20 GDPR questions for European HR Teams

11 / 01 / 2018

In many organisations across Europe, HR teams will be integral to GDPR compliance as much of the data affected by the new law will relate to employees.

Time is running out to start the process of ensuring compliance for May 2018, so below we provide a simple checklist of questions to address in the context of employee data:

  1. Where is your employee data stored?
  2. Are you storing old data that is no longer required?
  3. Can you safely destroy or delete it?
  4. Who is processing employee data, your organisation or a third party?
  5. Do you need to have new agreements with third party service providers (such as payroll, Software as a Service, and data storage) that are GDPR-compliant?
  6. Are any of your third party service providers or companies within your corporate group located outside the EU, and if so, do you have a mechanism in place to enable the legal transfer of employee personal data?
  7. Why are you storing or processing the data and do you need to continue?
  8. Do you have a lawful reason to process the employee data?
  9. Do you rely on employees’ individual consent for any processing and have you obtained it?
  10. Do you need to obtain new or different consent under GDPR?
  11. Do you need to put in place privacy statements for existing or new employees?
  12. What mechanism or platform will you use to make people aware of privacy statements?
  13. What technical and organisational measures (such as layered access policies, staff vetting and data protection training) do you have in place to protect employees’ personal data?
  14. Do you have a data breach policy?
  15. Do you have in place a policy to deal with employee subject access, right to be forgotten requests and other data subject requests under the GDPR?
  16. Do you monitor your employees, using CCTV, electronic communications (including social media) and/or systems monitoring, or location tracking, and is your monitoring GDPR-compliant?
  17. Do you carry out privacy impact or data protection impact assessments before performing any new data processing operations?
  18. Do you maintain a register of your data processing activities?
  19. Do you have a data protection officer, or DPO?
  20. Are you ready to start?

Wedlake Bell’s specialist Employment and Data Protection Teams can help you address these questions in conjunction with our European partner firms.