GDPR: How to do a data audit and avoid a massive fine

Peninsula Team

May 01 2018

If you’ve been putting off getting ready for the General Data Protection Regulation (GDPR), you won’t be able to for much longer. The EU’s new data protection laws come into force on 25th May 2018, and we can’t stress enough how important they are. You need to make sure you use and store data properly—not just your customers’ but also that of your employees and job candidates. If you don’t, you could face a fine of up to 4% of your annual turnover or €20 million (about £17 million), whichever is higher.

The easiest way to make sure the way you gather and use HR data is in line with GDPR is to do a data audit. This will help you understand what your current data procedures are, and whether you need to change them.

Start with a plan

Before you begin, decide who’ll do the HR audit and how. The best people would be your HR, IT and legal staff. If you don’t employ anyone in these roles, you may need to do it yourself. You could also appoint a Data Protection Officer, or get an external company to do it. The latter might be the better option since they may have more specialised expertise.

Make a list of the departments you need to speak to as part of the audit. These include payroll, recruitment and IT (once again, assuming they exist).

What you need to gather

The HR audit will determine what type of data you collect on your employees and how you use it. Remember that GDPR applies not only to the data you have on your current employees, but also to any information you gathered about unsuccessful job applicants and ex-employees. If your data came from other organisations, such as references from previous employers, you need to include this in your audit as well.

How to gather data on your data

Come up with a questionnaire or form that asks each department:

  • What kind of data do they collect?
  • Where do they hold the data?
  • How do they use it?
  • How long do they keep it for?
  • Who has access to the data? Can any external organisations access it?
  • What procedures, systems and controls are in place to secure the data?

You also need to work out why you’re gathering data. For employee data, this is likely to be because you need it to honour their contract. For example, you need their bank details to pay them.

What happens next?

After you’ve finished your audit, you should create a report that shows all the HR data you hold. It’ll help you see what happens to HR data after you’ve collected it, and show where you need to do better. If the audit shows that there are areas where you’re lacking, you need to outline what action you’ll take to come into line with GDPR. And if the Information Commissioner’s Office (ICO) ever pays you a visit, you’ll be able to show them that you’ve taken steps to obey the law.

The deadline to comply is a few weeks away, so if you haven’t already, you need to act now.

Alastair Brown is Chief Technological Officer at BrightHR, a trailblazing people management software company. Alastair is responsible for driving forward BrightHR’s expansion plans and the management of the business’s technological needs. He also speaks regularly to the media on the latest tech and data developments, with his commentary profiled in many national and trade publications.