GDPR: Proper handling of employee data

How to handle employee data


Imagine that you have just had an EDP interview with your employee "on paper". You may have talked about a questionnaire that you printed, and which was filled in by your employee. You now hand to write the minutes by hand or on the computer. Once the minutes are done, you place them, together with the questionnaire, in a binder titled EDP 2019.

And then you place the binder in a cabinet behind your desk.

Perhaps you don't even have time to put away the questionnaire before rushing on to the next meeting.

If other people – colleagues, business partners, cleaning staff – have access to your office, there is nothing to prevent them from looking at the questionnaires. No matter if they lie directly on the desk or a stored in a binder in the cabinet.

If you store the documents in a folder on your computer, you should also consider who can access them. Do you share a drive with your co-workers, or do you have any other means of looking in your folders?

These are things to consider when storing data about your employees. You have to do this because GDPR legislation has been tightened.


Tightened GDPR legislation

GDPR stands for General Data Protection Regulation, and it is a piece of legislation introduced by the EU. In Denmark, it also goes under the names "Databeskyttelsesforordningen" and "Persondataforordningen", and it became particularly relevant on May 25, 2018, as all companies had to comply with the legislation from that date on.

GDPR is primarily about securing the personal data of one's clients and employees. You might even say that it is their legislation, and it is your job to secure their data in practice.

Here's a 10-point checklist you need to go through in relation to GDPR legislation.


1) Map your information assets

Map all the information assets of the company, such as IT systems, personal data folders, PCs, mobile phones and anything else in which personal data may be stored and processed.


2) Make agreements with data processors

Make sure you have data processor agreements with all your data processors.

3) The legally required record of your company's processing activities

Start by describing all the cases in which personal data is processed.

For HR, this could be:

  • Payroll processing
  • Employee Development Planning (EDP)
  • Workplace Assessment (WPA)
  • Recruitment
  • Hirings
  • Dismissals etc.

For all situations where the company processes personal data, you must be able to map the processes. And based on this mapping, you should assess whether you need to change some processes in your business as to protect the personal data the best.


4) Perform a risk assessment

Perform a risk assessment of your processing of personal data.


5) Comply with the requirements for privacy by default and privacy by design

Make sure your business complies with the privacy by default requirement in its company systems and processes. Whenever possible, you should also comply with the privacy by design requirement.

Privacy-by design: Ensures that data protection is incorporated as an integral part of the company's business processes, value chain and product lifecycle. Right from the production phase to when the product arrives at the end-user.

Privacy-by-default: Ensures that products are configured from the start to ensure the highest level of personal data protection. At the same time, it is necessary to ensure that personal information about a user is stored only for as long as it is necessary in order to provide a product or service.

The purpose is to reduce the amount of data and that consumers are basically entitled to decide how much of their data should be shared and visible.


6) Make sure your employees process personal data correctly

Create guidelines for your employees' processing of personal data and make sure your employees follow these guidelines.


7) Review information security in your company

Review the information security of your company and make any changes necessary.


8) Keep track of physical security

Review the physical security of your company, such as: Lock the accessway to the server, clean up papers, and consider whether you should introduce relevant security measures into your company.


9) Communicate with your clients

Inform your clients about how you use their personal data.


10) Communicate with your employees

Inform your employees about how you use their personal data.



GDPR in is fully compliant with GDPR legislation. If you use our system, you can safely collect and store questionnaires and minutes from EDP interviews, sickness absence dialogues, etc.

As a new customer of you will receive a Data Processor Agreement, which you sign with an electronic signature before you can use the system. Therefore, everything concerning the Data Processor Agreement with will automatically be taken care of.

In addition, each year in May, a statement of assurance (ISAE 3000) will be prepared, which is available online to all customers.

Let us have a talk about your options

Let us call you. We will quickly find a solution that fits your organization!