GDPR for HR departments: questions and answers by Reward Strategy and Helen Farr

June 7, 2017

Speaking to Reward Strategy, partner Helen Farr answers questions about the impact GDPR will have on HR departments when it comes into force on 25 May 2018. Read our Top tips for HR on GDPR here.

Reward Strategy: In your view, how onerous will compliance with the incoming GDPR regime be for HR departments?

Helen Farr: While the GDPR builds on many of the principles of the Data Protection Act 1998 (DPA), there are new elements, as well as some practices which will need to be done differently. Penalties for non-compliance with the GDPR will also be much higher with fines set at the greater of 20 million euros or 4% of global turnover, so it is important to get it right.

The impact of this cocktail of change will be a lot of work for HR departments. As a minimum, we expect HR teams to be responsible for undertaking the following:

  • a data inventory and mapping exercise to understand what data they have, how it is used and what third parties are involved in processing;
  • a gap analysis to work out what compliance steps are needed;
  • a review of privacy policies, data retention policies and incident response plans;
  • drafting revised staff data protection policies and communications monitoring policies;
  • a review of recruitment and selection processes and the use of data in these processes;
  • a review of contracts of employment and policies and how the business uses employee data;
  • a data privacy impact assessment;
  • training staff on data protection;
  • if the business has global offices and personal data is commonly sent internationally these processes will need review.

RS: What is the likely profile of a data controller/data protection officer (DPO) and will the necessary skill sets already reside in the organisation – for instance, in the HR or payroll function?

HF: Some companies will have employees working in HR or payroll with the right skills to undertake the role of data controller or DPO but this will not be the case for all.

A DPO is a new legal requirement and must be appointed by businesses who:

  • are a public body;
  • carry out regular and systematic monitoring of individuals on a large scale; or
  • carry out large-scale processing of special categories of data or data relating to criminal convictions.

The DPO will be the first point of contact, internally and externally, in respect of data protection matters. A DPO is expected to have professional experience and expert knowledge of data protection law, and must have adequate resources to do the job and report to the board on data protection issues. Therefore, organisations should consider whether they currently have a member of staff who has such expertise or if an individual has the ability, interest and skill sets to acquire such knowledge.

It will be very difficult for a current member of staff to perform the DPO role adequately in addition to his or her existing duties. Assuming there is someone with the right skills and experience to do the job within the organisation we anticipate that for most businesses this will become a new fulltime and dedicated role which will bring with it significant responsibility.

RS: Is it yet another factor that will force organisations to outsource?

HF: Not necessarily. The GDPR places new obligations on external service providers engaged by an employer, such as providers to whom some employers may outsource their payroll function. So in an outsourcing situation, the external service provider would be required to, among other things, maintain records of personal data and implement appropriate security measures.

RS: What best practice processes will HR and payroll have to put in place to get their house in order?

HF: In many organisations, HR is taking the lead in managing the process of preparing for the introduction of the GDPR. In particular, HR should be:

  • reviewing policies and procedures currently in place and considering how they will need to be amended going forward, including data protection policies, communications monitoring, recruitment and selection;
  • amending data protection clauses in employment contracts;
  • providing training on data protection to the workforce;
  • considering the impact of transferring data overseas; and
  • looking at how data subject access requests will need to be dealt with.

RS: Where are the biggest challenges likely to be?

HF: The biggest challenge will be making sure that organisations don’t leave it too late to get to grips with the GDPR.

HR teams will also need to get the support of colleagues in legal, compliance and commercial teams with responsibility for dealing with the other data that is processed within their organisation. Data protection is a team sport. Employers should not underestimate the scale of the task ahead, as there is a lot to do to achieve compliance by May 2018. The key message is take action now, consider how the GDPR is likely to impact on your organisation and take advice from your legal and compliance advisers if needed.

RS: How will employers have to demonstrate compliance?

HF: Although there is an existing duty under the DPA for an employer to comply with data protection principles, employers will have to demonstrate compliance under the GDPR.

In practice, this means that, as a minimum, employers have to maintain adequate records of the data they are processing. They will also need to have data protection policies in place that show the processing of employees’ personal data is performed in compliance with the GDPR. Employers will also need to be able to show they have implemented such policies, for example through staff training and audits.

If things go wrong and there is a personal data breach (meaning a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to personal data) the GDPR introduces a legal requirement to report this. The GDPR requires businesses to notify the Information Commissioner’s Office (ICO) of a data breach without undue delay and within 72 hours (unless the data breach is unlikely to result in risk to the individual).

If the breach is likely to result in high risk to the individual, businesses must also inform data subjects “without undue delay” unless an exception applies. There is also a new requirement to keep an internal breach register.

In conclusion, it is important to have in place the right procedures to detect, report and investigate a personal data breach. It is also best practice to develop an incident response plan for managing data breaches.

There is much at stake. Failure to report a breach when required to do so could result in a fi ne – as well as a fi ne for the breach itself.

Related pages:

Employment law team more

General Data Protection Regulation (GDPR) more

icons Addthis Print Contact Register


tel: +44 (0) 20 7628 2000
10 Finsbury Square, London, EC2A 1AF
View map

For more information


Helen Farr
Direct dial: +44 (0)20 7614 2623


  • Top Ranked Chambers UK 2014 - Leading Firm
  • Ranked in Chambers Europe 2013 - Leading Individual
  • Ranked in Chambers Global 2014 - Leading Firm
  • Legal 500 - Leading Firm
  • The Lawyer UK 200 - Listed Firm
  • The Law Society Excellence Awards 2012 - Shortlisted
  • Investors in People - Bronze