What HR departments need to know about the GDPR

I read an interesting article last October about the role of HR in preparing companies for the GDPR, and it struck a chord with me. Actually, it rang a bell in my head loud and clear.

Now almost a year later, as my new course on GDPR is about to go live on the myHRfuture Academy, I find that much of what I thought and felt a year ago about HR taking control is still true today – and all the more urgent, given that we are now four months post-GDPR enforcement.

GDPR and the HR department

Both are very close to my heart. Partly because I am a long-term practitioner in both fields, and partly because I believe they are intricately intertwined, besties in the world of ‘treating people’s personal information right’.

But also because, if my long career in HR has taught me nothing else, it is that there is a very high likelihood that GDPR compliance will somehow wash up at HR’s door when IT or Legal are finished with it.

HR and L&D teams are quite likely to be handed the hat to make sure “everyone knows what to do for GDPR”. The expectation that everyone is compliant with the law will be HR’s job, the same way HR bears responsibility for instilling health and safety practicalities in us and ensures we know what sexual harassment looks like, or how to avoid bribery and corruption at work.

Forewarned is forearmed

As they say, forewarned is forearmed. GDPR will impact all businesses, and all departments, except for those that genuinely have absolutely zero contact with any kind of personally identifying data.

To date, I am struggling to think of where that may be, or how that might occur, other than an automated factory. I am sure there are some isolated areas of work yet to occur to me where this applies.

Returning to my point – this new legislation will impact all areas in all businesses, from sole traders up to the biggest corporates. It will set a new bar for global data sharing. It will force businesses (in many cases unwillingly) to think a lot harder about what personal data they process, and share, and why they do it.

It will generate new ways of working, new ways of engaging with customers, new jobs (according to the International Association of Privacy Professionals (IAPP) there will be anywhere between 28000 and 75000 new DPO roles needed).

HR responsibility

It will undoubtedly mean new ways of working for HR too.

The advent of new monitoring and tracking technology in our daily lives has crept stealthily and easily into the employer-employee relationship too, and now HR will find that it is going to be held to account.

There will also be many new responsibilities for HR departments to design and deliver the required training and data protection awareness. This will need to be delivered to anyone operating for, or on behalf of, an organisation that may come into contact with personal data during the course of the tasks they carry out for that business.

This includes all full-time, part-time, contractors, mobile, lone and home workers. It also means that all temps, graduates, freelancers, and interims as well as interns, apprentices, work experience staff and volunteers will be included in the ‘workforce’. Training and awareness delivery methods for such a wide range of existing ‘staff’ and new hires are going to be quite a challenge.

It’s time for HR to step up

The GDPR is a big deal; it will need a similar approach to embedding and entrenching within all business practices as has been employed previously for embedding Health and Safety legislation and practice. This means there is a long, slow road ahead to embed good data privacy practices into businesses and it is time for HR to step up.

This may not be the news that HR wants to hear – believe me, I have daily conversations with business owners and managers about the inconvenience the GDPR poses to businesses in general, and their business in particular. I can genuinely imagine some HR departments groaning at the impact GDPR is already having, or soon will have, on them.

But, don’t be dismayed – I say “own it”!

The earlier that HR, as a function, can come to terms with the changes, start getting themselves in good order, and working with businesses to shape up for the future, the better.

Opportunity knocks

And what an opportunity! HR professionals are used to dealing with certain levels of business reluctance to adopt new practices. HR professionals bend their efforts to working with managers on risk management, and helping leadership teams embrace change.

HR is a function typically accustomed to translating complex legislation into practical business operations. As such, I believe HR is an ideal business partner for implementing GDPR compliance within businesses. That, by the way, is my tagline, when I am challenged on why I do what I do, and I am proud of it.

This is a time when HR as a function can really add value to a business. Even if the basic way to their employer’s heart is through the corporate bank balance, and they simply save them from a fine from the Information Commissioner’s Office.

How many similar chances to impact a business will come around in our current careers, that will enable HR as a function to step up in every organisation, every industry, and at the same time?

There is no reason why GDPR should be the remit of the IT department for cyber security, or sit within Legal for the drafting of data sharing agreements, or be the forte of Marketing for managing client database lists. There is also no reason why HR should be last to the party on this.

The GDPR is the biggest change to business operations in a generation, so I say let’s be in the front seat.

Get up to speed on the GDPR and its impact on HR

If you are looking to learn more about the GDPR and how HR should be responding to it then you should check out the myHRfuture academy online course on GDPR for HR that is launching soon. It's a great course for anyone in HR interested in learning more about how the HR profession prepares for the impact of the GDPR.


Kim has a professional interim career consulting to a broad cross-sector of industries, including banking, logistics and supply chain, retail, tech start-ups, CROs, charities and manufacturing. Her experience in HR and data protection consultancy covers 20 years, and 3 continents, including several years in Australia covering the AsiaPac region. She specialises in translating complex legislation into practical operational context. Kim guides business owners towards understanding their legal obligations as employers and caretakers of personal data, ensuring companies and their employees thrive on essential compliance rather than being hindered by it. Her training and advice covers best practice, strategy planning, change management and practical implementation in all elements of people management and GDPR compliance. She is an accredited HR and GDPR practitioner.