Staying GDPR Compliant – How a HR software helps businesses cope with GDPR

Staying GDPR compliant

How HR software helps businesses cope with GDPR



The way we manage data has changed beyond all recognition in the last few years. Filing cabinets are fast becoming a 21st Century dinosaur, no one uses rolodexes anymore and the vast majority of businesses are switching to computer, online and cloud-based services. But the laws governing how that data is managed haven’t kept pace with this change. Until now.

You may have heard of GDPR, you may even have pencilled it in your diary but do you know what it really means for your business? Or what you need to do? Data protection rules are changing and even if you’re a small business you need to be prepared for them and make sure you’re compliant. Good HR software is a valuable tool to help make sure you’re prepared and compliant with the new regulations.

What is GDPR?

The mere mention of GDPR (or the General Data Protection Regulation to give it its full name) can strike fear into the hearts of many small business owners and managers. But GDPR, which comes into force on May 25, 2018, isn’t complicated.

GDPR is a regulation which is being introduced by the European Union to strengthen the laws surrounding data protection and storage. The UK government has already decided to adopt the legislation regardless of Brexit.

Data storage and management have changed dramatically since the last data protection laws came into force in 1998. Back then, the internet was in its infancy, cloud-based services didn’t exist, and much employee data was stored in manila folders in grey filing cabinets. GDPR will bring the law up to date and more in alignment with current technological changes.

GDPR will introduce much tougher fines (up to €20 million or 4% of annual turnover) in the event of a serious data breach or non-compliance. It will also give people a much greater say over what data is stored on them and how organisations use it. It also harmonises data protection throughout EU member states and applies not just to EU companies but to any company doing business in the EU, even if they’re based outside the EU.


Who is responsible?

If your business collects and stores data on computers or in organised filing systems, then you’ll be subject to data protection laws – this includes employee personal data. Whether you still rely on a paper system or have moved to an online HR software you have a responsibility to manage that data properly. It includes not just data collected on customers but any data you hold on your employees as well.

The onus of responsibility is put directly on data controllers (employers) and processors (HR managers) to identify any potential compliance issues within their business and to review how personal data is being stored.

Here are some questions to ask yourself to make sure you’re ready for GDPR and to demonstrate how HR software can help

Is the data you’re responsible for actually secure?

Under GDPR, any data breach has to be reported to the Data Protection Act within 72 hours. This highlights the real issue of having all of your employee data within a spreadsheet or a filing cabinet.

There is no real way of knowing whether there has been a data breach. A filing cabinet has unlimited access to anyone who walks into that room and any data within a spreadsheet is not encrypted. It’s also impossible to know who has made copies of that spreadsheet and where they are now.

Before May, you must conduct an audit on your data storage systems and how this data is shared. For example, holding a photocopy of someone’s passport within in a filing cabinet or just saving a scanned copy onto a hard drive would raise some concerns. Using secure HR software means you can take back control of the data you hold.

With breathe you’ll have the peace of mind that all of your documents are stored securely, hosted within the world’s most popular data hosting company, AWS-EU.

Anything you upload to breathe can also be shared securely since everyone has an individual, password protected, login to breathe and will have been set different user permissions.

Documents can be shared with specific permission levels and individuals securely, so you always know who does and doesn’t have access to certain documents.

How quickly can you access personal data?

It’s always been the case that employees are able to find out what HR-related personal data is being held. However, from the 25th May, you must now provide them with this information for free upon request. It’s imperative now, more than ever, that you have a system in place that allows you to quickly provide this information.

Ask yourself the question, “how long would it take me to retrieve all the data I hold on one of my employees?”. After GDPR comes into play you will have to answer this question ‘without delay and at the latest within one month of receipt’. Removing the cost barrier so that you have to provide this information free of charge will also likely cause an increase in requests.

Having a centralized, secure and cloud-based HR system in place removes the uncertainty of whether you would be able to accurately find all the data you hold on your colleagues.

Moreover, you can pull up this data in an instant without rooting through filing cabinets and spreadsheets saving you valuable time and money.

Viewing reports online, or exporting them as understandable documents means you always have access to the exact data you need for that moment. Since everything is there you know you’re not going to be missing anything which got hidden in a filing cabinet somewhere.

Is the data you hold accurate and up to date?

To remain compliant, you will need to ensure that any personal data stored is accurate and up to date. Any requests to update data must be dealt with quickly, again without delay and at least within one month.

It is also your responsibility as the data controller to make sure that the information you hold is regularly reviewed and any inaccurate records are corrected promptly.

Self-service HR software, like breathe, makes keeping records up to date incredibly easy, by providing your employees with a way to always know what data you hold on them and the ability keep it updated. House moves, or mobile number changes no longer need emails or scraps of paper but can be done quickly and simply by the employee.

Employees can upload all the information your company needs right from the word go. Gathering employee data is quick, easy and data is stored securely. Approval workflows and privacy settings mean you always have control over what gets updated and who can see what.


Can you remove all personal data that is no longer required?

Keeping data accurate also includes removing any data which is no longer required. Having the ‘right to be forgotten’ is now a common and accepted practice which GDPR will bring into law.

Therefore, do you have processes in place to make sure any records you no longer need are securely disposed of? This is tricky to be certain of when there is no centralised database of personal information.

Any information stored in breathe can easily be found and easily deleted. We do not hold onto the data and once it’s gone and there is no way for it to be recovered.

Only with a strong HR system in place can you be sure that you comply with an individual’s right to be completely forgotten.

Can you prove consent to use the data you hold?

The GDPR sets a high standard for consent, it’s important to be transparent about the data you hold and how you’re using it.

Employee data can be retained and processed on the basis that it is necessary under their employee contract, for example holding someone’s National Insurance number or right to work in the UK documents. However, GDPR strengthens the conditions for consent, meaning permission that was obtained as part of the terms and conditions of older employment contracts may no longer be enough.

Explicit consent may need to be given by employees for the retention and processing of sensitive personal data so it’s important to assess this before May 2018 and make sure you can prove you have gained sufficient consent. The GDPR also means that your employees have the right to withdraw consent at any time.

Transparency of data is achieved through employee self-service. Since everyone has access to view and even edit the personal data which is being stored on them there are never any surprises. This would simply not be possible if having to liaise with various spreadsheets or paper-based records.

Furthermore, having this data to hand and visible to each employee means you can run updated consent requests which comply with GDPR. HR software also provides you with centralised document storage meaning it is simple to search through contracts and declarations of consent making sure that everything is up to date and complies with GDPR standards.

About breathe

Our cloud-based HR software is specifically for small and medium-sized businesses. The software puts your business in control of all HR functions, processes, and employee data. It lets you manage employee data, payroll, expenses, benefits, recruitment, onboarding, training, absence, workloads, performance and more.


breathe offers a flexible, secure and reliable way to manage, advocate for, and communicate with your people. It’s the perfect solution for keeping on top of the day-to-day, and for maximising employee engagement. Our user-friendly visibility dashboards, comprehensive analytics, and extensive reporting facilities make sure your business is operationally efficient.

Request a Demo

Simply call us on 020 7616 6060 and ask for Bal Dhesi. Alternatively feel free to drop Bal an email at [email protected]


Article provided by breatheHR