Why should HR care about data protection?

Why should HR care about data protection?

Article by Tsaaro

7 min read

Why should HR care about data protection?


In all honesty, data leaks happen now and again from inside an organisation. However, the circumstances and justifications for why shift workers leave an organisation with a pen drive brimming with personal information can be devastating for the business and individuals whose data they possess. The issues could be anything from cash to show in the working environment. Despite what’s happening, an HR office can help.

Not all inside data leaks happen out of an evil plan, however — some of it spins around infections or simply not being just about as cautious as a worker ought to. Obliviousness or impudence about such a fundamental possibility as information could annihilate a business, so information can likewise be an integral asset that HR can help settle. To get more inside and out regarding this point, the following are three justifications for why it might very well be savvy to get HR required from the beginning.

The office is brimming with individual information, regardless of representatives, their closest relative or up-and-comers reacting to work adverts.

With such a functioning job handling touchy data, HR staff should ensure they’re doing everything needed to secure representatives and meet their administrative prerequisites.

Here are a few reasons why HR must care about Data Protection:

1.Knowledge of legal processing of data

An organisation should consistently record the explanation for its handling of individual information. The GDPR traces six legal bases that will be fitting in various conditions:

  • Assent: the individual consents to the information handling.
  • An agreement with the person is to supply labour and products they have mentioned or satisfy a commitment under a worker contract.
  • Consistence with a legitimate commitment: handling information for a specific design is a lawful necessity.
  • Fundamental interests: for instance, handling information will ensure somebody’s actual honesty or life (either the information subject’s or another person’s).

A general errand: for instance, to finish official capacities or assignments in the public interest. This will commonly cover public specialists like government divisions, schools and other instructive establishments; clinics; and the police.

  • Real interests: A private-area organisation has a certified and real explanation (counting business benefit) to handle individual information without consent if it isn’t offset by adverse consequences to the singular’s privileges and opportunities.

Before the GDPR, consent was viewed as the least demanding method for handling individual information legitimately; however, the Regulation has hardened consent prerequisites and made it outlandish for associations to utilise and agree to gather representatives’ very own data.

That is because it expresses that consent can’t be openly given, assuming there’s an unevenness of force, which would be the situation between a representative and a boss.

HR offices should, in this way, look for a lawful option premise, the most suitable by and large being authoritative need, a legal commitment or genuine interests.

2.The rights of the data subjects

They might be associates, yet with regards to their information, you should regard everybody in your association as information subjects similarly as you would with clients or customers.

That implies making them mindful of their freedoms concerning how your association processes individual data. There are eight subject information privileges:

  • The option to be educated
  • The right of access
  • The right to correction
  • The right to the eradication
  • The opportunity to confine handling
  • The right to information convenience
  • The option to protest

Privileges identified with mechanised independent direction, including profiling

The right of access is by a long shot the most generally agreed upon, on the grounds that workers will quite often survey how an association processes their information before housing an objection.

Your information security strategy should express that workers are free to present a DSAR (Data subject access demand) and clarify how they can do this.

There shouldn’t be a conventional cycle; any composed or verbal DSAR will do, regardless of whether it’s just about as essential as a worker saying, ‘I might want to see what information you’re keeping on me’.

In that capacity, everybody in the HR office should be prepared to perceive when a solicitation has been made and the interaction they ought to follow to guarantee they get the imperative data and react inside the one-month cutoff time.

3.Data of Job Application 

HR offices get immense individual information at whatever point they post an employment opportunity. CVs or applications will contain names, addresses, email locations and business history.

Similarly, as with worker information, you should clarify your legal reason for handling and how candidates can practice their data subject privileges. You could put this on the application structure or connect it to your work posting.

Albeit the documentation cycle ought to be somewhat direct – it’s by, and large acknowledged that you want to give individual subtleties when applying to a task – you should focus on information maintenance.

The GDPR states that associations can just save individual information however long it’s vital because it was gathered. UK businesses are lawfully needed to clutch employment forms for a long time if an up-and-comer stops a separation case.

In any case, you should hold information for longer than this – for instance, assuming a candidate is fruitless on this event, however, may be appropriate for future jobs. This illustrates real interests, and your information maintenance strategy should express this to clutch applications.

5.Acceptable use 

There’s a decent possibility your association has an OK use strategy as of now. They clarify that representatives should invest their energy in the workplace, giving bosses reasonable grounds to teach or rebuff the people who don’t invest sufficient time going about their business.

Be that as it may, the individuals who disregard this arrangement are relaxing as well as conceivably risking the association’s security.

Large numbers of the offensive sites that associations boycott are prestigious wellsprings of malware and infections, which can injure networks or, on account of keyloggers, who syphon sensitive data.

Likewise, workers ought to be told not to download documents from dishonest locales or their email accounts. The association’s spam channels and hostile to malware innovation don’t stretch out to individual messages, so it just takes one representative clicking a phishing email to contaminate the entire association.

You should subsequently clarify that satisfactory use approaches are as much regarding information assurance as they are tied in with guaranteeing a helpful labour force.

5.Monitoring your employees 

Even though associations may be enticed to execute observing instruments to ensure workers follow adequate use arrangements, they ought to be exceptionally cautious concerning how they do this.

Bosses are qualified to watch out for what their staff do during the available time. However, both CCTV film and program chronicles are viewed as close to home information under the GDPR, so associations need a legal premise before handling it.

Likewise, they should be as intentional and as unpretentious as conceivable in their observation. By no means are businesses legitimised in utilising comprehensive or mechanised checking techniques (like spyware) to glance through a worker’s program history and work environment interchanges if they’ll track down proof of abuse.

Bosses ought to likewise abstain from strategies that leave no hint of their checking, like actually sitting at the worker’s PC and glancing through their private correspondences.


Data protection is not just a simple one-person job; it is a team effort and is everybody’s responsibility. It is futile if only the head of a team understands the legal requirements and other compliances while the rest is clueless. Anybody handling sensitive personal data must be adequately trained and capable, and responsible for managing the same. This especially applies to the ones who are in top managerial positions. 


1 thought on “Why should HR care about data protection?”

Leave a Reply

Your email address will not be published. Required fields are marked *

Shubham Bansal

INTRODUCTION:  The enactment of the Digital Personal Data Protection Act, 2023, marks a significant milestone in the realm of data …

Shubham Bansal

Introduction  The introduction of the DPDPA, 2023 has brought in the opportunity for various sectors including the pharma companies to …

Shubham Bansal

INTRODUCTION:  The enactment of data protection legislation across various jurisdictions have necessitated strict mandates to protect people’s personal information. India …

Shubham Bansal

Introduction  In today’s digital age, data protection and privacy are crucial for businesses, especially those operating online. As companies increasingly …

Shubham Bansal

INTRODUCTION Last year, India achieved a significant mark when the long-awaited data protection legislation known as the Digital Personal Data …


Would you like to read regular updates from Tsaaro.
Subscribe to our newsletter

Our Latest Blogs

Read what the latest hapennings in the cyber world are and learn what the
experts have to say about them