The EU and UK General Data Protection Regulations

Essential compliance for HR

As the collectors, processors and custodians of huge amounts of personal data, HR professionals are at the front line of data compliance. Here is what you need to know about assuring EU and UK GDPR compliance, and how Cezanne HR’s GDPR-compliant HR system will help.

  • The General Data Protection Regulation (GDPR) came into effect on May 25th 2018 and applies to the processing of ‘personal data’ of EU residents.
  • As the UK has left the EU/EEA, the EU GDPR regime no longer applies to the UK. It has been replaced by ‘the UK GDPR’. While allowing for future divergence, this is largely the same as the EU rules.
GDPR management system

The key requirements of EU and UK GDPR for employee data

How do the EU and UK GDPR regimes impact HR?

 

Data Security

Data relating to an ‘identifiable person’, whether on paper, in a spreadsheet or held in your HR system, must be processed in a manner that ensures its security.

Data Accuracy

Personal data must be accurate and complete, and put right when it is not. The ICO recommends providing data subjects with self-service access to their data.

Data Retention

Personal data should be deleted or anonymised once no longer require for the lawful or legitimate purpose it was initially collected.

Transparency

You are required to provide information to employees about how (and why) you collect, manage, use and secure their data, and the rights they have over it.

Consent

Should you need to obtain consent to process personal data, it must be specific, granular, easy to understand, freely given, affirmative and recorded.

Awareness

GDPR compliance is a company-wide issue, and HR teams have an important role to play in ensuring employees are appropriately trained and for encouraging a culture of data privacy.

Subject Access Requests

Individuals have the right to request and receive a copy of their personal data in an accessible and secured format within a specific timeframe (usually one month).

Restricted Processing

Employees can request that the processing of their data is restricted, or their data irretrievably removed. This must be balanced with your own legal and lawful needs.

Data Portability

Data subjects (e.g. your employees or job candidates) can ask for a copy of their personal data in a ‘structured, commonly used and machine-readable format’.

 


Please note: the information on this page is for general guidance only and is not legal advice. For further information about the requirements of the General Data Protection Regulation please visit the ICO website.

If a business can’t show that good data protection is a cornerstone of their practices, they’re leaving themselves open to a fine or other enforcement action that could damage bank balance or business reputation.

Data Adequacy

Assuring the flow of data between the EU/EEA and the UK

For any organisation with an international workforce, the free flow of HR data between different geographies is essential to assure informed decision-making and effective HR processes.

It is important to be aware that different requirements apply depending on where employees are resident and where their data is processed, so you can be sure you have appropriate processes in place.

In the context of the EU, the flow of data is reliant on data adequacy, a status granted by the European Commission to countries outside the EEA who provide a level of personal data protection comparable to that provided in European law. At the current time:

  • The EU has agreed to allow personal data to flow freely from the EU/EEA to the UK for 6 months from 1st January 2021 pending an adequacy decision.
  • The UK had already agreed, on a transitional basis, that data flows from the UK to the EU/EEA can continue.

How Cezanne HR helps

Powerful features we're sure you'll appreciate

 

Single Data Source

With all your HR data and documents stored in one secure system, you’ll know where everything is, all the time. No more paper files or hard-to-track spreadsheets.

World-Class Security

From data encryption to IS027001 certification and independent penetration testing, Cezanne HR is designed to keep your data safe. Read more about security here.

Automated Data Management

Smart tools allow you to configure your Cezanne HR system to automatically delete or anonymise data based on your rules, saving you hours of time.

Secure Self-service

Employees can check and update their own information, so accuracy is improved, admin reduce and, with workflow authorisations built in, you stay in control of data integrity.

E-Signatures

Integrated document generation means it is easy to distribute and track important information, obtain consent when needed, and see when documents haven’t been signed.

Information Hubs

Embedded HR portals and workspaces make it easy to share best-practice advice and ensure everyone knows where to go to find the latest policy documents and guides.

Data Export

Straight-forward reporting and export to Excel helps you respond to data portability or review the data you hold for Subject Access Requests.

Training Visibility

Easily keep on top of compliance training needs and activities and automatically trigger reminders when training or certification need updating.

Compliance Culture

Encourage a security-first approach by embedding it in all of your HR processes, from everyday communications to performance reviews.

You might also like…

 

open gi case study

Open GI case study

Open GI’s old HR software was clunky to use and required far too much manual data input. Read more about how Cezanne HR revolutionised the way Open GI operates, saving time across the business.

Read Free Guide

People at desk with GDPR in backgorund

GDPR: Building a culture of responsibility

Having rules in place doesn’t mean everyone follows them. Drawing on research from Deloitte, discover how to build and maintain a culture of personal responsibility.

Learn how-to

Risk meter pointing at high

Could your HR record-keeping put your business at risk?

Reliable data and data management isn’t just important for the General Data Protection Regulation. Discover what else could go wrong if you don’t keep accurate records.

Read the blog

Sign up to our Newsletter

Subscribe Now