The first GDPR step: carrying out an audit of HR personal data

The introduction of the General Data Protection Regulation (GDPR) on 25th May 2018 will change the way employers have to handle and secure their employees’ personal data. Carrying out an HR data audit in advance will help employers understand how data is collected, used and stored in their business.

1. What does an HR data audit look like?

Essentially, the HR data audit is a process to identify the life cycle of HR data within the company, from collection through to deletion. The audit will look different depending on the type of business, how much data is collected and used, and what internal data processes are already in place.

It’s important to remember that HR data processes cover individuals other than current employees. Data is collected about unsuccessful job applicants, it can be received from third parties (for example, references from previous employers), and data concerning ex-employees is retained for a period after their employment ends.

2. Put a plan in place

Before the audit takes place, a process plan can be agreed which sets out how the audit will be conducted and who will carry it out. Usually, HR representatives will be best placed to undertake the audit, with support from other departments such as IT or legal. Alternatively, a newly appointed data protection officer or an external firm can bring an expert view. The individuals or departments to be interviewed as part of the audit can also be identified in advance, such as payroll, recruitment and those responsible for the HR software.

3. Prepare questions

To carry out the data audit, a standard questionnaire or form can be designed containing the questions needed to fully understand how data is collected, used and stored. Standard questions include:

• What kind of data is collected?
• Where is data stored?
• How is the data used?
• How long is the data kept?
• Who has access to the data, both internally and externally?
• What procedures or controls are in place to protect the data?

The lawful basis for each processing activity will also need to be catalogued, to confirm that a valid basis actually exists. This matters in particular because the GDPR tightens the requirements for some existing bases, such as ‘consent’.

4. Monitor compliance once the audit is complete

Once the audit is complete, an HR data report can be created showing the data life cycle.

The report can then be used to identify areas where current systems or policies do not meet GDPR obligations. Where non-compliance is identified, the business will need to set out the steps it will take to rectify it, so that it is not in breach once the GDPR is in force. Pre-emptive action now could prevent a costly fine.
