Our mission

Indeed’s Employer Resource Library helps businesses grow and manage their workforce. With over 15,000 articles in 6 languages, we offer tactical advice, how-tos and best practices to help businesses hire and retain great employees.


For your company’s HR team, the General Data Protection Regulation (GDPR) is an important piece of data protection law to stay up to date with, because your HR team is primarily responsible for employee data in areas such as recruitment information, people data analysis and performance strategy analysis.


Why is HR GDPR compliance important?

The Data Protection Act 2018 and the General Data Protection Regulation (GDPR) came into force to protect individuals from the misuse of their data in the digital age. Neglecting either the Data Protection Act or the GDPR can result in prosecution and heavy penalties for your company.

As the employer of your HR team, it is up to you to create policies that are aligned with the GDPR and the Data Protection Act 2018. You must also make sure that your team thoroughly understands the terms and conditions of both the GDPR and the Data Protection Act 2018, as well as the policies you build around them. To create policies that are correctly aligned with the GDPR in the UK, you should take legal advice. This can cover areas such as:

  • How to deal with possible GDPR breaches in your company;
  • Creating a GDPR ‘health check’, whereby a legal team assesses which areas need data protection and develops a compliance plan for your company;
  • Gaining a greater understanding of what compliance with the GDPR entails for your company;
  • Deciding whether you are a data processor or data controller;
  • Providing advice to your HR team on following the GDPR;
  • How to gain consent from your customers and how you plan to use their data;
  • Creating GDPR contracts.

UK data protection legislation and legal bodies

You should make sure that you understand the legislation around data protection in the UK if you are processing customer or employee data – in other words, if your HR team is processing people’s data. There are three acronyms that you should remember for appropriate HR GDPR compliance, as they are used frequently throughout this article:

What is the Information Commissioner’s Office (ICO)?

The Information Commissioner’s Office (ICO) is the body that promotes and enforces the protection of data under UK legislation. Although it enforces that legislation, the ICO operates independently of the UK government. You can contact the office to find out more about how to comply with the Data Protection Act 2018.

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a regulation that ensures people have a right to access data that organisations hold on them. Part of the GDPR is the obligation to manage their data safely and correctly. According to the GDPR, individuals have the following rights with regard to the collection of their personal information:

  • Individuals have the right to be informed about the collection of their personal data;
  • They have the right to access this data;
  • They have the right to rectify this data;
  • They have the right to erase this data;
  • They have the right to restrict your processing of this data;
  • They have the right to data portability;
  • They have rights in relation to ‘automated decision-making and profiling’.

You should be able to show that your employees have been correctly informed of the collection and reasons for processing their data, including an explanation of how you are planning to use it. Employees must consent verbally or in writing to the processing and collection of their data. You must listen to any complaints they may have about how you plan to follow data protection policies.

What is the Data Protection Act 2018 (DPA)?

The Data Protection Act (DPA) works alongside the GDPR to provide people with rights in relation to your processing of their personal data. The DPA states that all data processors must follow certain rules around how they use the data they collect from individuals (‘data subjects’). Data subjects have certain rights regarding their own access to this data.

How to create an HR action plan in compliance with the GDPR

Create an action plan with your HR team to make sure that your whole organisation is complying with the GDPR. This can involve the following HR GDPR initiatives:

  • Assigning the role of data protection officer to help ensure business-wide compliance;
  • Assessing your current data systems, including the security of these systems;
  • Assessing how you are currently using sensitive personal data;
  • Regular monitoring of HR GDPR and company-wide GDPR compliance;
  • Checking the security of any international transfers of data that you make;
  • Reviewing your current policies and data handling practices surrounding personal references or the use of email, telephone or other mail delivery services.

Once you have a good understanding of the DPA and GDPR in terms of your responsibilities, you should work out your role in the processing of a subject’s data. This is important, as depending on your role in the processing of their data, you may have greater responsibilities under the GDPR.

Deciding whether you are a data processor or data controller, or a joint data controller

An important part of working out which areas of the UK GDPR you need to comply with is working out whether you are a data processor, data controller or joint controller. All data controllers are primarily responsible for following the GDPR, and if you are one, make sure you understand fully what this entails.

Data controllers

A data controller decides how the data collected will be processed. If you are a data controller, you must make sure that you strictly adhere to the GDPR and DPA; you have the most responsibility to do so. If you fail to comply with the GDPR and DPA, the Information Commissioner’s Office may take action against you as the controller.

