GDPR and HR: what must be done to fulfil the new regulation?

Posted by media on April 17, 2018 at 9:00 AM


The General Data Protection Regulation establishes radical changes in the way in which organisations manage clients or users’ personal data. Obviously, this has a big impact on the HR departments because, from the moment in which a candidate first arrives at an interview to when they leave the company, a multitude of data is collected on that person.

In this brief post, we offer a general vision of how the GDPR will affect HR professionals.

This post is also available in Spanish.


What is the GDPR?

The GDPR is the EU's new Data Protection Regulation, which will replace the current Data Protection Directive. The objective of the new regulation is to standardise and strengthen the rights of European citizens over their data. This means that any organisation that handles the personal data of EU residents must comply with the new standards on transparency, security and, above all, accountability.


The GDPR will be in full force as of 25th May 2018. The UK government has confirmed that the new regulation will apply there too.

GDPR: all of the HR departments process personal data

As we have just mentioned, the General Data Protection Regulation (GDPR) is the latest European effort to grant people greater rights and to increase the organisational obligations of companies that have access to personal data.

Many companies are focusing their efforts on fulfilling the new demands. In order to do so, they are reviewing their processes and systems in order to ensure that they cover the principles, rights and obligations. However, we must take into account that the new legislation also affects the data that companies have on their employees.

Think about the amount of information that HR departments process each day: names, surnames, dates of birth, bank accounts, CVs, addresses, telephone numbers, photos, email addresses, etc. Having access to this large amount of valuable personal data also carries the responsibility of guaranteeing that it is handled safely and lawfully.

This responsibility will be demanded from both employers (data controllers) and HR professionals (processors).



Main doubts of HR professionals about GDPR

Must I gain consent from an employee to retain personal data?

Recital 40 of the GDPR establishes that, for the processing of personal data to be lawful, it must be carried out with the consent of the data subject or on another legitimate basis established by law.

For employee personal data that is essential to the contractual relationship managed by HR, such as name, CV, bank account, etc., the processing has a legal basis: it is necessary for the performance of the employment contract or for complying with specific legal obligations in employment matters.

In other cases, such as the processing of more sensitive or confidential data, the worker's express consent will be required as the legal basis for the company to process it.

It must also be taken into account that the GDPR establishes that data subjects have the right to withdraw consent at any time; the only limit is any legal obligation the company must meet that prevents the data from being deleted.

More information > GDPR: what solutions do we provide for lawfully obtaining consent?

What responsibilities concerning security must I fulfil from HR?

Under the GDPR, any personal data breach must be notified to the competent Data Protection Authority within 72 hours.

This means that HR must review its current mechanisms for reporting data breaches. Employees who could be harmed by a breach must also be notified "without undue delay".

It is therefore important to review your security provisions and prevent any potential problems that could arise from the way in which data is stored.

Also, depending on the type and volume of data being processed, it can be mandatory to appoint a Data Protection Officer (DPO) who, among other things, supervises data processing activities within the organisation.


What are my employees’ rights under GDPR?

Employees can find out which personal data relating to HR is being processed within the company, why it is being processed and where it is processed. The HR department must also provide them, on request, with a free copy of all the data it holds on them, so it must have a system that allows this information to be located easily.

Ultimately, the new legislation is designed to grant people the right to access, correct and delete the information that concerns them. Therefore, your employees will have the right to greater transparency with regard to their personal data and your reasons for keeping it.

What basic steps must I take?

  1. Review the data protection processes and procedures and identify any areas of concern. Part of this process is creating an inventory of all the personal data that you hold and assessing the reasons for retaining it.
  1. Inform your team of the new rules and their rights. This will make it easier to obtain the consent you need for processing certain data.
  1. Ensure that there is complete transparency over the nature of HR's data processing in terms of the data used, the purposes for which it is used and where it is processed.
  1. When consent is relied on to legitimise HR's data processing, you must know how it has been recorded so that you can prove it when the time comes.
  1. If subcontracting or sub-processing is used (for instance, in the cloud), the company must choose a supplier that offers suitable guarantees regarding data security.



What will happen if I don’t fulfil these new regulations?

Put simply, organisations that do not fulfil their obligations will face heavy sanctions. Your company could receive a fine of up to 4% of its total annual turnover or €20 million for a severe breach, such as not having obtained the express consent of data subjects for processing their data.

In turn, a 2% fine applies to minor infractions such as not keeping your records in order, not notifying a security breach or not carrying out impact assessments.


Will all of the member states address employment data in the same way?

Although the GDPR pursues alignment among all the countries, it allows certain freedom of interpretation or internal adaptation on specific subjects, for example with regard to the data of minors and art. 88, "processing of employees' personal data".

This article recognises that national laws or collective agreements in the member states may lay down specific rules on how this employee personal data is processed, rather than on how it is protected.

We will see to what extent the member states exercise these overriding powers to reflect their current practices or to strengthen the protection of employee personal data.



There isn't long left until 25th May, and it is important that the company's planning takes into account the processing of employee personal data carried out by HR. It is important to start preparing a secure system now that will allow you to adopt a transparent, lawful approach to it.

You can also download the guide that you will find below where we explain our services in more detail, get in contact with us by email: or call us on 93 551 14 80.
