

Jo Stubbs, Head of Content at XpertHR Group


The EU General Data Protection Regulation (GDPR) comes into force on 25th May 2018. It replaces the Data Protection Act 1998 in the UK and marks the start of a radical new data protection landscape, with significant penalties for non-compliance.

In general, the impact on the UK’s financial sector will be significant given the huge number of records and data transactions it handles every year – but organisations also specifically need to consider how the GDPR will affect them from an HR perspective.

XpertHR research[i] carried out earlier this year suggests that the vast majority of HR professionals do not have a good understanding of the upcoming GDPR, with 51% of respondents describing their level of understanding as low, and 45% saying they had only “some” understanding. Just 4% of respondents said they had a good understanding of GDPR requirements.

With six months to go, it is imperative organisations understand the implications of GDPR from an employment perspective or they risk heavy fines, as well as potential reputational damage for failing to comply. Fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is greater, could be levied.

Ensuring compliance will require substantial investment in terms of money, organisational resources and management time, so the sooner companies start preparing the better.

What are the implications of the GDPR for HR?

The GDPR will introduce a system of “data protection by design and default”, requiring organisations to take data protection risks into account throughout the design and operation of all policies, processes, products and services – including HR policies and procedures.

While employers currently typically rely on employee consent to process their data – often given via a broad clause in employment contracts – under the GDPR this will be much harder and they will generally have to find an alternative basis. In addition, employers will be required to keep extensive records, including the type of employee data they process and the reasons for processing it.

Employees’ right to receive a copy of all data held on them by their employer will also be strengthened, with fees for such data subject access requests removed and a shortened time frame for employers to provide the information.

How can companies get ready?

It is vital for employers to secure board and senior management level buy-in now to effect compliance across the organisation within the required time frame. They should identify key stakeholders and ensure that the organisation has an executive sponsor on board to support the project through to May 2018 and beyond.

Employers will need to allocate sufficient resources to ensuring compliance with the GDPR, considering the size of their organisation, the types and volumes of data it processes and the level of risk. There is no “one-size-fits-all” solution and the organisation’s structure and culture will play a large part in how it implements its compliance programme.

Cross-functional teamwork will be crucial, and organisations will need their legal, HR, IT and compliance teams to take an integrated approach. They will need to bring together a team with the necessary skills and expertise to develop and implement a compliance programme, setting out the tasks, responsibilities and reporting lines of the individuals involved.

Once the team is in place, it will be important for it to work with each business area to identify the specific privacy risks to which the organisation is exposed, and how the organisation can mitigate or avoid them. The team should carry out an initial review of existing data processing practices against GDPR requirements, identify the gaps between current practice and those requirements, and assess the level of privacy risk.

Once an organisation has conducted this initial audit and risk assessment, the next step is to develop and implement a GDPR compliance programme, prioritising compliance activity and remedial measures based on areas with the highest risk and most significant impact. The organisation may need to adjust its initial estimate of time frames once it has started its compliance efforts and has a better understanding of how the GDPR requirements relate to its data processing practices and IT systems.

The implementation of a structured programme will assist in mitigating the risk of a fine and reducing the severity of any infringements. Employers should aim to be compliant by 25th May 2018, but this may be challenging in practice, so they should focus on the most important and riskiest areas first.

XpertHR has produced a guide providing an overview of the GDPR changes relevant to HR and the strategic considerations for organisations developing a compliance programme. The guide can be accessed here.

[i] http://www.personneltoday.com/hr/gdpr-hr-well-understood-hr-professionals/