GDPR in the workplace: Everything you need to know

The GDPR – or General Data Protection Regulation – is the gold standard of data privacy and security laws. It applies to any business that handles the data of any EU resident, not only those operating in the EU. 

The GDPR contains an array of legal terms, but here are five of the most important ones. 

1. Personal data: Any information that relates to an individual that can directly or indirectly identify them. 

2. Data processing: Any action performed on data, including collecting, recording, organising, storing and erasing it.

3. Data subject: The person whose data is processed, such as an employee.

4. Data controller: The person or entity responsible for how and why data will be processed.

5. Data processor: A third party that processes data on your behalf, such as Google or Microsoft – or an HR tool such as Personio.

Article 5 of the GDPR, sets out the principles for processing personal data. When it comes to your employees, their personal data must be:

• Processed lawfully, fairly and transparently. You need to request your employees’ permission to process their data and tell them what you’ll do with it.

• Collected for specific, explicit and legitimate purposes. You can’t process information for any reasons you haven’t specified.

• Adequate, relevant and limited to what is necessary. Don’t collect and process more data than you need to. For example, you probably don’t need to know your employees’ children’s names.

• Accurate and kept up to date. If any data subject’s information is incorrect, it must be fixed as soon as possible. 

• Kept only for as long as is necessary. It can only be kept for longer than this if it’s in the public interest, or for scientific, historical research or statistical purposes, in accordance with Article 89.

• Processed in a way that ensures the data is protected against unauthorised and unlawful processing. You should also not accidentally lose employee data, or destroy or damage it.

The details about what information you collect, why and how you process it, and how your employees can access or modify it should be laid out in a data protection policy (also known as a document retention policy or a records management policy).

Processing employee data – and, usually, a huge amount of it – is part and parcel of running a business. HR teams in particular handle the sensitive personal data of employees every day, whether it’s through onboarding new people or reviewing performance bonuses.

Under the GDPR, all organisations that handle the data of employees who live and work in the EU must comply with the regulation, even if the main business operations are carried out in another country or region.

As a result, everyone on your HR team needs to be aware of what type of employee personal data they’re allowed to share and with whom. Not everyone in the organisation has the right to access or process the information of employees.

When obtaining an employee’s data, you need to get their consent, so that you can process their data lawfully. According to Moore Barlow Attorneys, this kind of processing would include: 

• Performing the duties laid out in a data subject’s employment contract

• Complying with the legal obligation to report employee salaries (e.g. to HM Revenue & Customs (HMRC) for UK-based organisations)

• Protecting the vital interests of a data subject in matters of life and death

• Tasks carried out in the public interest (most relevant to public authorities)

You also need a data controller who must be able to prove compliance with the Article 5 data protection principles. It’s a good idea for this person to ensure that certain data protection-related clauses are included in contracts and that employees receive training about processing data. 

The GDPR sets out stringent requirements for any business that handles the personal information of EU residents. Having employee’s data on hand is important, but can create challenges if:

• You don’t have legal professionals on your team. For companies that are smaller, there might not be resources available to employ a legal professional who is well-versed in the GDPR.

• Employees are joining or leaving your organisation frequently. What information do you collect when an employee joins? What data do you destroy when they leave? And when do you destroy it?

• Employees are unaware of the regulations. All employees, whether in HR or not, need to know their own and others’ rights around their personal data.

It can be difficult for companies to know exactly how to comply with the GDPR, especially those that don’t have a data protection officer. Fortunately, you can follow the five steps below to help ensure that your organisation adheres to the various rules.

The GDPR might be sizable, but its provisions are laid down as simply as possible so that everyone can understand them. It’s important for all employees, particularly those in HR, to know how it works and their obligations — even if you have an expert on your team. 

Take time to figure out which provisions of the GDPR are applicable to your business (you’re making a great start by reading this article) and give them a thorough read. You can also make use of resources like the GDPR website.

Your company’s data controller will be responsible for developing the compliance framework. This might be the owner of the business or someone else appointed to the position. 

This individual should create a comprehensive compliance framework that clearly defines how the company will process, store and otherwise handle employee information, and what tools and programs they’ll use to do this. 

Compliance is a team effort. Your data controller and data protection officer (if you have one) are the people who are closest to your company’s compliance efforts, but they aren’t the only ones who need to know about the GDPR and its requirements.

You need to educate all employees about how they must handle other employees’ data. For example, you could send out a document that includes the basics of the data protection law and then quiz employees about it to test their competency. 

HR compliance software can relieve the stress of staying GDPR-compliant. It can streamline all data compliance processes across the employee lifecycle and help you stay ahead of regulatory compliance changes. 

This software helps you ensure that your employees’ digital records are accurate, up to date and that their safety and security is ironclad. For example, Personio centralises employee information in digital personnel files, making it easy to locate, access and secure this data.

Part of data protection legislation is to maintain clean, compliant and accurate records. That’s why it’s vital that your HR department conducts internal audits regularly to ensure your organisation is GDPR-compliant. 

If your team finds that data isn’t being processed properly, they should first fix the issue and then adjust their strategies to ensure that the problem doesn’t crop up again.

Sensitive data passes through HR departments on a daily basis, which can make complying with GDPR in the workplace tricky. This is why it’s so important to have a framework that helps you to handle data appropriately. 

Personio makes it easy for businesses to get and stay GDPR-compliant. When you use it, your company data is organised and stored in a structured format. You can easily set access rights according to user roles, including administrators, account owners and contract owners. 

Personio’s recruitment software also helps you to implement a GDPR-compliant data privacy statement on your careers page to make candidates aware of their rights, what data you will process and how. Plus, you can also anonymise candidate data, further protecting their data. 

Our HR management system enables you to keep all of your HR data secure and accessible in a clear, organised database that will save you time and help you meet all of the requirements of the GDPR for your workplace.

Discover secure HR software that helps you stay compliant

Personio’s specialised platform protects HR and employee data – keeping you compliant with the GDPR.

Learn more

The GDPR governs what data a company can collect about its employees and what it’s allowed to do with that data. Article 5 is particularly important for companies. It lays down seven important GDPR requirements. 

Article 5 sets out seven key principles around processing personal data. These are: 

1. Lawfulness, fairness and transparency

2. Purpose limitation

3. Data minimisation

4. Accuracy

5. Storage limitation

6. Integrity and confidentiality

7. Accountability