GDPR and the HR function

GDPR and the HR function

Julie Hodgskin from the Chartered Institute of Payroll Professionals (CIPP) discusses how the new General Data Protection Regulation (GDPR), which comes into force next May, will affect those working in the HR and payroll function in schools

A new Data Protection Bill was published September 2017 and is currently progressing through Parliament. It builds on the EU’s General Data Protection Regulation (GDPR) and the current Data Protection Act (DPA) 1998 by making mandatory the ‘best practise’ processes and procedures in use, while at the same time expanding the areas of compliance. The scope of the Bill is unaffected by the UK exiting the EU and will affect both EU organisations operating outside the EU as well as organisations outside the EU operating within it.

The amount of penalties imposed for data breaches (the loss, destruction, alteration, unauthorised disclosure of, or access to, personal data) is more stringent under the GDPR, and can be as high as £17m, or four per cent of global turnover. The implementation date is 25 May 2018 and every organisation must be compliant by then.


Below are some of the GDPR enhancements most likely to affect an educational establishment.

Under the current DPA the Data Controller determines the purpose and manner in which data is processed. With the implementation of the GDPR there is now a further requirement that the Data Controller liaises with any third party organisations, ensuring the integrity of their data security and that the contracts with the processors comply with the GDPR. There could be financial penalties if this is not done.

Under the current DPA the Data Processor is the member of staff, or the employee of a payroll bureau, who is involved in the processing of personal data. With the implementation of the GDPR there is also the requirement that the Data Processor maintain the accuracy of personal data and of the processing activities. Again, there could be financial penalties if this is not done.


There will be greater protection of an individual’s information. This not only covers the personal information held under the current DPA, but will include other data as identified under the GDPR ‘special category’ definition.

The special categories data covers racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data; data concerning health or sex life; sexual orientation.

To ensure the security of the data it must first be located, then identified, categorised and finally protected. The most effective way of doing this is to perform an information audit.


Another area of change is that there is now a responsibility for third party compliance. Many educational establishments outsource the processing of staff pay, and it is the responsibility of the Data Controller to ensure that third party compliance is in place and maintained. To start the process it may be useful to ask the following questions: What security procedures are in place? Are they secure enough to meet the new requirements? Are the current privacy policies and practices adequate? Do they need to be strengthened? What technological safeguards are in place? Is software regularly updated? What evidence can be offered to show compliance, or evidence of actions towards compliance to the new DPA by 25 May 2018? Does their insurance cover include customer liability?


Some of the rights under the GDPR are the same as the current DPA, some are enhanced and some are new.

The individual has right of access to their personal data. At present an organisation is allowed to take up to forty days to process a request and charge a levy of £10. Under the new regime any requests must be dealt with within one month of receipt and be free of charge.

The individual has the right to rectification. Any information proven to be inaccurate or incomplete by the individual must be corrected within one month. If it is decided that no action is needed then this must be explained to the individual and information on their right to complain, and to who, should be included.

The individual has the right to erasure. This is also known as the right to be forgotten, and this right has been enhanced to include the request to delete or remove all personal data where there is no reason to hold it.

The individual also has the right to restrict processing. An individual can request the restriction of data and this must be complied with if the data is in dispute; processing it would be unlawful; or the personal data is needed by the individual to establish, exercise or defend a legal claim.

Where information has been disclosed to third parties then the third party must be informed of the restriction and reasonable steps must be taken to ensure that they comply. If the data restriction is lifted then the individual must be informed.

The individual also has the right to data portability where they can move and transfer their personal data in a way that is easy and safe.

The individual also has the right to object to the processing of their personal data, as well as rights in relation to automated decision making.

The individual has the right to object to an automated decision where that decision has a legal or significant effect on the individual (an example would be where educational qualifications are required for a teaching position).


HR/Payroll is legally obliged to hold data for a minimum of three years after the end of the tax year. For many educational establishments that is a lot of data and storage can be a problem, whether stored manually or electronically.

One solution often used is that of a third party data storage supplier. If this is used, then a check of their compliance will need to be made.

The most publicised data breaches are by hackers who break into an organisation’s electronic systems. However, data breach also covers unauthorised disclosure and unauthorised access to personal data. This means for example, that any emails sent containing personal data may, if sent without the individual’s consent, be a data breach. And any emails sent in error would definitely be a data breach. Organisations should therefore look to alternative ways of transferring personal data.

Staff are only human and mistakes will happen, so to keep personal data secure one solution is to use ‘pseudonymisation’, that is the de-identifying or anonymising of data by removing the link between the data and the individual concerned.

This will eliminate the risk of discovery of the individual by a hacker or an accidental disclosure. However, it will only work if the code to the pseudonymisation is kept on a separate system to that of the data.

Finally There is a lot to do between now and 25 May 2018 and a lot of processes to go through before achieving compliance. The following is a suggestion of where to start.

Appoint a Steering committee to oversee the whole process and allocate significant jobs and tasks.

Perform an audit, documenting current procedures and enhancing them to meet the new regulation

Train staff in the new procedures and effect a cultural change that will confirm the protection of an individual’s personal data.

If action is taken now, it will still be possible to meet the deadline, but time is tight. Compliance is not optional, and neither are the penalties, so act now.

Further Information: