Written by

Bernard Marr

Bernard Marr is a world-renowned futurist, influencer and thought leader in the fields of business and technology, with a passion for using technology for the good of humanity. He is a best-selling author of 20 books, writes a regular column for Forbes and advises and coaches many of the world’s best-known organisations. He has over 2 million social media followers, 1 million newsletter subscribers and was ranked by LinkedIn as one of the top 5 business influencers in the world and the No 1 influencer in the UK.

Bernard’s latest book is ‘Business Trends in Practice: The 25+ Trends That Are Redefining Organisations’


What Does GDPR Really Mean For HR Teams?

2 July 2021

One of the main challenges of HR data is the thorny issue of data privacy. With the EU’s General Data Protection Regulation (GDPR) coming into effect in May 2018, this issue is set to become even more critical for HR teams. But what is GDPR and how might it impact the work of HR teams?

What is the idea behind GDPR?

It’s fair to say that legislation has failed to keep pace with the speed at which technology and big data have advanced, particularly our ability to gather, store and analyze data. GDPR is designed to strengthen data protection and the right to privacy for people in the EU, giving them greater control over their personal data and how it is used.

GDPR represents a complete overhaul of the legal requirements for any organisation that handles the personal data of people in the EU, wherever that organisation is based, and that includes employees’ personal data.

The implications of GDPR are not to be sneezed at. Companies that fall foul of the regulation and are found to be misusing personal data face fines of up to €20m or 4% of annual worldwide turnover, whichever is the greater.

Why HR teams need a lawful basis (and sometimes consent) for employee data

Lawful processing is a critical pillar of the regulation: every use of personal data needs one of the lawful bases set out in Article 6, and data may only be used for the specified purposes for which it was collected (the purpose limitation principle). Consent is one of those bases, but it is a weak one in employment. Consent must be freely given and can be withdrawn at any time, and regulators take the view that the imbalance of power between employer and employee means an employee’s consent is rarely free. Most routine HR processing (paying salaries, administering contracts, meeting tax and employment-law obligations) should therefore rest on the employment contract, a legal obligation or the employer’s legitimate interests, with consent reserved for genuinely optional activities such as a wellbeing survey or publishing a photo on the intranet. Whatever the basis, employees must be told clearly what data is held about them and how it will be used.

In other words, be transparent with your employees about what data is being collected, for what purpose, on what lawful basis, and how that data will be used. This belongs in a privacy notice given to every employee; a signed acknowledgement shows the notice was received, but a notice is not the same thing as consent. Then, crucially, use the data only for the purposes you have stated. If you want to use it for a new purpose that is not compatible with the original one, you need a lawful basis for that too, which may mean seeking fresh consent.

Protecting employee data

GDPR also sets out strict requirements around reporting a personal data breach, which covers not just theft or loss but any unauthorised access to or disclosure of personal data. While, for most companies, this is more of an issue for customer data, be aware that employee-related data is just as personal in nature. So, in the event of any breach affecting employee data that is likely to put those employees at risk, you will need to notify the supervisory authority (in the UK that’s the Information Commissioner’s Office) without undue delay and, where feasible, within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to the people affected, you must also inform those individuals without undue delay. Either way, keep an internal record of every breach, including the ones you judge not to need reporting.

Naturally, it’s far better to avoid a data breach in the first place. While attackers’ techniques are getting more sophisticated all the time, some basic controls go a long way towards protecting your HR data: encrypting it at rest and in transit, restricting access to the people who need it for their role, and monitoring systems so that a breach is detected quickly, which also matters for meeting the 72-hour clock.

GDPR may also have training implications, since all staff should be educated on the need for good data security practices. At the very least, this means employees must never share passwords, click on dodgy links, or share confidential information with anyone who isn’t authorized. Yes, hackers are very clever. But simple human error is responsible for more breaches than you’d think, as highlighted by the example of the Boeing employee who emailed his (non-Boeing-employee) spouse for help formatting a spreadsheet. In innocently forwarding the spreadsheet, the employee potentially exposed the personal data of 36,000 Boeing employees.

Other GDPR considerations

Employees also have the right to erasure (the ‘right to be forgotten’) and to withdraw any consent they have given, so you’ll need to think about what this means for your systems. The right is not absolute: records you are legally required to keep (payroll and tax records, for instance) can be retained, but everything else should go. Do you have procedures in place for deleting employee data? How many systems would be affected? Can you be sure you’re removing all trace, including copies in backups, spreadsheet exports and free-text fields such as helpdesk tickets? Does your team understand how important it is to comply with this? These are all things that need to be considered as part of your data-driven HR strategy.

It’s also very important to keep records of the lawful basis for gathering, storing and using each category of employee data, including when any consent was given or withdrawn, and to be able to show a clear business reason for each use. Under GDPR’s accountability principle you must be able to demonstrate compliance, not merely achieve it.
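As an added example (not code from the original article), the following Python sketch shows how the two points above might look in practice: a register that records the lawful basis for each purpose, refuses processing for any purpose without a live basis, lets an employee withdraw consent without disturbing contract-based processing, and carries out an erasure across several stores followed by a sweep that confirms no trace of the employee’s identifiers remains. The three tables (hris, payroll, helpdesk_notes), the employee records and the helpdesk notes are constructed for the example and are assumptions, not data or schema from any real system.

```python
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timezone

# Article 6 GDPR lawful bases an employer can realistically rely on.
LAWFUL_BASES = {"consent", "contract", "legal_obligation", "legitimate_interests"}


@dataclass
class BasisRecord:           # one lawful basis, for one purpose, for one employee
    employee_id: str
    purpose: str
    basis: str
    recorded_at: str
    withdrawn_at: "str | None" = None


class HRDataRegister:
    """Purpose register plus erasure across a hypothetical employer's data stores.
    The tables (hris, payroll, helpdesk_notes) are assumptions made for this example."""

    def __init__(self, db: sqlite3.Connection):
        self.db = db
        self.records = []

    def record_basis(self, employee_id, purpose, basis):
        if basis not in LAWFUL_BASES:
            raise ValueError(f"unknown lawful basis: {basis}")
        self.records.append(BasisRecord(employee_id, purpose, basis,
                                        datetime.now(timezone.utc).isoformat()))

    def can_process(self, employee_id, purpose) -> bool:
        """Purpose limitation: only a purpose with a live recorded basis may be processed."""
        return any(r.employee_id == employee_id and r.purpose == purpose
                   and r.withdrawn_at is None for r in self.records)

    def withdraw_consent(self, employee_id) -> list:
        """Withdrawal blocks consent-based purposes only; contract-based ones continue."""
        blocked = []
        for r in self.records:
            if r.employee_id == employee_id and r.basis == "consent" and r.withdrawn_at is None:
                r.withdrawn_at = datetime.now(timezone.utc).isoformat()
                blocked.append(r.purpose)
        return blocked

    def erase(self, employee_id) -> dict:
        """Delete keyed rows, redact free text, then sweep every table for leftovers."""
        row = self.db.execute("SELECT name, email FROM hris WHERE employee_id = ?",
                              (employee_id,)).fetchone()
        identifiers = [employee_id] + (list(row) if row else [])
        deleted = {t: self.db.execute(f'DELETE FROM "{t}" WHERE employee_id = ?',
                                      (employee_id,)).rowcount for t in ("hris", "payroll")}
        # Free-text notes are redacted, not deleted, so other employees' records survive.
        redacted = 0
        for note_id, text in self.db.execute("SELECT id, note FROM helpdesk_notes").fetchall():
            cleaned = text
            for ident in identifiers:
                cleaned = cleaned.replace(ident, "[erased]")
            if cleaned != text:
                self.db.execute("UPDATE helpdesk_notes SET note = ? WHERE id = ?", (cleaned, note_id))
                redacted += 1
        self.db.commit()
        return {"deleted": deleted, "redacted_notes": redacted,
                "residual": self.residual_references(identifiers)}

    def residual_references(self, identifiers) -> int:
        """Case-insensitive substring sweep over every column of every table; must be 0."""
        hits = 0
        for (table,) in self.db.execute("SELECT name FROM sqlite_master WHERE type = 'table'").fetchall():
            for col in [c[1] for c in self.db.execute(f'PRAGMA table_info("{table}")')]:
                for ident in identifiers:
                    (n,) = self.db.execute(f'SELECT COUNT(*) FROM "{table}" '
                                           f'WHERE CAST("{col}" AS TEXT) LIKE ?',
                                           (f"%{ident}%",)).fetchone()
                    hits += n
        return hits


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data for this example; not taken from any real system."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE hris (employee_id TEXT PRIMARY KEY, name TEXT, email TEXT);
        CREATE TABLE payroll (employee_id TEXT, iban TEXT);
        CREATE TABLE helpdesk_notes (id INTEGER PRIMARY KEY, note TEXT);
        INSERT INTO hris VALUES ('E1042', 'Ada Byron', 'ada.byron@example.com');
        INSERT INTO hris VALUES ('E1043', 'Grace Hopper', 'grace.hopper@example.com');
        INSERT INTO payroll VALUES ('E1042', 'GB00TEST00000000000001'), ('E1043', 'GB00TEST00000000000002');
        INSERT INTO helpdesk_notes (note) VALUES ('Reset laptop for ada.byron@example.com (E1042)'),
                                                ('Grace Hopper asked about VPN access');
    """)
    return db


def demo() -> dict:
    reg = HRDataRegister(build_sample_db())
    reg.record_basis("E1042", "payroll", "contract")           # needed to pay her
    reg.record_basis("E1042", "wellbeing_survey", "consent")   # genuinely optional
    before = tuple(reg.can_process("E1042", p) for p in ("payroll", "wellbeing_survey", "marketing"))
    blocked = reg.withdraw_consent("E1042")
    after = tuple(reg.can_process("E1042", p) for p in ("payroll", "wellbeing_survey"))
    return {"before": before, "blocked": blocked, "after": after, "erase": reg.erase("E1042")}
```

Calling `demo()` walks through the whole lifecycle; the `residual` figure returned by `erase` is the answer to ‘can you be sure you’re removing all trace?’ and should be zero. Two design points worth copying: free-text stores are redacted rather than deleted so that other employees’ records survive, and the final sweep searches every column of every table rather than only the columns you expect the data to live in.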

What about outside of the EU?

You might be wondering what Brexit means for GDPR. Will UK companies still have to comply once Britain has left the EU? In a word, yes. GDPR was written into UK law through the Data Protection Act 2018 and, since the UK left the EU, continues to apply in almost identical form as the ‘UK GDPR’, so UK employers face the same obligations. Any UK company that handles data on people in the EU also remains subject to the EU GDPR regardless.

In any case, GDPR protects the personal data of people in the EU wherever the organisation processing it sits. So if your company holds data on employees based in the EU, even if your business is not based in the EU, you still need to demonstrate compliance. Transferring that data out of the EU needs a recognised legal mechanism. In the US, the Privacy Shield framework was created for this purpose, but the Court of Justice of the EU struck it down in July 2020 (the Schrems II ruling); since then, transfers to the US have relied on the European Commission’s Standard Contractual Clauses, backed by a transfer risk assessment, and, from July 2023, on certification under the EU-US Data Privacy Framework.

There are also specific things to consider if your business transfers EU employees’ data outside the EU: for example, if your company has a US office, or if your HR analytics provider hosts data in the US. For HR teams, this means checking that any personal employee data flowing outside the EU is covered by a valid transfer mechanism (an adequacy decision, Standard Contractual Clauses or, for US recipients, Data Privacy Framework certification) and that the provider is bound by a written processing contract setting out what it may do with the data, as GDPR requires of processors.

Enhanced data privacy in practice

Let’s look at a specific example of employee data and the privacy implications for HR teams. We’re all familiar with the recorded message that greets us when we call a customer service center: ‘Calls may be recorded for training purposes,’ or words to that effect. Telephone calls are routinely monitored for business purposes these days.

So, if your company operates a customer service or helpdesk call center, you should tell both customers and your call center employees that calls are recorded and why. For customers, that is usually the recorded message at the start of the call. For staff, any monitoring of their communications must be explained in a privacy notice, employee handbook or contract, kept proportionate to the stated purpose, and justified on a lawful basis, typically legitimate interests rather than consent, since an employee who cannot realistically refuse has not freely consented.

Essentially, you need to make it very clear what data you’re gathering and why. If there isn’t a clear business reason for gathering the data, you shouldn’t be doing it.

In this stricter regulatory landscape, HR teams must strike a balance between the privacy of employees and the needs of the business, and be transparent about data activities at all times.

Read more about data privacy and the potential pitfalls surrounding HR data in my new book Data-Driven HR. It’s packed with real-life examples and practical ways HR teams can positively use data and analytics to deliver maximum value.

