Time to look at your HR policies


By Kimberley Barrett-St Vall, employment and HR partner at Napthens Solicitors.

The EU’s General Data Protection Regulation (GDPR) will make changes to the Data Protection Act 1998. Breaching the GDPR can attract significant fines of up to €20m or 4 per cent of global turnover.

Businesses will benefit from adopting a holistic approach to GDPR compliance across their entire organisation, factoring in IT systems, cyber security, marketing as well as HR and employment law issues.

In this article I’m taking a closer look at the part HR will have to play in GDPR compliance:


Under the GDPR your business will be obliged to provide greater detail to candidates, setting out:

  • details of the data controller
  • the category of data being processed
  • the legal basis of processing
  • the recipient
  • the processor’s details
  • if the data is to be transferred outside the EEA
  • the consequences for the employee of not providing the information on the contract

If as part of your recruitment process your business uses any form of profiling, candidates must be made aware of this and its consequences.

Employers should only collect the minimum amount of information for a specific purpose and ensure the data is stored for no longer than necessary. Access should be restricted to what is necessary.

Processing Employee Data

It is common practice for employers to use the employee’s consent as the basis of processing personal data.  Even prior to the GDPR this approach was criticised, as it is questionable whether consent can be given “freely in an informed fashion and specific and explicit”, given it is often conditional on the offer of employment.

Going forward you should rely on the legal basis for processing employee personal data.  Businesses must ensure processing is based on one of the following:

  1. for compliance with a legal obligation, e.g. payroll processing data to ensure the employee is paid
  2. for the performance of a contract e.g. processing data in the context of healthcare insurance provision
  3. based on a legitimate interest of the employer (or third party processor)

Data Subject Access Request

Post May 2018 there will be no fee to pay if employees make a data subject access request and requests must be dealt with in 30 days (currently 40).  There is likely to be an increase in requests and it is important you understand how to handle these requests efficiently.

The GDPR is clear – it requires employers to demonstrate compliance. I suggest this involves more than a tickbox exercise and rather a change in culture with a commitment to embrace the GDPR.  Given your Data Protection Officer cannot be everywhere at all times, cascading understanding and awareness through new policies and procedures and support through training for your employees will be vital.
