Performing an HR audit

09 July 2019

Conducting an HR audit on personal data is significant for organisations in ensuring compliance with the General Data Protection Regulation (GDPR). And it’s crucial you establish clear steps to take. In this guide, we’ll take you through what you need to do and explain the various laws you’ll need to consider. But remember, if you need help straight away you can contact our HR outsourcing services for a full guide through the auditing process.

How to start your HR internal audit program

The objectives of HR audits are to identify all categories of personal employee data that your business or HR department process. Another goal is to look for any areas that don’t align up to the strict data protection requirements of the GDPR. The type of information that’s considered includes:

  • The names and addresses of employees.
  • CVs and other information gathered at the recruitment stage.
  • Holiday records.
  • Any instances of misconduct.

When considering how to do an HR audit, you should establish a clear HR audit plan. First, you should identify how to undertake it. Although some larger companies may opt for contracting out this exercise, it may not be possible (or suitable) if you’re a small or medium business. In this situation, it’s advisable you use representatives from a number of areas within your company where possible, such as employees from IT alongside your HR department.

Your HR audit process steps

You should look to identify which members of staff are in charge of the data that you’re looking to audit. You’ll need to liaise with them to gather the data for your HR audit report. There are a number of ways to collect the data, but one of the best options is distributing a HR audit questionnaire for employees who are responsible for the data. A typical questionnaire should consider a number of areas, including if:

  • Existing company policies and procedures for processing this specific data need amends in line with GDPR requirements.
  • There’s a lawful basis for processing this form of data.
  • The employees responsible for the processing of this data are fully trained in data protection requirements.
  • You’ll have to transfer the data to third parties, such as the HMRC (if there’s a legal basis for this).

This functions as an HR audit survey, allowing you to gather the information you require to determine any issues. Following completion of the questionnaire, record all the information you have in a form. You can then use this to understand if there are any changes you’ll have to make to your existing company processes. And there’s a specific way you can go about this to make your task easier.

Managing results with an HR audit checklist

Once you have all of your data, you’ll want to establish a way of covering every essential point you’ve highlighted. You can do this with ease—all you have to do is create an HR compliance audit checklist. A typical HR compliance audit checklist should specify category of personal data and outline how different aspects of current processing procedures, such as the legality of processing the data and the qualifications of those responsible for it, do meet the requirements of the GPDR. Alongside the use of an internal audit checklist for the HR department. It may also be advisable to produce an HR audit executive summary that can summarise the key findings of the audit and its implications for the company. The GDPR also imposes an obligation on organisations with 250 members of staff or over to maintain a ‘record of processing activities’. This is essentially a data register that you should make available upon request. A properly constructed HR internal audit programme can assist organisations to comply with this as it helps to ensure most of the information is already available.

Need help with your audit?

Get in touch and we’ll guide you through the often complex process of a full HR health check. Contact us today on 0800 028 2420.

Suggested Resources