HR Feeling the pressure as new GDPR regulation approaches

HR Departments must now change the way they work because of wide-sweeping data protection rules across the EU, warns Ardi Kolah LLM, Executive Fellow and Co-Director, GDPR Transition Programme.

According to UK Information Officer Elizabeth Denham, the EU General Data Protection Regulation (GDPR) has created more privacy considerations for organisations and has changed the entire ethos on data protection.

Despite Brexit, the UK Government has made a commitment to implement the GDPR that comes into full effect on 25 May next year. In fact, it has already been adopted in European law, and every organisation must be on a ‘compliance journey’ during the current transition period; with 16 months to go, the clock is counting down.

And one function where this will be most keenly felt is the HR department. The GDPR now regulates the way payroll information, employee details, people’s expenditures, medical records and other sensitive details are processed in the HR department.

It is the responsibility of every employer – a ‘data controller’ by definition of the GDPR – to keep all of this information secure and to ensure that employees’ rights are respected, with the risk of enforcement action and damaging publicity for those who get this stuff wrong.

Increased rights for employees are now a reality

The GDPR significantly enhances the rights of every employee in three key ways:

  • The employer must now provide more detailed information as to the purposes and means behind the processing of personal data.
  • Employees have a right of access to their own personal data.
  • Under the right to be forgotten (right of erasure), the employee will have a right to have personal data erased in certain cases – for example, when they leave employment.

It won’t be good enough for the employer to simply say it will abide by the GDPR. It will need to demonstrate compliance and, if required by the Supervisory Authority, verify that it has taken all the necessary technical and organisational measures; otherwise it should expect to receive a sanction, including a financial penalty.

Any wriggle room for the employer?

The GDPR has dramatically reduced wriggle room in order to bring a more consistent and harmonised approach to the processing of personal data across all 28 EU member states. Where a group of companies is established in several member states, the rules applicable to the processing of HR-related personal data will therefore be exactly the same.

The GDPR expressly provides a derogation (exception) for individual member states to implement more specific rules in respect of processing HR-related personal data.

What this means is that specific rules regarding the processing of personal data for the purposes of recruitment, performance of the employment contract, diversity, health and safety, etc. may still be adopted on a national law basis.

Articles 9(2)(b) and 88 of the GDPR provide that member states may create new laws or conclude collective agreements to ensure the protection of personal data in the context of national employment law. These must include appropriate safeguards, and member states must inform the European Commission of any laws adopted in this area.

But that doesn’t open the door for HR departments to carry on regardless of the new data protection rights under the GDPR. In fact, the reverse is true; organisations will need to exercise additional caution in member states that apply additional protections to the privacy rights of employees.

Our research at Henley Business School suggests that global companies will adopt a unified approach to the processing of personal data of employees irrespective of where they work in the EU.

Five-step action plan for 2017

  1. Appoint a data controller or data protection officer (DPO) or work with a managed DPO service that will quickly build relationships with the HR department and ensure that adequate awareness and training is commenced within the organisation.
  2. The DPO needs to carry out a DPIA-lite as discussed in a blog on LinkedIn. This will help to assess the current HR-related personal data and processing activities and identify any structural and operational risks now.
  3. Review all HR policies, processes and procedures, including the data privacy notice given to staff to ensure compliance with the GDPR and national member state laws across the EU. Ensure that all documentation provided to employees is in ordinary, intelligible language. As far as possible, seek to harmonise HR policies and procedures across the EU.
  4. Consider re-consent for processing personal data of employees and also review other lawful grounds for processing personal data of employees.
  5. Ensure that the DPO maintains their level of knowledge, skills and expertise in GDPR by ensuring they have a suitable training and development budget for themselves and those that they appoint to work alongside them.

To find out more about our benchmark GDPR Transition Programme, please visit

Ardi Kolah LLM can be contacted by email:

