Compliance · February 15, 2026 · 9 min read

GDPR Compliance for HR Teams: A Practical Guide

HR teams process some of the most sensitive personal data in any organization. Here is a practical, jargon-free guide to getting GDPR right.

The General Data Protection Regulation has been in force since May 2018, yet many HR teams still struggle with its practical implications. This is not because the regulation is unreasonably complex, but because most guidance is written by lawyers for lawyers. HR professionals need actionable steps, not legal treatises.

This guide focuses on what HR teams actually need to do, day to day, to process employee data lawfully and responsibly under GDPR. It is not a substitute for legal advice, but it will give you a solid working understanding of your obligations and concrete steps to meet them.

GDPR Basics: What HR Teams Need to Know

GDPR applies to any organization that processes personal data of individuals in the European Economic Area (EEA), regardless of where the organization is based. For HR teams, this means that if you employ anyone in the EU, or if your company is based in the EU, GDPR governs how you handle their employment data.

The regulation is built on seven principles: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability. For HR teams, these principles translate into practical requirements at every stage of the employment lifecycle, from recruitment through offboarding and beyond.

Lawful Basis for Processing Employee Data

Every piece of employee data you process needs a lawful basis. This is one of the most misunderstood aspects of GDPR in the HR context. Many HR teams assume they need consent for everything. They do not, and in many cases, consent is actually the wrong basis to rely on.

There are six lawful bases under GDPR. For HR teams, the most relevant are:

  • Contractual necessity: You need to process data to fulfill the employment contract. This covers payroll, benefits administration, and most core HR functions. You cannot pay someone without processing their bank details, so this basis covers that processing without needing separate consent.
  • Legal obligation: You are required by law to process certain data. Tax withholding, right-to-work verification, health and safety records, and statutory reporting all fall under this basis.
  • Legitimate interest: You have a legitimate business reason to process the data, and this interest is not overridden by the employee's rights. Performance management, internal communications, and organizational planning typically rely on this basis.
  • Consent: The employee has freely given, specific, informed consent. In the employment context, consent is problematic because of the power imbalance between employer and employee. Regulators generally view employee consent as less freely given than consumer consent. Use consent only when none of the other bases apply, for example, for optional employee surveys or publishing employee photos on social media.

"The most common mistake HR teams make with GDPR is treating consent as the default basis for processing employee data. In most cases, contractual necessity or legal obligation is the correct basis, and these do not require the employee to opt in."

Data Minimization: Collect Only What You Need

Data minimization is the principle that you should only collect and retain personal data that is necessary for the specified purpose. For HR teams, this means regularly reviewing what data you collect and asking whether each field is genuinely needed.

Common areas where HR teams over-collect include:

  • Asking for a full date of birth when only the year is needed for age verification
  • Collecting marital status when it is not relevant to benefits or payroll
  • Retaining interview notes and assessment scores long after the hiring decision is made
  • Keeping copies of identity documents after right-to-work verification is complete

Conduct a data audit at least annually. For every field you collect, document why you need it, what lawful basis applies, and how long you will retain it. If you cannot articulate a clear purpose for a data point, stop collecting it.

Employee Rights: Access, Rectification, and Erasure

GDPR gives employees specific rights regarding their personal data. HR teams need to be prepared to handle requests related to these rights within the legally mandated timeframe of one calendar month.

Right of Access (Subject Access Request)

Employees have the right to request a copy of all personal data you hold about them. This includes data in your HRIS, email communications about them, performance reviews, disciplinary records, and any other system where their data resides. You must provide this data in a commonly used electronic format within one month.

The practical implication is that you need to know where all employee data lives across your systems. If employee data is scattered across spreadsheets, email inboxes, shared drives, and multiple SaaS tools, responding to a subject access request becomes a massive manual undertaking. A centralized HRIS dramatically simplifies this.

Right to Rectification

Employees can request that inaccurate data be corrected. This seems straightforward, but it can become complicated with subjective data like performance reviews. As a general rule, factual errors must be corrected. Subjective assessments do not need to be changed, but the employee may have the right to have their disagreement noted alongside the assessment.

Right to Erasure

The right to erasure, sometimes called the right to be forgotten, allows individuals to request deletion of their personal data. However, this right is not absolute. In the employment context, you can retain data that you are legally required to keep, such as tax records, and data that you need for the establishment or defense of legal claims, such as records related to a dismissal that might be contested.

Develop a clear data retention schedule that specifies how long you keep each type of employee data after the employment relationship ends. Typical retention periods range from 1 year for recruitment records to 7 years for payroll and tax records, depending on your jurisdiction.

Cross-Border Data Transfers

If your company operates across multiple countries, you are likely transferring employee data across borders. Under GDPR, transferring personal data outside the EEA requires specific legal mechanisms to ensure the data receives equivalent protection.

The most common mechanisms are:

  • Adequacy decisions: The European Commission has determined that certain countries provide adequate data protection. Transfers to these countries require no additional safeguards.
  • Standard Contractual Clauses (SCCs): Pre-approved contract templates that bind the data recipient to GDPR-equivalent protections. Most SaaS vendors that handle EU data use SCCs.
  • Binding Corporate Rules: Internal policies approved by a data protection authority that govern intra-group transfers. These are typically used by large multinational corporations.

When selecting HR technology vendors, verify that they have appropriate transfer mechanisms in place and can demonstrate compliance. Ask for their Data Processing Agreement (DPA) and review where data is stored and processed.

Practical Steps to Get Compliant

If you are reading this and realizing that your HR data practices need improvement, here is a prioritized action plan:

  • Step 1: Audit your data. Map every type of personal data you collect, where it is stored, who has access, and why you collect it. This is the foundation for everything else.
  • Step 2: Document your lawful basis. For each data processing activity, document which lawful basis applies. Create a Record of Processing Activities (ROPA) as required by Article 30.
  • Step 3: Update your privacy notice. Ensure employees receive a clear, comprehensive privacy notice that explains what data you collect, why, how long you keep it, and what their rights are. This should be part of the onboarding process.
  • Step 4: Implement access controls. Ensure that only people who need access to specific employee data have it. An HR coordinator processing payroll does not need access to disciplinary records. Role-based access control in your HRIS is essential.
  • Step 5: Establish a retention schedule. Define how long you keep each type of data and implement automated deletion or archival processes. Do not keep data indefinitely just because it is easier than cleaning it up.
  • Step 6: Train your staff. Everyone who handles employee data needs to understand their GDPR obligations. This includes HR team members, managers who access HR systems, and IT staff who administer the infrastructure.
  • Step 7: Prepare for requests. Create a process for handling subject access requests, rectification requests, and erasure requests. Document the process, assign responsibility, and test it before you receive a real request.
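The retention schedule in Step 5 and the limits on the right to erasure described earlier (statutory records and data needed for legal claims are kept) are the parts of this plan that an HR system actually has to encode. The following is an added example, not code from this guide or from any HR product: a small Python retention engine that decides, per record, whether a record is deleted or retained, and why. The category names, the 2- and 3-year periods for performance and disciplinary records, the `legal_hold` flag and the sample records are all assumptions constructed for illustration; only the 1-year and 7-year figures come from the text, and real periods depend on your jurisdiction.

```python
from dataclasses import dataclass
from datetime import date

# Retention schedule in years, counted from the date the clock starts for that
# category (end of employment for payroll and tax, the hiring decision for
# recruitment). Only the 1-year and 7-year figures appear in the guide; the
# other periods are assumptions chosen for illustration.
RETENTION_YEARS = {
    "recruitment": 1,
    "performance_review": 2,   # assumption
    "disciplinary": 3,         # assumption
    "payroll": 7,
    "tax": 7,
}

# Categories kept under a legal obligation even when erasure is requested.
STATUTORY = {"payroll", "tax"}


@dataclass
class Record:
    employee_id: str
    category: str
    clock_start: date          # date the retention clock starts for this record
    legal_hold: bool = False   # needed for establishment or defence of legal claims


def add_years(d, years):
    """Add calendar years, clamping 29 February to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def expiry(record):
    """Last day the record is inside its retention period."""
    if record.category not in RETENTION_YEARS:
        # Fail closed: an undocumented category is a data-audit gap, not a
        # reason to guess a period.
        raise ValueError(f"no retention period defined for {record.category!r}")
    return add_years(record.clock_start, RETENTION_YEARS[record.category])


def decide(record, today, erasure_requested=False):
    """Return (action, reason); action is 'delete' or 'retain'."""
    if record.legal_hold:
        return "retain", "needed for establishment or defence of legal claims"
    if today > expiry(record):
        return "delete", "retention period expired"
    if erasure_requested:
        if record.category in STATUTORY:
            return "retain", "legal obligation to keep until retention expiry"
        return "delete", "erasure request honoured"
    return "retain", "within retention period"


def run_schedule(records, today, erasure_requests=frozenset()):
    """Evaluate every record; returns a list of (record, action, reason)."""
    return [
        (r, *decide(r, today, r.employee_id in erasure_requests))
        for r in records
    ]


# Constructed sample data: one former employee who left on 2024-03-31 and
# whose dismissal might be contested, and who has sent an erasure request.
SAMPLE_RECORDS = [
    Record("e-1001", "recruitment", date(2023, 1, 15)),
    Record("e-1001", "payroll", date(2024, 3, 31)),
    Record("e-1001", "performance_review", date(2024, 3, 31)),
    Record("e-1001", "disciplinary", date(2024, 3, 31), legal_hold=True),
]

if __name__ == "__main__":
    for rec, action, reason in run_schedule(SAMPLE_RECORDS, date(2026, 2, 15), {"e-1001"}):
        print(f"{rec.employee_id} {rec.category:<19} {action:<6} {reason}")
```

Run as a scheduled job, the output of `run_schedule` is the deletion worklist and, equally important, the audit trail: every retained record carries the reason it was kept, which is exactly what you need to answer an erasure request or a regulator's question about why a record still exists.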

GDPR compliance is not a one-time project. It is an ongoing practice that requires attention to how data is collected, used, stored, and deleted throughout the employment lifecycle. The good news is that most of what GDPR requires is simply good data hygiene: collect what you need, protect it properly, keep it accurate, and delete it when you no longer need it. A modern HR platform with built-in access controls, audit logging, and retention management makes this dramatically easier than trying to enforce these practices across scattered spreadsheets and email inboxes.
