How Does GDPR Affect Human Resources?

Ben Hancock
Managing Director | Yellow Room Learning
15th December 2017
Member roleChamber member

The General Data Protection Regulation (GDPR) is a set of rules that defines how businesses should collect, store, and process the data of EU citizens.

It is designed to protect the data of people living in the EU and gives them more control over how their data is handled. Adhering to the rules specified in the GDPR will become mandatory for UK businesses on the 25th of May, 2018. Businesses that fail to comply with this new set of rules may face heavy fines.

Businesses in the human resources sector, and even human resource departments, will be heavily impacted by these new rules, because they handle so much client information. This guide will explain why the GDPR was created and how it will affect HR professionals.

Why was the GDPR developed?
The advent of the Internet has changed how data is collected, stored, shared, and processed. Businesses regularly handle large amounts of data and use it in new ways. Data can be analysed very quickly, shared with other parties, and processed to be used for multiple purposes.
Unfortunately, this has had some negative implications for the general public. Members of the public understand that their data is being taken, processed, and stored in ways that they didn’t expect. They no longer trust businesses to handle their data responsibly and are concerned about a loss of privacy.

The GDPR is designed to give the general public more control over their data. Members of the public will understand that there are strict rules relating to how their information is being collected, processed, and shared — restoring public confidence. Under the GDPR, businesses are compelled to ask a person before collecting their data.

They must specify how they will be using the data they gather and who will have access to it. Businesses will only be allowed to retain data for a limited period. Businesses must also prove that user data is being stored securely and may have to appoint a Data Protection Officer (DPO). If a person’s data has been compromised in some way, a business will have 72 hours to tell users or they will face heavy penalties. Members of the public can also ask for copies of the data that a business holds on them or have their data deleted. One of the major goals of the GDPR is to standardise the various data handling laws in countries across the European Union. By simplifying data handling rules, businesses will save money and it will be easier for residents of different EU countries to understand how their data is used.

What about Brexit?
The GDPR will come into effect before the UK has left the EU. UK politicians have also suggested that any future data regulations will have similar rules to the GDPR.

Who will have to comply with the GDPR?
Any business or organisation that processes or controls data belonging to citizens residing in the EU must comply with the GPDR.

How does GDPR affect HR?
Human resources tend to collect a lot of sensitive information from job seekers and businesses. The GDPR will change how HR can collect, store, process this sensitive information. The key elements of the GDPR that apply to HR departments include:

  • Data retention. Businesses must only hold onto a user’s data for as long as necessary. They must only use it for the purpose for which it was obtained. This means that data obtained from unsuccessful job applicants should be deleted at the end of the recruitment process.
    If an HR team wants to hold onto the data for other purposes, they must expressly ask for the user’s permission. The company must also inform the user precisely how the data will be used, specifying if third parties will have access to it. When data is retained, it should be stored in an encrypted format to reduce the likelihood of a successful cyber security breach.
    The rules in the GDPR also apply to the employees in your business. If an employee leaves the business or is fired, the business can only keep a limited portion of their data.
  • Purpose limitation. HR professionals will only be able to request information from a client that is necessary for a specific purpose. Other types of data will require the explicit permission of an employee, business, or client.
  • Data should only be used for its intended purpose. Once the data is obtained from a client, it should only be used for the purpose that is explicitly mentioned. That means data obtained so a client could apply for a specific job should only be used for that purpose. It should not be shared with other companies or given to other potential employers. Once the recruitment process is over, the data should be deleted to ensure it is not misused.
  • Data security. All client information that your company handles should only be shared on a need to know basis. That means your staff should not be able to access a client’s records unless they are attempting to place that client into a job. If data is being processed or stored remotely, your company must take steps to ensure the third party has adequate security procedures. If you discover that a third party has mistakenly accessed or shared a client’s data, the client must be informed within 72 hours.
  • Transparency and accountability. Companies must share details of how they collect, process, and store each person’s data. The company must also make a person’s data available to them if they request it.

GDPR Awareness Training
The Information Commissioner's Office suggests that the first step for preparing a business for the GDPR is delivering GDPR awareness training. GDPR awareness training teaches employees how they should collect, handle, and process data. It teaches them about the concepts associated with the GDPR, including purpose limitation, data retention, and confidentiality.

Obtaining GDPR awareness training will help to prepare your HR team for these wide-reaching changes. Yellow Room Learning, a leading provider of Cyber Security, Data Privacy and GDPR Awareness Training, can help to bring your employees up to speed with their responsibilities under GDPR. Please contact Yellow Room Learning by email or phone 0800 292 2900 or get more information about GDPR from our website. 

  • Let us help you

    By registering your interest, we'll be equipped to help answer any questions you may have about the GDPR and provide further information about how it will affect your business

Do you want to join the conversation?

Sign up here
  • More on GDPR

    Visit our GDPR hub to access more information, guides and advice.