GDPR: How to do a data audit and avoid a massive fine


Peninsula Group, HR and Health & Safety Experts


If you’ve been putting off getting ready for the General Data Protection Regulation (GDPR), you won’t be able to for much longer. The EU’s new data protection law comes into force on 25th May 2018, and we can’t stress enough how important it is. You need to make sure you use and store personal data properly: not just your customers’, but also that of your employees and job candidates. If you don’t, you could face a fine of up to 4% of your annual worldwide turnover or €20 million (about £17 million), whichever is higher.

The easiest way to make sure the way you gather and use HR data is in line with GDPR is to do a data audit. This will help you understand what your current data procedures are and whether you need to change them.

Start with a plan

Before you begin, decide who’ll do the HR audit and how. The best people would be your HR, IT and legal staff. If you don’t employ anyone in these roles, you may need to do it yourself. You could also appoint a Data Protection Officer, or get an external company to do it; the latter might be the better option, since they may have more specialised expertise.

Make a list of the departments you need to speak to as part of the audit. These include payroll, recruitment and IT (once again, assuming they exist).

What you need to gather

The HR audit will determine what type of data you collect on your employees and how you use it. Remember that GDPR applies not only to the data you hold on your current employees, but also to any information you gathered about unsuccessful job applicants and ex-employees. If your data came from other organisations, such as references from previous employers, you need to include this in your audit as well.

How to gather data on your data

Come up with a questionnaire or form that asks each department:

  • What kind of data do they collect?
  • Where do they hold the data?
  • How do they use it?
  • How long do they keep it for?
  • Who has access to the data? Can any external organisations access it?
  • What procedures, systems and controls are in place to secure the data?

You also need to work out why you’re gathering each type of data, since you must have a lawful basis for it. For employee data, this is likely to be because you need it to perform their employment contract. For example, you need their bank details to pay them.

What happens next?

After you’ve finished your audit, you should create a report that shows all the HR data you hold. It’ll help you see what happens to HR data after you’ve collected it, and show where you need to do better. If the audit shows areas where you’re lacking, outline what action you’ll take to come into line with GDPR. And if the Information Commissioner’s Office (ICO) ever pays you a visit, you’ll be able to show them that you’ve taken steps to comply with the law.

The deadline to comply is only a few weeks away, so if you haven’t already, you need to act now.

Alastair Brown is Chief Technological Officer at BrightHR, a trailblazing people management software company. Alastair is responsible for driving forward BrightHR’s expansion plans and the management of the business’s technological needs. He also speaks regularly to the media on the latest tech and data developments, with his commentary profiled in many national and trade publications.



© 2023 Peninsula Business Services Limited. Registered Office: The Peninsula, Victoria Place, Manchester, M4 4FB. Registered in England and Wales No: 1702759. Peninsula Business Services Limited is authorised and regulated by the Financial Conduct Authority for the sale of non-investment insurance contracts.