You are a data controller if:

  • You collect personal data for the purposes of your company processing it;
  • You and your company decide the reason for processing the data;
  • You get to decide whose data you are collecting;
  • You are collecting data from your employees;
  • Your relationship with the individuals you are collecting data from is direct;
  • You have decided who will be processing the data;
  • You are collecting data for your own commercial benefit;
  • You have a contract drawn up between you and your data subject that says you can collect their data.

If you are in any doubt about whether you are the sole controller of data, then you must seek the appropriate legal advice on the matter.

Joint controllers

Being a joint controller is very much like being a controller, except that you are working with another controller to handle the data. You must decide who is to take primary responsibility for following the GDPR; however, all joint controllers must make sure that they comply with the regulation.

You are a joint controller if:

  • You are working with another controller on fulfilling the same processing objective;
  • You are processing data for the same reason as another controller you are working with;
  • You and another controller are both using the exact same sets of data for processing;
  • You created your data process with another controller;
  • Another controller is sharing your information management rules.

Regardless of whether you are responsible for the primary role of following the GDPR, all joint controllers should follow the GDPR, as failure to comply may result in prosecution and action may be taken against you by the Information Commissioner’s Office.

Data processors

A data processor processes personal data on behalf of a data controller. You are working as a data processor if:

  • You are processing data on behalf of a data controller;
  • You are not responsible for deciding the reason for the collection of this personal data;
  • You are not responsible for deciding to collect the personal data;
  • You are not responsible for whether this data should be disclosed, including to individuals;
  • You are not deciding the lawful reasons for the collection of this personal data;
  • You are not responsible for the end result of the processing of the data you have collected;
  • A third party has given you the data.

Although being a data processor means you have fewer responsibilities for following the GDPR than the data controller, you must still make sure that you follow all obligations for data processors under the GDPR.

What does ‘processing’ mean according to the UK GDPR?

According to Article 4 of the GDPR, ‘processing’ means: ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’.

Types of data your HR team might be processing

There are two main categories of people data that your HR team might be processing:

  • Personal data, which includes identifiers such as location, name or identifying number, as well as any other notes or appraisals;
  • Sensitive data, which includes criminal records; an employee’s protected characteristics, such as race, sex, religion, health and sexual orientation; trade union membership; and genetic or biometric data such as fingerprints.

Health data can only be provided to you with the consent of the individual, regardless of whether they are a candidate or employee. You may want access to health data for processing if you want to assess the workplace needs of that employee, or to confirm employee diagnoses with the correct authorities.

Processing personal data vs special category sensitive data

Personal data deemed to be sensitive data is more strongly protected and has to be processed in accordance with specific conditions set out in the GDPR. According to the ICO, in order to process this data you must: ‘identify both a lawful basis under Article 6 of the UK GDPR and a separate condition for processing under Article 9’. There are also ‘10 conditions for processing special category data in Article 9 of the UK GDPR’ and ‘Five of these require you to meet additional conditions and safeguards set out in UK law, in Schedule 1 of the DPA 2018.’ You will also need an appropriate policy document, and you must complete a data protection impact assessment for the processing of high-risk data.

What penalties are there if I do not follow UK GDPR rules?

If your HR department does not follow the GDPR correctly, or fails to address concerns raised through an enforcement notice or an inspection, you may receive large penalties. For a serious breach of the GDPR, the penalties could include a fine of 4% of global annual turnover or up to £17.5m. However, fines of this size are extremely rare and reflect the gravest consequences of a GDPR breach, such as a threat to life or to the UK economy.

Adhering to the GDPR and DPA is a primary concern for your organisation, especially your HR team and their processing of data such as personal and sensitive data on your employees. You must make sure that you familiarise yourself with all points of the GDPR and DPA, making sure that you have a legal team advising you on any company policy you create around adherence to current UK government legislation on data protection.

Make sure that you understand what personal and sensitive data looks like. You should also familiarise yourself with the appropriate processing of special category sensitive data. Failure to process personal and sensitive data correctly could result in serious penalties and/or fines from the Information Commissioner’s Office. It is a good idea to create an HR GDPR action plan, with your HR team communicating processes for correct GDPR compliance to your entire company. Ensure that you have a data protection officer to help you do this.
