22 October 2020

GDPR – is your organisation getting complacent?

The recent high-profile GDPR case around the H&M Group highlights the need for greater transparency around employee data and poses the question — are HR teams equipped to deal with all the legislative requirements?


Bogdan Tiganov


Bogdan Tiganov was head of content at Ciphr from October 2020 to September 2021. He specialised in content related to HR systems and HR software.



Before the implementation of the General Data Protection Regulation (GDPR) on 25 May 2018, once an organisation captured your personal data, such as contact details, they could pretty much do what they wanted with that information without consequences. The GDPR was introduced to standardise data protection and give people more control over their data, including employee data.

In 2017 and early 2018, organisations – including their HR teams – put in place comprehensive compliance programmes, working through exhaustive requirements. Everything simply had to be ready by 25 May 2018, or organisations risked a fine of up to 4% of their annual worldwide turnover.

Since the GDPR was rolled out, numerous companies have paid enormous fines for data breaches and for not fully complying with the GDPR. British Airways’ data breach, for example, cost it £20m, and Google was fined €50m in 2019 because it refused to fully disclose how personal data was used.

Now, as reported by the BBC, the H&M Group was recently fined €35.3m (£32.1m) for keeping sensitive information about employees on file – from where they went on holiday to family problems – and making it available for managers to use in employment-related decisions.

Piers Dryden, partner and head of the technology sector at law firm Brabners, said: “The regulator is clearly using H&M to send out a message. Such a big fine against a big-name brand is a statement of intent that GDPR will come down hard on businesses that flout the data rights of their employees.”

With the end of the transition period for the UK leaving the EU looming large on 31 December 2020, is it time to re-evaluate your GDPR compliance processes?

From 1 January 2021, the ‘UK GDPR’ will essentially be a renaming of the same set of laws. This consists of the Data Protection Act 2018, merged with the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, which requires the UK to continue to comply with GDPR legislation post-Brexit.

As outlined in this guidance document from the government, if you intend to receive or store personal data from EU members after 1 January 2021, you may need to have Standard Contractual Clauses (SCC) in place. This means multinational organisations will need to be especially careful when dealing with employee data from EU countries, ensuring that conditions are stated clearly and signed. The Information Commissioner’s Office (ICO) recommends that organisations take stock of personal data, so you can tell which data was acquired before and after the transition ends.

There is also a question of the unresolved data adequacy decision. Data adequacy is a status that allows personal data to be exchanged, without safeguards, with countries outside the EEA. Presently, both the EU and the UK are hoping this will be complete before the end of the transition period. If a decision is not made, you may need to look at implementing additional safeguarding to continue processing EU employee data.

A summary of the GDPR’s requirements

It’s important to reacquaint yourself with the original GDPR requirements as these will remain the same for ‘UK GDPR’ after the UK leaves the EU.

Consider the following lawful bases when you’re collecting, storing and processing personal data:

Consent: the individual has given you clear consent to process their personal data for a specific purpose. In this case, it would be for employment, to run any necessary background checks, and for payment purposes.

Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. This is also applicable when you’re processing employment contracts.

Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. One to take into account when you’re dealing with jobs in the public sector.

Individuals, meanwhile, have the right to the following:

  1. The right to be informed – you’ll need to communicate any changes to policies
  2. The right of access – you’ll need to provide easy access to their personal data
  3. The right to rectification – you’ll need to enable them to self-serve
  4. The right to erasure – you’ll need to give them the option to delete their records
  5. The right to restrict processing – you’ll need to offer them flexibility over how their data is used
  6. The right to data portability – you’ll need to provide ways for them to reuse their data across different systems
  7. The right to object – you need to give them the ability to object
  8. Rights in relation to automated decision making and profiling – you’ll need to consider this when implementing automation in your data processing

It’s worth taking another look at your processes to see whether you are fully compliant. Read our comprehensive GDPR guide for a more in-depth breakdown of how the GDPR impacts both organisations and individuals.

Turn to specialist HR software to help with GDPR compliance

Compliance with high-impact legislation such as the GDPR can be a huge project. As your organisation expands, you’ll find the task growing exponentially in complexity. If you’re relying on manual processes, spreadsheets, and paper filing systems, you’ll find it even more difficult to follow through on all GDPR compliance requirements.

Specialist HR software makes compliance easier to achieve, and implement, with tools such as dedicated GDPR dashboards. Ciphr HR’s GDPR dashboard, for instance, enables you to tell, at a glance, whether a staff member has left so you can delete or anonymise their records. This removes the need to manually sift through data to find records that you need to alter. The dashboard also helps you report on the status of employee records, enabling you to easily identify which records require action.

Other features in Ciphr HR that can help with GDPR compliance include:

Policy acceptance function – keep staff informed with your latest policies, including must-know GDPR information linked to personal data

Define data retention periods – set on the system how long data is retained for staff and volunteers leaving your organisation: 30, 60, 90 days, or longer

Self-service – empower your employees to see what data you store about them by being able to access Ciphr HR any time to view and update their personal information

If you’re looking to streamline your processes and enlist specialist HR technology to help with GDPR compliance, read our guide to discover how Ciphr can help.