Preparing for the General Data Protection Regulation (‘GDPR’) may, unsurprisingly, feel like a daunting exercise for HR professionals. However, one of the best ways to start the process – and appreciate the scope of the overall task ahead – is to conduct a HR data audit either as a standalone exercise or as part of an organisation-wide data audit process.
HR data audit
HR professionals have access to some of the most sensitive personal information a business holds. This can include a wide spectrum of employment data, including anything from simple holiday records to the outcome of controversial disciplinary investigations, medical information to CCTV footage of the staff car park. Businesses are also likely to process significantly more employment data than in other contexts (such as about customers or suppliers) complicating matters even further.
As the GDPR places greater obligations on employers to inform employees how their personal data will be processed – and justify the grounds for doing so – it is critical that HR professionals understand the existing practices, policies, procedures and processes in place, which concern HR data.
To do so, a key starting point is to carry out a HR data audit: a comprehensive review of the ways in which such data is processed in a business. The audit may be part of a wider data audit process in the business and therefore communication with the relevant stakeholders in the business will be key for alignment and consistency.
The actual audit process will depend on the location or source of the data, the quantity and types of HR data being processed, not to forget the budgetary constraints or resources of the business. There is no prescribed way to carry out an audit process; however, its key purpose is to identify the types of data that is collected by employers and what is then done with it, to help validate data flows within the organisation.
In practice, the audit process may simply involve a mapping exercise, based on information in internal policies or other documents. Alternatively, it may be more appropriate to conduct the audit digitally, particularly if employees typically interact with HR in this way (for example, if they routinely use HR portals to log sickness and holidays). If there are disparate HR functions in different locations, a standardised questionnaire or due diligence form may be a sensible option to help collate the relevant information. Once all the relevant information has been collected, businesses may also consider setting up an information asset register or central repository to help organise all the collated intelligence.
Businesses should first consider who is best placed to carry out the audit. Whilst some businesses may outsource this exercise, for example by appointing an external consultancy firm and others may opt to use internal or external IT professionals, many will simply not have the resources to conduct the process in this way.
Given the pervasive nature of the GDPR, in practice the audit is likely to be managed between a combination of HR, IT, legal and any other qualified personnel. It cannot be emphasised strongly enough, that HR input must be factored into GDPR considerations as early as possible. We recommend therefore that a HR resource is identified as the HR “go-to” person for GDPR matters and that they are given the time and support required to carry out this role. It will be important for the individual responsible to develop a good working relationship with a member of the IT team. This will help them to better understand the infrastructure or plumbing behind the various flows of HR data.
Regardless of who is appointed, the individual should coordinate their efforts with any wider GDPR team within the business to ensure the audit is both thorough, efficient and avoids duplication of efforts.
The audit process should track all HR data from the moment a candidate applies for a job until their employment has been terminated.
To understand the lifecycle of HR data in a business and conduct a thorough audit, the following kinds of questions should be asked during the process:
- What kind of data is being collected, where and why?
- How is the data used (i.e. processed) both internally and externally?
- How long is the data retained?
- Who has access to the data both inside and outside of the business?
- What procedures and controls are in place to keep data safe?
The outcome of the audit process should identify any areas where an organisation’s current data systems or processes are not compliant with the GDPR. It is at that point that the practical steps an organisation needs to take to rectify any areas of non-compliance, may be determined.
In an ideal world, the findings will identify that the organisation has robust processes in place to safely (and legitimately) handle HR data. However, if any gaps are identified, there is no immediate need to panic, as this to be expected given the onerous obligations under the GDPR. The audit process should not be seen as a hindrance and should help illustrate the areas that need to be addressed before the GDPR comes into force in May 2018. This is exactly the reason why it is so important to carry out an assessment of current HR data and related processing activities through an audit or similar process!
Top tips summary
- Assemble your HR data audit team.
- Communicate with other stakeholders in the business (such as IT, legal, compliance, business managers) as part of any wider audit and GDPR compliance process.
- Thoroughly review your practices, policies, procedures and processes to identify HR data flows.
- Start sooner rather than later to address any non-compliance with the GDPR.