GDPR: How to do a data audit and avoid a massive fine


Peninsula Group, HR and Health & Safety Experts


If you’ve been putting off getting ready for the General Data Protection Regulations (GDPR), you won’t be able to for much longer. The EU’s new data protection laws come into force on 25th May 2018, and we can’t stress enough how important they are. You need to make sure you use and store data properly—not just your customers’ but also that of your employees and job candidates. If you don’t, you could face a fine of up to 4% of your annual turnover or €20 million (about £17 million), whichever is higher.

The easiest way to make sure the way you gather and use HR data is in line with GDPR is to do a data audit. This will help you understand what your current data procedures are, and whether you need to change them.

Start with a plan

Before you begin, decide who’ll do the HR audit and how. The best people would be your HR, IT and legal staff. If you don’t employ anyone in these roles, you may need to do it yourself. You could also appoint a Data Protection Officer, or get an external company to do it. The latter might be the better option since they may have more specialised expertise.

Make a list of the departments you need to speak to as part of the audit. These include payroll, recruitment and IT (once again, assuming they exist).

What you need to gather

The HR audit will determine what type of data you collect on your employees and how you use it. Remember that GDPR applies not only to the data you have on your current employees, but also to any information you gathered about unsuccessful job applicants and ex-employees. If your data came from other organisations, such as references from previous employers, you need to include this in your audit as well.

How to gather data on your data

Come up with a questionnaire or form that asks each department:

  • What kind of data do they collect?
  • Where do they hold the data?
  • How do they use it?
  • How long do they keep it for?
  • Who has access to the data? Can any external organisations access it?
  • What procedures, systems and controls are in place to secure the data?

You also need to work out why you’re gathering data. For employee data, this is likely to be because you need it to honour their contract. For example, you need their bank details to pay them.

What happens next?

After you’ve finished your audit, you should create a report that shows all the HR data you hold. It’ll help you see what happens to HR data after you’ve collected it, and show where you need to do better. If the audit shows that there are areas where you’re lacking, you need to outline what action you’ll take to come into line with GDPR. And if the Information Commissioner’s Office (ICO) ever pays you a visit, you’ll be able to show them that you’ve taken steps to obey the law.

The deadline to comply is a few weeks away, so if you haven’t already, you need to act now.

Alastair Brown is Chief Technological Officer at BrightHR: a trailblazing people management software company. Alastair is responsible for driving forward BrightHR’s expansion plans and the management of the business’s technological needs. He also speaks regularly to the media on the latest tech and data developments, with his commentary profiled in many national and trade publications.
