GDPR in the world of HR
Gathered around a sumptuous breakfast at Shoreditch House,
Impact-ees Tom Wachnicki and Chris Beamish were delighted to host a
group of 14 HR professionals, supported by GDPR Practitioner
Kieron Tarling, to hold an open discussion on the new European
General Data Protection Regulation (https://gdpr-info.eu/) due to
come into force on May 25th this year.
GDPR can be highly ambiguous, and the decisions one company makes
towards becoming compliant can differ from another's,
even in the same field of business. By focusing on the immediate
needs HR teams need to address we collectively brainstormed
solutions and shared ideas to address this important
"Recruitment - how long we can save CVs for and what is
the process for elimination?"
The GDPR does not stipulate how long you can or cannot keep a
subject's data, so the real onus on your company
(the Data Controller) is to evaluate what is best for both the
company and the Data Subject: a balance test.
An in-house recruitment/HR team may not have similar
positions likely to become available within a reasonable time frame
and as such would have a much shorter retention policy period of
say three months, equivalent to the probation period of the
position being filled, just in case the original chosen candidate
does not work out.
The simple guidance on this question is to understand that
GDPR is saying don't collect more data than you actually need and
don't keep it any longer than it's usable. As soon as it's not
needed, delete it. Clearly set out your reasons and rationale for
your policies and procedures and all should be fine.
"Clarifying what consent is and how business can utilise
this in the best possible way?"
Yet another "big subject" in GDPR is the matter of
consent. To process personal data a Data Controller needs to
establish what "Lawful Process" they will apply to each data
processing stream. There are six types presented in Article 6
(https://gdpr-info.eu/art-6-gdpr/) of the GDPR, of which three
are most likely (but not always) to be appropriate: Performance of
a contract, Legitimate Interest and Consent.
It was an extremely engaging breakfast with everyone
taking a number of action points away for further discussion back
at their respective bases.
Other key points which were discussed and taken away from
the session were:
- Making sure that organisations had a path and were on the
way to being compliant by 25th May even if they
might not be able to action everything by the deadline.
- Training - Making GDPR "fun" as well as educational by
including "gamified" surveys, for example, to test employees'
knowledge and improve their ways of working when using data
on a daily basis.
- Using posters and other visual aids that can be incorporated
into general day to day working to engender a culture of data
responsibility and awareness.
In conclusion, GDPR is complex but it does not need to be
complicated. Take it step by step and make sure you justify and
document every process. Look at it through the eyes of the Data
Subject, remember you are one yourself. GDPR does not say you can't
process personal data if your Data Processing is justified!
"The event was really informative and valuable for
both Allie and myself. Being a start up and also one that's new to
the London market it was great to hear from a GDPR expert about
what we'll need to do and processes we'll need to put in place to
ensure we are ready and compliant come the 25th of May. It was also
great to hear from other businesses in creative industries as to
their ideas about GDPR and what they have done and will do to get
themselves ready." Nick O Sullivan (Talent Manager)-
"I really found the event informative, and of all the GDPR
talks we've been to so far, this has been the best! The GDPR
practitioner had such an un-intimidating approach and spoke to us
in a language we could understand which has been something we've
been struggling with. As awful as GDPR is he really helped with our
understanding. And it was a lovely group too - very open and
honest." Lisa Dyson (HR Advisor) - BBH
"Congrats on the roundtable, it was definitely one of the
best one of these types of events I've attended. Great venue,
really knowledgeable host who was able to make what is quite
complex and somewhat unknown subject matter really digestible, and
a nice group of attendees!" Brad Richards (Head of
Talent Acquisition) - Badoo
"A great introduction to GDPR which made it a lot easier to
understand, and was very informative. There were clearly
high levels of engagement demonstrated by attendees as it
generated a lot of discussion.
We were able to not only learn practical tips from the
practitioner, but also from each other and it has really helped
outline new processes we will need to implement going
forward. Overall I came away feeling a lot more
positive about GDPR." Rosanna Redshaw (HR Manager) -
James Grant Group
"I really enjoyed the opportunity to speak to peers in an
informal setting both about GDPR and general topics in HR. It is
often not easy to get the opportunity to meet senior HR people and
share ideas and challenges in an open and honest way and I thought
the event was pitched perfectly to facilitate that. GDPR is a huge
challenge for all of us and it is nice to know that we are all
experiencing the same issues in the practical application. I
thought the speaker was very practical and provided great advice on
how to navigate our way through the ambiguity of the
legislation." Jennifer Buckley (Chief HR Officer) -