< Back

Share |

Compliance implications for HR

March 2013

Compliance and responsibility

As data controllers, employers (and by extension their HR teams) will need to be aware of, and ready for, the following compliance obligations and responsibilities under the draft EC data protection Regulation (Regulation).

Compliance and verification

At the outset, the data controller must ensure policies are in place to comply with the Regulation. Coupled with this is the obligation to implement mechanisms to ensure verification of compliance. This flows from the Regulation's emphasis on "compliance over outcome" and is certainly one of the key areas where HR teams will need to be familiar with the relevant obligations.

testThe Regulation lists five particular measures to be adopted:

  • keeping specific documentation;
  • implementing specific data security requirements;
  • performing data protection impact assessments;
  • complying with the prior authorisation regime; and
  • designating a data protection officer.

HR teams will need to be aware that the obligation is on the controller to:-

  • implement appropriate mechanisms: and
  • verify that these measures are in place and being followed.

If proportionate, this can be carried out by independent internal or external auditors. However, the use of auditors may be beyond many companies' means and businesses may wish to keep this critical function in-house. As such, it could be that HR teams will have responsibility for compliance and verification.


Each controller and processor will need to maintain documentation relating to all the processing operations under its control, containing information such as, for example, the name and contact details of the controller and a general indication of time limits for erasure of the data.

Again, this obligation is focused on compliance and may impact smaller companies significantly given the amount of information and time needed for collation.

Perhaps with this in mind, the Regulation states that this obligation shall not apply to:

  • controllers or processors who are natural persons processing personal data without commercial interest; or
  • where there are fewer than 250 people employed with processing of personal data only an ancillary activity.

highlightThe Commission may provide for standard forms to document the processing obligations which may assist companies and their HR teams in limiting the time and information required.

To prepare for the Regulation, privacy policies should be considered and, if necessary, simplified and made more transparent.

Data Protection Officer

One of the key implications of the Regulation from an HR perspective is the new requirement for a Data Protection Officer (DPO) to be designated where processing is carried out by:

  • a public authority/body;
  • an enterprise which employs 250 people or more; or
  • if the core activity of the controller or processor is a data processing operation.

For group companies or undertakings (which employ 250 people or more) a single DPO can be designated for the group. For public bodies, a DPO may act for several entities.  This will be extremely helpful for large employers with centralised HR teams.

The DPO is to be designated on the basis of his/her professional qualities and must have expert knowledge of data law and practice. The criteria against which this can be consistently assessed across the EU remains to be seen as whilst the UK has an examined qualification other Member States may not. Also, there is the wider question of how the balance between academic qualifications, on the one hand, and relevant assessing experience, on the other, will be measured.

letter DPO, should be involved in a timely manner in all issues in relation to the protection of personal data must ensure they perform their duties and tasks independently. This means they are not to receive instructions from elsewhere within the organisation in relation to data protection matters and are to report directly to the management of the processor or controller who must support their task.

The task includes:

  • ensuring the appropriate documentation is maintained;
  • monitoring notification of personal data breaches;
  • performing data protection impact assessments; and
  • being a contact for supervisory bodies.

One of the key aspects of the role is that DPOs, are to be designated for at least a two year period and may only be dismissed if they no longer meet the conditions for the duty. If the DPO is an employee he or she need to be appointed for at least two years risking a breach of the Regulation if the DPO leaves.  This may create some significant practical issues from a HR perspective.


The notion of control relates to:

  • data protection impact assessments; and
  • data protection by design or by default.

A data protection impact assessment is to be carried out by the controller or processor where there are specific risks to the rights and freedoms of data subjects, for example, due to the scope of data being collected. The purpose is to assess the impact of the processing. Examples of specific risks include processing of healthcare information which will be particularly relevant for HR purposes.

The assessment is to contain at least a general description of the planned processing to assess the risks and how they can be addressed. HR teams will, no doubt, be integral to this process.

keyThe Regulation acknowledges that specific measures may need to be tailored for SMEs (if appropriate) and that assessments be provided to supervisory authorities on request which may assist smaller companies.

Privacy by design falls under the requirement for organisations to introduce and implement means to ensure the processing complies with the Regulation and protects the individual. This can be achieved early by designing a system which is robust and tied into the business.

HR can play a key role either in assisting with the assessments or in identifying the sorts of data collected and the means to limit the data to be processed.


Under the Regulation, breach notification will be standardised. There will be an obligation on data controllers to notify the supervisory authority of any personal data breach. This is to be without undue delay and no later than 24 hours after becoming aware of it unless a delay can be reasonably justified. The processor is to alert and inform the controller immediately on establishing the breach though what "immediately" means in this context is unclear.

The notification should include descriptions of the nature of the breach and state from whom further information can be obtained.

In general, once the relevant supervisory authority has been notified, the data subject involved should be informed of the breach without undue delay except where the supervisory authority is satisfied that measures were applied to avoid a breach and to make the data unintelligible.

It will be critical to involve HR in the drafting and implementation of policies governing breach notification and communication to data subjects.

Subject access

Under the Regulation there will no longer be a fee for data subject access requests. There will be a timeframe of one month to respond. Also, the response is to be in writing or sent electronically depending on the method by which the request is made, which adds to the complexity.

netAt the early stage, data subject access requests are relatively simple in terms of having to identify key words, such as names, to be searched against. However, as they become more complex requiring assessment of documents, this can generally only be done by a person.

For larger companies it may be possible to have a data subject access team responsible for such requests. However, in general, HR can assist in a number of ways including implementing policies in terms of how data is to be saved and devising searches for relevant documents to speed up the process.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.