
A practical guide to issues all businesses should check to ensure HR processes are GDPR compliant

Posted: 30th March 2018

Managing employee data and implementing staff training on how to handle personal data to ensure your organisation is GDPR compliant will be a crucial task for HR professionals.

The new data protection rules are due on 25 May and HR teams in businesses and other types of organisations, including charities, have little time to get up to speed on their new obligations. Breaches could expose you to fines and reputational risk.

The new law – the General Data Protection Regulation, or GDPR – involves two tasks for HR teams. Firstly, dealing with data they hold on employees. Secondly, training staff to correctly handle data on customers, suppliers and other business contacts.

Know your data

HR departments generally know what data they hold on people, have rules for managing it, and know how to access it. Therefore, auditing the personal and sensitive personal data they handle may be an easier task for HR than for other teams.

In our experience, an area where HR teams have a significant GDPR compliance challenge is their “lawful basis” for holding personal data.

Under the current rules, employers commonly rely on employees’ consent to handle data – often via a consent clause in their contract. Under GDPR, this is unlikely to be sufficient, and they’ll need to establish new grounds for handling it.

Generally, organisations will easily establish an alternative lawful basis for holding employee personal data – for example, to meet their legitimate needs as employer. But they need to review contracts, see if they’re relying on consent and, if so, identify a different lawful basis and update the contracts.

Personal data held on job applicants will also need to be audited – remembering that the lawful basis for holding applicants’ data is not going to be the same as it is for current employees.

For former employees, HR teams should audit what data they hold, looking at their basis for holding it, how it is held, and crucially, for how long.

Staff should be updated on changes to data protection policies – not just to assure them about HR compliance with the GDPR, but to bring them up to speed on their responsibilities when handling other people’s data on behalf of the business.

Dealing with requests and breaches

Another challenge for organisations and charities is going to be the expected spike in “subject access requests” (individuals requesting to know what data is held on them) from 25 May onwards. We recommend developing pro forma responses to streamline the process.

Another process to develop is how to monitor compliance with the new law and report breaches to the regulator (which will be compulsory within 72 hours of an organisation discovering a breach).

There’s clearly a lot to do here, but there’s plenty of help available – from online guides to tailored advice on exactly what approach to the new law would work best for your organisation.

We advise most companies to designate a data protection manager – even if a formal data protection officer is not required – someone to drive audits and reviews, galvanise everyone into compliance, and identify what outside help might be useful.

You can also refer to this useful checklist.

This task may be daunting for anyone, but businesses will generally benefit from understanding and managing data better, and it will help to safeguard crucial relationships with staff, customers, contractors and other stakeholders.

Kate Wyatt

Lindsays’ Employment law team
