HR and the GDPR: how do employers carry out a DP audit?

Author: Gwynneth Tan

Applies to: Worldwide

The General Data Protection Regulation (GDPR) is coming soon and will bring a significant amount of upheaval for the HR team. Carrying out a data protection audit is likely to be the first step in understanding the scale of the changes required.

As covered in our previous articles in this series on HR and the GDPR, 'Employers, are you ready for the new EU data protection regime?' and 'HR and the GDPR: Where do we start?', employers need to be prepared for significant changes to data protection requirements from May 2018.

In order to be ready, employers - who will inevitably be collecting and processing data about their employees, making them data controllers - need to understand their current level of data protection compliance and what happens to personal data within their business.

The starting point will likely be a data protection audit to help identify where there are compliance issues, both under the Data Protection Act 1998 (for compliance now) and under the forthcoming GDPR, and what steps are needed to address any non-compliance.

For employers without a dedicated data protection or compliance function, a data protection audit can seem like an overwhelming challenge. But it doesn't have to be. Our top tips are as follows:

1. What does a data protection audit look like?

An audit can take many forms, from a 'desktop' paper-based review of current policies, procedures and contracts to a full review of how an organisation as a whole processes personal data, following the complex flow of data throughout its life from collection through to destruction. The scope of the audit is likely to depend on an employer's size, resources and current level of compliance.

2. How do we go about planning a data protection audit?

A full audit should give an employer full visibility of data protection compliance across its entire organisation and result in clear action points to enable it to address any non-compliant areas ahead of May 2018.

A full audit will involve putting together a project team made up of key stakeholders, including members of the Board, compliance, legal, IT, security and HR, who will manage the audit and agree what information needs to be obtained from each department through surveys or questionnaires.

Buy-in from stakeholders is key so that there can be a co-ordinated approach, with suitable time and resources allocated to the audit.

The information will then need to be reviewed and verified with the relevant departments before it is analysed and a full report produced, providing the employer's action plan.

3. We don't have a compliance or in-house legal team, what do we do?

If you are a smaller employer with limited support departments, data protection usually falls to the HR function. In many cases, starting by auditing HR can be a useful approach, as it is often the department which processes and stores the most personal and sensitive personal data (such as disciplinary, grievance and sickness records) and therefore, for many employers, carries the most risk. Some employers choose to start the audit process with the HR department and then replicate the process across other departments.

Ideally, someone with data protection experience and knowledge of the changes coming under the GDPR should be involved from an early stage, or a reliable external provider engaged.

4. What information do we need to ask for from our business?

The audit report will only be as good as the information that goes into it. Employers need to ensure that the right information is obtained at the outset by asking the right questions of each department. Consistency is also key, so that a clear picture of how data is processed across each department can be drawn and 'gaps' easily identified.

The meaning of 'data' is incredibly broad and will include written documents, computer-based files and images.

An audit will need to look not only at what data is processed but also at how it is processed, and so an understanding of software systems such as HR databases, recruitment portals and CCTV will also be needed.

5. How long will it take?

Even a desktop audit of a small company with CCTV, employees, a customer database and a third-party payroll provider will take a reasonable amount of time to do effectively. Timescales should not be underestimated. With just over a year to go, starting sooner rather than later is advisable.

Inevitably, further questions will need to be asked of departments, as well as of any third-party suppliers and processors, to ensure the auditor or project team has a full understanding of the processing undertaken. It is important that an audit is thorough and not rushed, as no employer will want to repeat the process before May 2018.

Employers with an international presence, international servers, or a number of subsidiaries or brands will need more time to plan a co-ordinated approach.

Don't forget that once the audit is complete, enough time needs to be left to rectify any areas of non-compliance, prepare new GDPR-compliant policies and procedures, and train employees accordingly.

Shoosmiths can assist with tailored data protection audits and help you ensure that your business is GDPR ready.

Should you have any concerns about your organisation's level of data protection compliance, please do not hesitate to contact us.


This document is for informational purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given.