I read an interesting article in HR Grapevine Magazine last October, shortly after attending the People Analytics Forum 2017 to talk about GDPR and ethics, and it struck a chord with me.  Actually, it rang a bell in my head loud and clear.

Now almost a year later, as a joint venture with the clever people at myHRfuture and Insight222 is soon to come to fruition, I find that much of what I thought and felt a year ago is still true today – and all the more urgent, given that we are now 4 months post-GDPR enforcement.

GDPR and the HR Dept

Both are very close to my heart.  Partly because I am a long-term practitioner in both fields, and partly because I believe they are intricately intertwined, besties in the world of ‘treating people’s personal information right’.

But also because, if my long career in HR has taught me nothing else, it is that there is a very high likelihood that GDPR compliance will somehow wash up at HR’s door when IT or Legal are finished with it.

HR and L&D teams are quite likely to be handed the hat to make sure “everyone knows what to do for GDPR”.   The expectation will be that ensuring everyone is compliant with the law is HR’s job, the same way HR bear responsibility for instilling health and safety practicalities in us and ensuring we know what sexual harassment looks like, or how to avoid bribery and corruption at work.

Those of you who are fellow HR practitioners are no doubt nodding your heads wryly as you read this.

Forewarned is forearmed

As they say, forewarned is forearmed.  GDPR will impact all businesses, and all departments, except for those that genuinely have absolutely zero contact with any kind of personally identifying data.

To date, I am struggling to think of where that may be, or how that may occur, other than an automated factory – I am sure there are some isolated areas of work yet to occur to me where this applies.

Returning to my point – this new legislation will impact all areas in all businesses, from sole traders up to the biggest corporates.  It will set a new bar for global data sharing.  It will force businesses (in many cases unwillingly) to think a lot harder about what personal data they process, and share, and why they do it.

It will generate new ways of working, new ways of engaging with customers, new jobs (according to the International Association of Privacy Professionals (IAPP) there will be anywhere between 28,000 and 75,000 new DPO roles needed).

HR Responsibility

It will undoubtedly mean new ways of working for HR too.

The advent of new monitoring and tracking technology in our daily lives has crept stealthily and easily into the employer-employee relationship too, and now HR will find that it is going to be held to account.

There will also be many new responsibilities for HR departments to design and deliver the required training and data protection awareness.  This will need to be delivered to anyone operating for, or on behalf of, an organisation that may come into contact with personal data during the course of the tasks they carry out for that business.

That means all full-time, part-time, contract, mobile, lone and home workers.  It means all temps, graduates, freelancers, and interims. It also means interns, apprentices, work experience and volunteers will be included in the ‘workforce’.  Training and awareness delivery methods for such a wide range of existing ‘staff’ and new hires are going to be quite a challenge.

H&S Precedent

The GDPR is a big deal; it will need a similar approach to embedding and entrenching within all business practices as has been employed previously for embedding Health and Safety legislation and practice.

All businesses take Health & Safety seriously (and rightly so; the ones that don’t end up as cautionary tales), but this wasn’t always the case.  A decade ago the Health & Safety Executive published findings about the key reasons behind small and medium enterprises remaining consistently non-compliant with H&S legislation.  One quote from an even earlier study stood out:

“Small firms often appear to be unaware of their legal obligations, do not realise the dangers of poor practice, do not think about the benefits of good health and safety practice and have insufficient resource to devote to health and safety” (McKinney, 2002)

This quote is really pertinent – substitute the words “health and safety” with “data privacy” or “information governance” and the issues are the same as the ones we face today for data protection.  Which means there is a long, slow road ahead to embed good data privacy practices into businesses.

Step Up

And this brings me back to my earlier point, about it being HR’s time to step up.

This may not be the news that HR wants to hear – believe me, I have daily conversations with business owners and managers about the inconvenience the GDPR poses to businesses in general, and their business in particular.  I can genuinely imagine some HR departments groaning at the impact GDPR is already having, or soon will have, on them.

But, don’t be dismayed – I say “own it”!

The earlier that HR, as a function, can come to terms with the changes, start getting themselves in good order, and working with businesses to shape up for the future, the better.

Opportunity Knocks

And what an opportunity!  HR professionals are used to dealing with certain levels of business reluctance to adopt new practices.  HR professionals bend their efforts to working with managers on risk management, and helping leadership teams embrace change.

HR is a function typically accustomed to translating complex legislation into practical business operations.  As such, I believe HR is an ideal business partner for implementing GDPR compliance within businesses.  That, by the way, is my tagline, when I am challenged on why I do what I do, and I am proud of it.

This is a time when HR as a function can really add value to a business.  Even if the basic way to their employer’s heart is through the corporate bank balance, and they simply save them from a fine from the Information Commissioner’s Office.

How many similar chances to impact a business will come around in our current careers, that will enable HR as a function to step up in every organisation, every industry, and at the same time?

There is no reason why GDPR should be the remit of the IT department for cyber security, or sit within Legal for the drafting of data sharing agreements, or be the forte of Marketing for managing client database lists.  There is also no reason why HR should be last to the party on this.

The GDPR is the biggest change to business operations in a generation, so I say let’s be in the front seat.

The HR GDPR Movement

For those of you interested in learning more about how GDPR impacts HR as a function, Sphere Data Protection deliver a variety of training initiatives, aimed at people functions for businesses of every size and shape. We can deliver bespoke training to HR teams (see our new e-learning offering through the Academy) as well as designing and delivering wider company awareness across all divisions, from Customer Service to Finance.

If you are interested in learning more about this, or want to be among the first to know when my first sessions and tools will be launched, send me an email to or connect with me on LinkedIn or follow me @SphereDP or @SphereHR.

I’m looking forward to working with you all!

September 21st, 2018 | Compliance, Data Protection, GDPR, Human Resources