GDPR belts and braces guide

Your HR team is responsible for processing employee data: recruitment and selection, performance management, and employees' personal and sensitive personal information.

By Matthew Brown

Your first priorities in securing and protecting your data are to categorise it, define and log how and where you use it, and understand the processes you use to manage it. Importantly, when identifying all the data held within your business, you need to address a few questions in order to establish an auditable decision trail and define any risk you may hold, e.g. a potential data breach.

Here are the first 3 we recommend you address:

  1. Do you know where all your data is?
  2. Do you know if all your data is up to date?
  3. How relevant is the data to your business?

So, the main and certainly first duty under GDPR is defining where your data is stored and ensuring that it is relevant to your business needs, up to date and clean (free of mistakes and errors). It is at this stage that you will make key business decisions around how you incorporate good data management practice into employee policies and business planning. Other decisions around cyber security, such as how you deal with equipment like laptops, phones, memory sticks and any other portable device (if it is no longer in use, should you destroy it, and if so, do you use a certified destruction agent?), will be at the forefront of your business mind, particularly with the move towards working from home. Conducting Privacy Impact Assessments going forward on all new data processes and business projects will give you the certainty you need to feel confident in your data security and privacy compliance.

The initial audit and self-assessment will undoubtedly raise some concerns; information security is always ongoing. You should be thinking about what levels of access to data you grant to which employees and whether they have administrator rights to amend data (your permissions policy). The next step is to evaluate how you secure important data for your business: 90% of all breaches you are likely to be fined for will be a consequence of an employee failing to protect the data, i.e. a password breach, loss of equipment holding data, or targeted hacking. Again, this has taken on a new urgency with the permanent move to part-time working from home and the risks this involves.

  1. Business or Personal Data

One of the more common words you will come across around GDPR is relevancy. In simple terms, you need to justify how you collect and then process the data of individuals as part of your business model.

Personal data is now more widely categorised as:

‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.’ (Article 4)

For the majority of businesses, personally identifiable information (PII) will mean mobile or direct-dial phone numbers, email addresses and postal addresses. Any such data you collect must be relevant to your business use and hence justifiable. So, for instance, you would not ask for a person’s blood type if you wanted their details for a marketing campaign based on all-inclusive holidays for the over-50s, but you might ask them to confirm their age for relevance.

What you have to do is establish why the data is relevant to you, and then look at what is a fair and reasonable use of it under legitimate interest; to be clear, the ICO have stated they would prefer you to rely on legitimate interest as your basis for using the data over all other permissions.

“An important note to make here is that electronic communications have a distinct set of data protection regulations (PECR), which means specific consent must be obtained for marketing using electronic communications, specifically email, text message or automated phone calls.”

So, whilst legitimate interest is useful, it is only appropriate where you intend to use direct mail or telephone calls, and these must be screened against both the TPS and CTPS registers. We recommend that your business first addresses the relevancy of this data in its daily business environment, i.e. its use, its terms of use, and how you audit that use. You must also be able to answer any request to be forgotten from an individual.

  2. Balancing legitimate interests

It is important that you balance your business requirement to use PII against the rights of the individual. In most cases you will be targeting a business, using profiling to determine why you want to contact a specific target business rather than an individual, although from time to time your marketing or business data use may specify a certain identifying piece of personal data, i.e. a job title.

You will need to ensure any data used is relevant to you. We would also suggest you decide what is reasonable and fair use of the data and therefore set an end date for its expected use. By preparing each set of data used in this way, you are establishing and maintaining good business practice and creating an auditable trail for any future investigation of a possible breach.
