Ian Hodson, head of reward at the University of Lincoln, is acutely aware of the amount of work that will be needed in order to comply with the General Data Protection Regulation (GDPR). “We are at the stage of coming up with an action plan and a workplan of trying to break down what are really sizeable bits of work," he says. "We are looking at who we send HR data to, both in terms of internal partners like the university library or university sports centre, as well as our external partners, which might be benefits, pensions or recruitment providers.
“It is easy to get complacent, to have common interfaces and hand over information just because it’s what happens. We don’t always remember why things are set up in a certain way. So it is encouraging us to really revisit all our processes and ask why are we sending over this field? Do they actually need it for what they are doing?”
Like most employers, the university already has data sharing agreements in place. The work will be in revisiting each agreement and bringing these up to date, while filling in any gaps, says Hodson.
“One of the big changes in the law is we are still accountable for other people’s actions," he explains. "We can’t just dismiss it as, ‘that’s not our problem because it’s the third party’s’.”
Structurally, the GDPR will also mean changes. The university has a staff member who will become the compliance officer. There is also a large internal working group looking at the many ways in which the GDPR will affect the university.
Hodson and his team will also seek legal support to help them with specific challenges. “One of the big things we will look at in HR is changing employee contracts and what goes in those. We will use our employment legal support for that. At the same time, we have to look at our procurement areas and our service level agreements with third-party benefits providers where we will be using relevant legal support on that side.”