GDPR roundtable – developing best practice

12 March 2018

This article was featured in the April 2018 issue of the magazine.

The CIPP’s General Data Protection Regulation (GDPR) roundtable, which took place on 13 February 2018, was opened and chaired by Vickie Graham, associate director of marketing and business development at the CIPP. As well as the roundtable discussions, the event had guest speaker sessions provided by Claire Wright from CLF Consulting and Andy Collins from Omni Cyber Security.

With recent research from Deloitte suggesting that only fifteen per cent of organisations will be GDPR-ready by the implementation date of 25 May 2018, the roundtable set out to confirm some key points and dispel myths to help the payroll industry prepare.


Moving from Data Protection Act to GDPR

The biggest difference between the Data Protection Act and the GDPR is that two of the ‘principles’ under the Act are promoted to Article status under GDPR.

To help you prepare for GDPR you need to:

  • understand where you are currently with the DPA and GDPR

  • understand what you need to do to comply (e.g. analyse gaps)

  • define what you need to do by business risk.

If you are complying with the DPA, then the implementation of GDPR should not be as cumbersome.


Data mapping

During the event, the importance of data mapping was covered; specifically:

  • conducting departmental interviews that look at data mapping across the entire business

  • spending a day in each department looking at all areas where data is captured, processed and stored

  • reviewing the impact and risks identified through these activities

  • mapping the relationships where data is shared.


Data subject rights

The event talked about the rights of the data subject, namely:

  • The right to be informed – Everyone has the right to be informed of how their personal information will be used and shared. In some circumstances, changing the original purpose will also require informing them of the change.

  • The right to access – Everyone has the right to request access to all the information that you hold on them. Because of this, meeting the ‘data minimisation’ principle will help: only keep the information you require to carry out processing that the individual knows of and that has a lawful basis, and only for the period of time you require it for that purpose.

  • The right to rectification – If you hold incorrect data on an individual, they have the right to have this rectified. For payroll and human resources, it would be beneficial to have a self-service portal for employees to manage domestic-related data themselves.

  • The right to be forgotten – This is not an absolute right, and later in the event we discussed consent and the other lawful bases by which you are entitled to process data on an individual. However, if you process data on an individual and it is no longer required, they have the right to ask you to remove them from your records. If there is no lawful basis for you to hold their data, you will need to remove them.

  • Restriction – This is linked to the right to be forgotten. If someone asks to be removed, but there is a lawful basis by which you need to retain their data, you should restrict access within your organisation.

  • Portability – With the data subject’s consent, it should be simple to transfer data from one provider to another, following verification that the data subject is who they say they are. This applies to specific industries.

  • The right to object – Under the Data Protection Act, the right to object was purely for marketing purposes. Under the GDPR, however, this right is absolute and includes historical, statistical and scientific purposes as well as marketing.

  • Automated decisions – An individual has the right to object to their data being processed wholly by automated decision making.

As an example, if an employee applies for a role which requires a clean driving licence but has three points on their licence that are due to come off in a month’s time, they would want the opportunity to confirm this through human interaction, rather than be removed from the recruitment process because an automated decision rejected them for having those points.




Consent and other lawful bases

The roundtable covered the lawful bases on which data can be collected and held. Although there has been a lot of discussion about consent in relation to GDPR, there are six lawful bases for processing individual data.

  • Legal obligation – You are required, by law, to process the data.

  • Contractual obligation – You have an employment contract with an individual and have clearly outlined why the data is being processed; this is the most important basis for payroll and human resources. However, you need to consider what is required under the contract and what is required after an employee leaves your organisation’s employment.

  • Legitimate interest – There is a legitimate interest, for the data subject, in using the data held to inform them of something that will benefit them.

  • Vital interests – It is in the vital interests of the data subject and others (e.g. their colleagues) to know the information. For example, an employee with an allergy may not want others to know; however, it is in their vital interests that the company first aiders are aware, so that if the employee has an allergic reaction they are able to administer the correct first aid response.

  • Public interest – There is a public interest in the data being held and processed; for example, members of parliament’s addresses are in the public domain.

  • Consent – The individual has provided explicit consent for their data to be processed, and that consent is the lawful basis. In a payroll and HR context, it is unlikely that consent would be the main basis on which you process their data; it could be, however, for secondary uses of their data. Consent can be withdrawn at any time by the data subject, making it the least reliable basis.



The overall takeaway from the roundtable was that GDPR should be viewed as an opportunity to:

  • review business processes and operate more efficiently and effectively

  • reduce costs, including saving on storage for unnecessary retention of data

  • engage with other departments to gain a deeper understanding of the business and operate more efficiently

  • develop self-service platforms for individuals to take more ownership of their data accuracy.

For more information on GDPR, the CIPP has a webcast available to members within My CIPP on the CIPP’s website; and there is a GDPR training course available face to face and online.