Author Profile Picture

Sue Lingard

Cezanne HR

Marketing Director

Read more about Sue Lingard

GDPR and HR one year on: three things you need to know


HR professionals have, on the whole, successfully jumped the hurdle of GDPR, but just as one challenge has been overcome, the prospect of a no deal Brexit raises more potential barriers that need to be addressed.

One year on from GDPR coming into effect, an impressive 95% of UK HR professionals feel confident in their compliance with the EU legislation, according to recent GDPR and HR research undertaken among teams in the UK.

This is a great result for HR departments who have had to focus on getting to grips with new or extended data security requirements.

It hasn’t been an easy journey, however, with 76% reporting that GDPR has imposed a significant burden on HR. It is evident that this will have been to the detriment of other activities.

With the majority (64%) also believing that data protection will get harder if the UK exits the EU, there are of course more clouds on the horizon.

So, what’s in store for HR teams, what do they need to keep in mind, and what can they do to reduce the extra compliance burden, especially as Brexit complexities threaten to up the ante on compliance challenges?

SARs and the wider workforce

The survey discovered that there has been a significant increase in subject access requests (SARs) since GDPR came into effect, with 76% of HR teams reporting this.

With better awareness of data rights (a shift that is positive) and high profile cases such as Uber hitting the headlines, it seems unlikely that the level of SARs is going to drop.

An SAR is referred to in the GDPR as a right of access to personal data.

It entitles an individual to be provided with the information an organisation holds about them and is part of the legislation’s wider focus on data visibility and transparency.

For HR teams, it means considering not just direct employees, but the wider workforce, including gig workers and ex-employees.

Providing self-service access to their personal data – as recommended by the ICO – is a step in the right direction.

HR teams should be extending secure access to their systems to their complete workforce, including gig workers and contractors.

Despite this the survey, which polled 250 UK HR professionals in May 2019, revealed that while an average of 68% of full-time employees had self-service access to personal records, only 13.2% of gig workers were given the same access.

With tighter response deadlines, it’s also the case that HR teams need to be prepared to effectively record SARs and then follow up in a timely way, regardless the status of their workers.

The Information Commissioner’s Office (ICO) has fined companies in the past for not responding to SARs within the right time frame, so HRs need to consider timeliness and easy access to this data.

Fines of up to €20 million, or 4% of a business’ annual global turnover in the preceding financial year (whichever is higher), could be imposed by the ICO for non-compliance with data subject access requests or other GDPR requirements. This legislation applies to non-EU workers too.

Be mindful that responding to a SAR is not as simple as just providing a report on all the personal data you hold.

HR teams also need an understanding of what they are legally obliged to provide, and familiarise themselves with the exemptions which means they may not have to comply with all the usual rights and obligations.

Brexit data uncertainty

The survey also showed that the vast majority of HR practitioners (88%) are confident in their understanding of GDPR legislation relating to the retention and deletion of data.

When asked if they knew the whereabouts of their data, 92% responded positively – and 86% percent said they hosted their HR data in within the UK.

As the research highlights, however, things could get a lot more complicated if the United Kingdom leaves the EEA without a deal.

For example, there might be issues if the UK has already signed into legislation whereby personal data can flow from the UK to Europe – but the reverse is not true.

This means that any organisation with operations in Europe may not be able to host this data in the UK until we have appropriate agreements/mechanisms in place.

Obviously, the hope is that common sense will prevail, but the Information Commissioner, Elizabeth Denham, has said that organisations cannot assume that this will be the case and transfers of personal data from the EEA to the UK could well be affected.

It means that, for many UK-based global companies, HR operations may have to be prepared to move the hosting of European data to Europe, and put new controls in place, even temporarily, to remain compliant.

Why you need to turn to technology

HR teams process huge amounts of personal data and are in the frontline when it comes to deciding what data to collect, how to manage and secure it, and who should have access.

The question is, therefore, how do teams keep up compliance in times of change, while reducing the admin burden so they can be getting on with more strategic work to support business growth objectives?

Firstly, with a requirement for transparency, and to ensure that information is accurate and put right when it is not, self-service goes a long way towards delivering on key requirements, while simultaneously freeing HR from the admin burden.

Times are uncertain, and changes to regulation unavoidable.

HR teams should be extending secure access to their systems to their complete workforce, including gig workers and contractors.

The survey also found that 52% of HR teams have to manage date deletion and anonymisation using manual or semi-manual processes, so it’s also clear that HR teams should be asking more of their HR suppliers

HR systems should be sophisticated enough to incorporate tools that let HR teams set up rules that automatically remove or anonymise data in line with different legislative requirements.

This removes a lot of the administrative burden from HR, and ensures that important compliance steps don’t get overlooked.

Finally, systems have a key role in centralising and digitising HR data, removing the need to secure and manage paper files, spreadsheets or emails trails (also covered by GDPR), and helping with a host of other GDPR compliance requirements, ranging from publishing privacy notices and enabling data portability to recording consent when required.  

UK businesses operating in the EEA should consider whether they need to take action now, as well as keeping in touch with changing potential no-deal guidelines.

Think about how you need to prepare for the possible outcomes and keep updated on ICO guidelines.

While alternative data transfer mechanisms exist, it can take time to put those arrangements in place, so it is worth considering those potential pathways now.

Times are uncertain, and changes to regulation unavoidable.

One thing is for sure though – compliance is only going to get more complex, so HR teams need to consider strategies now and on an ongoing basis to simplify and be prepared.

Please note: this article is based on our understanding of the requirements of GDPR and should not be relied upon as legal advice or to determine how GDPR might apply to you and your organisation. You should refer to the legislation and, if in doubt, work with a legally qualified professional to discuss GDPR, how it applies specifically to your organisation, and how best to ensure compliance.

Interested in this topic? Read GDPR: how HR can embrace it as a catalyst for positive change.

Author Profile Picture
Sue Lingard

Marketing Director

Read more from Sue Lingard

Get the latest from HRZone

Subscribe to expert insights on how to create a better workplace for both your business and its people.


Thank you.

Thank you! Your subscription has been confirmed. You'll hear from us soon.
Subscribe to HRZone's newsletter