GDPR reminder: Personnel data are personal data too

Tiina Tamsar Winters, Business Analyst at Nortal, February 15, 2018

As you prepare for the May 25 GDPR deadline, keep in mind that the most sensitive personal data your company holds might be about the people sitting right next to you.

When it comes to General Data Protection Regulation (GDPR) compliance, business leaders have focused a great deal of attention on marketing data and customer data, and how the changes will impact their business processes. One key point that often gets left out of the discussion, even to a dangerous extent, is how GDPR affects Human Resources.

No matter how large or small your company, if it employs EU residents or citizens, GDPR comes into play. You will have to plan for properly handling HR-related data, starting from collecting and storing CVs of prospective employees, up to work schedules, payroll calculations and performance reviews.

Who has permission to see the list of candidates for a position? Is it strictly on a need-to-know basis, as this is potentially a very sensitive issue for the candidate? How are performance reviews handled and bonuses calculated? Are those records on someone’s laptop?

Imbalance of power and other pitfalls

HR managers will have to tread much more carefully after May 25. Personnel data is, by nature, personal data and will likely be even more sensitive than the customer data companies typically collect. In addition, there are specific aspects of the employer-employee relationship that complicate GDPR compliance.

One is the ‘imbalance of power’ inherent in the relationship. An employee might give consent to have his or her name and photo listed on the company website, but that consent would not be considered legally valid. In theory, all such permissions would have to be agreed during employment contract negotiations, when the relationship is still equal.

Personnel data is personal data and will likely be even more sensitive than the customer data #GDPR

Likewise, collecting CVs from job candidates must be done under clear conditions of consent, specifying how long the CVs can be kept and who will be able to access them.

New times, new policies

These are just two small examples of the many complex GDPR-related issues that HR departments now face. The underlying solution is the same being used for marketing and customer data, namely, implementing new processes.

The manager responsible for HR should coordinate with a lawyer and/or Data Protection Officer to decide a set of company policies that comply with GDPR and other relevant data laws. Just as importantly, there must be checks in place to verify that the policies are being followed.

It is also advisable to perform a housecleaning of the company’s IT systems, using a tool such as DeepScan. This will help ensure that all legacy personnel data can be protected or deleted.



Nortal's award-winning data discovery product now has a new name. Say hello to DataRadar. Formerly known as DeepScan, DataRadar is a powerful tool for companies working to beef up their privacy protection systems. You can read more about the tool and how it can help...
Tiina Tamsar Winters

Tiina Tamsar Winters

Tiina Tamsar Winters, Business Analyst at Nortal, acts as a liaison between business and IT. She understands the client’s current situation quickly, and analyzes, systematizes, prioritizes, and documents business needs and requirements from all interested parties. There is no doubt she’s good at determining the solutions...

Related content