framework, a detailed step by step activities plan for your monthly operations, would help tremendously. Consider assigning a “shadow team” or organizing a workshop to review and document your monthly operations.
  6. Make sure that your HR team is prepared to respond to the exercise of the rights by members of staff. For example, employers should ensure that there are guidelines and training in place where a subject access request is received from a current employee, or where a member of staff asks for certain data to be erased.
  7. Simplify the way you do HR. If investing in HR technology has not yet been a priority for your organization, now is the best time to reconsider consolidating your HR data into as few databases as possible. The main scope of course is centralizing all your HR data – including documents – in a single secure HR system with self-service access. By doing so you regain control of your HR data – information is easier to secure, track, manage and delete. Partner with an HR technology advisor to design a detailed requirements list that targets both compliance and operational efficiency.
  8. Review your internal communication procedures to ensure you have built the proper consent attainment methods when it comes to obtaining employee information. Robust, modern HR solutions with regular updates and self-service options can help you streamline this process and ensure compliance is met. Paper based processes are difficult to manage and even more difficult to monitor and report on.
  9. Ensure compliance of your HR and payroll business partners. Keep in mind that organisations are mainly responsible for their own data and making sure it’s protected. In this regards, third-party relationships present both risk and opportunity; simply put, GDPR makes you liable as a data controller if you do not have sufficient guarantees that 3rd parties you work with are compliant; strong HR/payroll business partners on the contrary can assist you in getting compliant and take away a part of the burden and the risk. Request a clear statement and more information from your partners on what they are doing to ensure compliance. Consider hiring an outside expert to evaluate your current model and exposure.
  10. Make sure you shift from paper-based compliance to actual and demonstrated compliance in the field. Instead, the GDPR expects companies to implement several additional measures such as: appointment of a (mandatory) data protection officer and carrying out (mandatory) privacy impact assessments. These new obligations will have a significant impact on how companies approach projects that involve the processing of personal data. Once you have completed steps 1-9 IT will have a better understanding of actions that need to be taken to comply to the Privacy by design and Default obligations.


Full HR Data & Process Mapping Workshop

Description: a 3 to 7 days workshop (40 hours max) on your premises, facilitated by a Senior HR Professionals with extensive HR Executive experience covering all main HR processes. During the workshop all HR processes, touch points and interactions will be documented in detail (deliverables will include process and data flows, SIPOC diagrams and legal basis details). This is also a great opportunity for HR teams to review their operational model and identify opportunities for improvement.

Scope: Participants will create detailed records (lists) of all data processing activities, including the categories of personal data, data subjects and recipients, the purposes of processing, any transfers of personal data outside the (EEA), the time limits for storage of the data and the security measures in place to protect it.

Why? The business will be required to produce a data map in respect of all personal data held/ used by it, but HR will be best placed to provide this information in relation to workers. It will be mandatory for employers to maintain these records under the GDPR and they may be required to produce them to the Information Commissioner’s Office (ICO).

Justification for Processing Documentation Workshop

Description: assistance includes a detailed legal evaluation of employer rights together with proper documentation from active legislation performed together with a Labor Law Team.

Scope: Participants will be able to:

  • carefully consider if collected data is really needed
  • consider what justifications for processing employee data the employer has, avoiding, where possible, reliance on consent or “legitimate business interests”.

This is about establishing a specific business need, as opposed to a nice-to-have. Employers that seek to obtain consent for processing personal data by including standard wording in their contracts of employment should consider what other grounds are available to justify processing.

Why? The GDPR makes it much more difficult to rely on consent as a justification because it considers that there will always be inequality of bargaining power between employer and employee or job candidate and, therefore, that such consent may not be truly freely given. The ICO, in draft guidance, has said that it will almost never be appropriate to rely on consent as a justification for processing employee data, and could even be misleading.

Managing Data Sharing & Service Providers Workshop

Description: a 2 to 5 days workshop (30 hours max) on your premises, facilitated by a Senior HR Professional with extensive experience in HR technology and HR outsourcing service delivery models. Sessions will be structured to address all third parties’ interactions. Participants will be trained to understand compliance requirements (deliverables will include a compliance criteria list, a detailed questionnaire to be filled in by providers and a customized scoring system to evaluate compliance level). Once compliance levels are evaluated, we will work together to design a clear action plan to be implemented by each individual provider.

Scope: Participants will identify all circumstances where personal data is shared with third parties, either for that party’s own purposes (e.g. a parent company), or to a service provider during its providing the service (e.g. payroll processors, providers of domestic or global HR databases, external intranet hosts, external trainers/training platforms, etc.). Review all contracts with processors and draft and negotiate necessary amendments to comply with GDPR.

Why? The GDPR requires new provisions to be included in agreements with processors (including as to subcontracting, audit assistance, acting on documented instructions only, breach reporting, etc.) and expands the employer’s due diligence obligations before engaging them. It also makes it more advisable to have written data sharing agreements with other data controllers.

Privacy Notices Revision Services

Description: assistance includes a detailed legal evaluation of current privacy notices used by Employer performed together with a Labour Law Team.

Scope: Review and revise all privacy notices given to applicants, employees and other workers, to comply with the GDPR. This information is frequently included in data protection policies or contracts of employment and these will, therefore, need to be updated.

Why? The GDPR introduces additional provisions that must be included in privacy notices. These include detailed statements of what data is being processed and why and of the individual’s rights to removal, rectification, objection, portability, etc., of the data, plus the right to refer issues to the ICO. With consent largely falling away as a justification for processing, privacy notices become more important.

Privacy by Design/ HR technology Assessment Workshop

Description: a 2 to 5 days (30 hours max) on premises review of your HR systems and tools performed by a team of HR Technology experts (deliverables will include risks assessments and an extensive list of recommendations for action plus a value-added list of suggestions for simplifying work and processes.

Scope: Controllers should take steps to show that they have taken data protection compliance into consideration, and have implemented appropriate compliance measures, in relation to their data processing activities. In particular, controllers should adopt internal policies and measures which meet the principles of privacy by design and data protection by default.

Why? Organizations should adopt internal policies and implement technical and organizational measures:

  • relating to pseudonymisation, transparency and access
  • which provide that only personal data which is necessary for each specific purpose of the processing is processed
  • which provide that personal data is not made accessible to more individuals than necessary
  • using applications or processes which allow them to implement such controls and (where available) have been certified by a body accredited by a Supervisory Authority may become a way of demonstrating compliance with the privacy by design requirements.

Working with Internal data processing registers Workshop

Description: one month ongoing assistance for designing and using Internal data processing registers. Deliverables include an initial register framework (based on the monthly activities plan) and daily/ weekly revisions of processing records.

Scope: Controllers (Participants) will be able to:

  • clearly identify where personal data is processed within their organization, including by third party processors
  • determine the process (likely to be some form of register) that they will use to record details
  • consider how they will ensure that the relevant information will be kept up-to-date. This may require allocating responsibility for this to individuals within the different business functions that process personal data.

Why? Controllers (and the controller’s representative if the controller is outside the EU) must now maintain a formal, written record of processing activities under its responsibility. Whilst controllers are currently required to provide much of this information when they register with a Supervisory Authority, the information required under Article 30 is more detailed than the requirements in some Member States.

Managing Data subject rights Workshop

Description: a 2 to 3 days (10 hours max) on your premises workshop on handling employee requests in regards to GDPR facilitated by a Senior HR with extensive experience in managing employee relations. Sessions include Role play and standard answers drafting.

Scope: Participants will be able to:

  • assess how these rights trigger and how they will be exercised in employee contexts
  • consider how to search for, filter and separate the information required to comply
  • consider whether the rights can be met wholly or partially through a self-service option
  • identify the relevant exemptions under Member State law and how the rights can be resisted where desirable
  • ensure that mechanisms are in place to enable responses within one month
  • assess the opportunities to have personal data of competitors or other third parties’ customers ported to the organization through data subject’s exercise of portability rights

Why? Data subject rights included in GDPR:

  • to have personal data transmitted to the data subject or another controller in a commonly used machine-readable format (data portability)
  • to require the controller to erase personal data in certain circumstances and where the data has been made public to take reasonable steps to inform controllers that are processing the data that the data subject has requested its erasure of any links to, copies or replication of it (right to be forgotten)
  • to ask for more information about a controller’s processing (export solution, storage limits) through a subject access request and to provide the information in a commonly used electronic form
  • to require data to be marked as restricted whilst complaints are resolved

GDPR Internal Communication Workshop

Description: 3 on your premises sessions (12 hours max) to design communication road map, prepare communication plans and draft communications materials.

Scope: Participants will be prepared to:

  • implement a training program covering data protection generally and the areas that are specifically relevant to their organizations
  • implement a policy for determining when training should take place and when refresher training should be carried out and a process for recording when training has been completed

Why? DPOs are under a specific obligation to implement appropriate training. Although not an express obligation for organizations where DPOs are not required, we consider it to be almost impossible to demonstrate that an organization is able to achieve compliance without policies setting out how to comply coupled with training to bring those policies to life.