GDPR – Lawful Processing of HR Data

TL;DR: There are some key tasks that should be undertaken: review current systems and vendors, and gain express opt-in from employees.

GDPR is a hot topic right now, with the legislation set to give individuals control of their personal data. The General Data Protection Regulation was published in January 2012 by the European Commission and will be enforceable from 25 May 2018. HR is one area in particular that holds a large amount of personal data within its systems, such as employee age, gender, salary and address, and the list goes on. Within this blog we are going to address some of the key questions HR teams will likely be wanting answers to.

Why was GDPR drafted?

There are two primary reasons for the new legislation:

  • The EU wants to provide people with more control over their own personal data. This is significant as it comes at a time when the digital economy is growing rapidly.

  • The EU would like to give businesses a more straightforward legal environment to operate within. At present, data protection laws are not unified throughout the EU, which can make doing business complex.

Who and what does the legislation apply to?

It applies to controllers and processors of data. A controller sets out how and why personal data is processed. The processor is the party that processes the data on the controller's behalf. The legislation reaches beyond the EU, as it applies to organisations in any country that handle, or contract with another firm to handle, an EU citizen's personal data.
It is fairly easy to think of key pieces of personal data; I already mentioned a few in the introduction. However, the breadth of information collected by HR teams is expanding. There may be, for example, a number of online identifiers such as LinkedIn and Facebook profiles.

What is lawful processing of personal data?

The controller has responsibility for ensuring that data is processed ‘lawfully’. Processing is lawful when at least one of the following conditions is met:

  • The individual has provided consent for their personal data to be processed.

  • The processing is required to fulfil a contract or a legal obligation.

  • The personal data being processed is in the public interest.

  • It is in the controller’s legitimate interest.

  • It is essential for the life of the subject.

One of these conditions must apply for the processing of data to be lawful under GDPR.


Consent must be active. This is probably the most vital change under GDPR, as it stops passive opt out. In simple terms, it is not sufficient to not tick a box for an individual to opt in. Therefore express consent must be sought.

What should HR teams be doing?

Whilst the changes under GDPR are wide-ranging, there are some key tasks that should be undertaken to ensure compliance:

  • Review the current HR systems and work out what data is being stored, why, and for how long. Look at employment contracts, handbooks and employment policies. Gain full transparency of all data currently being held and the purpose for which it is held.

  • Set up a system to gain express opt-in from employees.

  • Ensure the vendors you work with (for example software vendors) are GDPR compliant, and that the contract you have in place with them secures their commitment to compliance.

  • Assess which employees will need GDPR training. Those who handle personal data within their roles are the likely candidates.

In Summary

This is an important piece of legislation which will transform the way in which businesses handle data, and we specifically expect HR teams to have a substantial role to play in ensuring compliance. The penalties for non-compliance are significant: up to the greater of 20 million Euros or 4% of global annual turnover. It is therefore unsurprising that there has been such widespread conversation about this legislation, and we expect that to continue after 25 May as businesses begin to put their new policies, processes and procedures live.