Are HR managers compliant with GDPR regulations?

By Anthony Wolny | 2nd April 2019 | 10 min read

It’s been 11 months since the GDPR came into force, and despite nationwide campaigns by the ICO and institutions such as the CIPD pushing the need for compliance, many companies are still struggling to understand exactly how the regulations apply to their day-to-day operations.

Recent surveys have shown that as many as a third of UK HR teams admit to breaching GDPR by failing to delete personal information about candidates and ex-employees in a timely fashion. Confusingly, 87 percent of the same sample stated that they were confident their HR processes were fully compliant, even though only 31 percent agreed that they had followed the ICO’s key recommendations for GDPR compliance.

If you’re still a little unsure which areas HR needs to be vigilant about under GDPR, we’ve put together a short guide below to the main obligations and the practical steps that help you stay data smart and secure:

How does GDPR affect your HR policies?

Data retention and disposal

Your business must be able to demonstrate that it holds only the employee data it actually needs, and only for as long as it needs it. Two of GDPR’s core principles apply here. ‘Data minimisation’ means the personal data you collect must be adequate, relevant and limited to what is necessary for the purpose, for example what is needed for an employee to carry out their role and for you to manage their employment. ‘Storage limitation’ means that data must not be kept in a form that identifies the individual for longer than is necessary for that purpose.

Your organisation should set strict guidelines on the retention periods that apply to each category of employee and HR record, and HR should be able to point to the reason behind each period. For example, you may decide that certain information about ex-employees should be deleted 6 or 12 months after they leave. Bear in mind that other legislation sets minimum retention periods (payroll records, for instance, must be kept for HMRC for several years after the tax year to which they relate), so a retention schedule has to reconcile GDPR’s ‘no longer than necessary’ with those statutory minimums rather than simply deleting as early as possible. Your wider workplace policy should also describe the measures taken to keep sensitive data secure during its retention period, and how data will be disposed of once it is no longer required.

The right to be informed

Your employees have the right to be informed about what personal data your business records and stores, how it is processed, for what purpose and on what lawful basis, how long it will be kept, and what rights they have in relation to that processing. As an HR manager and a figure of authority, you should also remind employees that their right to privacy will be respected at all times, and give them a private channel through which to raise any concerns they may have about how their personal data is handled.

Managing all personal data fairly and sensitively, and being open and transparent with employees about the entire data process, is a key way in which HR teams can make GDPR more accessible to the average employee.

Subject access requests

All employees have the right to make a ‘subject access request’ to their employer. As ‘data subjects’, they are entitled to find out exactly what personal data their employer holds about them, whether on company systems or in paper files. A request does not have to use a particular form or even be made in writing, so HR staff need to recognise one when it arrives by email, letter or in conversation.

As an HR manager, you may be expected to act as the intermediary in this scenario, making staff aware of the time period for responding to requests (one month from receipt, extendable by a further two months where requests are complex or numerous, provided the employee is told of the extension within the first month), the information that your business must provide in response (a copy of the data together with the purposes of processing, the recipients, the retention period and the source of the data), and the extent of the search that will be undertaken on their behalf.

Data breach reporting

In many businesses, HR managers take on the responsibility for informing staff about the process their business must follow in the event of a personal data breach. Ideally, this should be a complete plan that follows the guidelines set out by the Information Commissioner’s Office (ICO), and gives employees a clear breakdown of the breach reporting timelines.

This includes the requirement to notify the ICO (the UK’s supervisory authority) within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals’ rights and freedoms, and to tell the affected individuals without undue delay where that risk is high. Because the 72-hour clock starts when the business becomes aware of the breach, the plan should also name the internal contact that staff must alert immediately when they suspect one, so that no time is lost before the report is made.

Legitimate Interests

With many employees now aware of their right to submit a subject access request, some companies have decided to confront any questions about data processing head on by introducing a ‘legitimate interests’ policy. This kind of policy aims to give staff an overview of the situations in which the business has a valid reason for processing their personal data. Note, however, that ‘legitimate interests’ is only one of the lawful bases in Article 6 of GDPR. Much routine HR processing rests on a different basis: paying salaries, for example, requires bank details, but that processing is necessary to perform the employment contract rather than a matter of legitimate interests. Special category data (such as health or trade union membership) additionally needs a condition under Article 9 whichever Article 6 basis applies.

The main focus of any such policy should be complete transparency and honesty about the reasons why employee data may need to be processed, and the lawful basis relied on for each. As HR manager, you may be well placed to lead a session with directors and senior management to put a list of those processing activities together for this kind of policy.

Do you need a data protection officer?

Article 37 of GDPR requires you to appoint a data protection officer only if you are a public authority, or if your core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special category data. Most employers fall outside these criteria, but you still need someone with clear responsibility for data protection compliance, and you can appoint a DPO voluntarily.

Quick-fire areas to consider:

  • Recruitment: Do applicants for roles in your business receive a privacy notice explaining what data is collected, why, how it will be used and for how long it will be kept? Is the data that is collected absolutely necessary?
  • Impact Assessment: Does your business have procedures in place to review the impact that new projects or activities could have on your existing data security and privacy setup, including a data protection impact assessment where the processing is likely to be high risk?
  • Data Retention: In line with the data minimisation principle, assess whether any data you currently hold on file could be disposed of. Are you unnecessarily holding on to ex-employee data?
  • Third Parties: Does your business routinely work with third parties or hold partnerships with external businesses? If you regularly share personal data with them, check their own GDPR compliance, and where they process data on your behalf make sure a written contract covering that processing is in place, as Article 28 requires.

In a post-GDPR world, with strict new controls on personal data forming an entirely new regulatory environment, it is vital that HR managers fully embrace the concepts of data protection and privacy. Increasingly, you may find that you act as an intermediary between the wider employee cohort and senior management, treading a fine line between respecting employee privacy and processing the data that your business needs to function successfully.