GDPR for HR – Are you ready?

By February 21, 2018For Companies

On May 25th, the much anticipated GDPR comes into effect marking a host of changes to how we collect, store, manage, protect and dispose of data.

While there’s been much panicked discussion around crippling fines (up to €20 million or 4% of annual global turnover ) there’s been less about the changes that will incur these fines.

The new regulations place equal liability on the data controller and processor meaning companies could be liable for any data breach caused by third parties. In addition, the definition of personal data has broadened and individuals are now given the right of action against the data controller and processor without having to show financial loss incurred – stress or anxiety are now viable reasons for financial claim. 

Aimee O’Mahony, Jobbio’s Human Resource and Talent Manager talks us through the impact on HR departments and how to ensure you’re compliant.

“HR professionals are generally data protectors by nature and all personal data is stored securely either password protected or under lock and key- so what is new for us under GDPR?  These are a few headlines to consider:


The conditions for consent have been strengthened.  You need the data subject (that’s the employees for us) to give consent for the processing of data and processing is essentially doing anything with the data including storage.  You need to have a purpose for the processing so consider this when you seek personal data to begin with. Each time you request information ask yourself why it’s necessary and how you’ll securely store it.  Also with GDPR, consent can be withdrawn at any time by the employee so you’ll also require processes around safe data disposal. 

Right to Access

An employee can request all personal data held to be furnished to them free of charge within 30 days of the request.

Demonstrate compliance

Under GDPR, you need to show compliance as well as complying. The onus of proof is on you. This means creating policies and processes in line with GDPR. Review your current practices and develop a data protection policy that ensures you’re adhering to the new regulations. 

What do you need to do?

Start with data discovery: 

  • What type of data do I collect?
  • Where do I store it?
  • How do I delete it?
  • How long do I retain it?
  • How do I process it?
  • Who do I share it with?

If it is not stored correctly already, get your data storage in order and ensure only data with a purpose is kept. Keeping the employee’s right to access in mind at all times, move to processes that make data minimisation your best friend.

Build robust policies that demonstrate you are compliant and then educate the organisation on these policies.  On consent, if the contract of employment doesn’t state clearly and unambiguously the reasons for data processing, seek consent again.  More information on


Enjoyed this article? Subscribe to our blog.

Author Aoife Geary

Aoife Geary is the Content Editor at Jobbio specialising in the areas of Workplace Culture, Diversity, Startups and Digital Trends. She's partial to a burrito, a bad pun and living way beyond her means.

More posts by Aoife Geary

Leave a Reply