
GDPR for HR: The Data Discipline That Lives in Every People System

The principles, the legal bases for HR processing, the high-risk activities, and the discipline that keeps an HR function clean under GDPR, UK-GDPR, and the…

15 min read Updated 2026-05-24
60-Second Summary
  • GDPR isn't IT's job — HR is one of the highest-risk processing functions in the company.
  • Consent is rarely the right legal basis for HR processing; use contract necessity, legal obligation, or legitimate interests instead.
  • Data subject access requests (DSARs) from employees and ex-employees are rising fast.
  • Special-category data (health, biometric, union membership) gets its own protection tier.
  • Build a Record of Processing Activities — it's required, and it's also the only way to find your own risk.

Privacy regulators in the EU, UK, Brazil (LGPD), California (CCPA/CPRA), and a growing list of other jurisdictions treat HR as one of the highest-risk processing functions in the company. The volume, sensitivity, and asymmetry of power make it so. This is the working discipline.

The principles, applied to HR

GDPR principles translated to HR practice
  1. Lawfulness, fairness, transparency: tell employees what you collect and why, in plain language, in the employee privacy notice.
  2. Purpose limitation: data collected for recruiting can't quietly be used for product personalization.
  3. Data minimisation: don't collect 'just in case'; if you don't need date of birth for the role, don't store it.
  4. Accuracy: employees can request corrections; build a self-service flow.
  5. Storage limitation: retention schedules by jurisdiction and purpose; automate deletion.
  6. Integrity & confidentiality: access controls, encryption, audit logs, not just for the HRIS but for every people-data store, including spreadsheets.
  7. Accountability: document everything. The Record of Processing Activities is mandatory and useful.
Why HR should almost never rely on consent

Consent under GDPR must be freely given. The employer-employee power asymmetry means most regulators (and courts) view employee 'consent' as not genuinely free. Use contract necessity, legal obligation, or legitimate interests instead — and document the assessment.

Common HR activities and their typical legal basis
Activity | Typical basis | Notes
Payroll, tax reporting | Legal obligation | Clear and uncontroversial
Performance reviews | Contract necessity / legitimate interest | Document the legitimate interest assessment
Employee monitoring (e.g., Slack archiving, badge logs) | Legitimate interest, plus a DPIA | Proportionality test is critical
Health data for accommodation | Special-category data: employment-law obligation (Art. 9(2)(b)) or, rarely, explicit consent | Strict access controls
Marketing internal events / surveys | Legitimate interest | Easy opt-out required
Sharing data with third parties (background check, EAP) | Contract or legitimate interest, plus a data processing agreement (DPA) with the vendor | Vendor due diligence required

High-risk HR activities

  • Employee monitoring (productivity software, Slack archiving, video surveillance) — requires DPIA in most cases.
  • Use of AI in hiring (resume screening, video interview analysis) — increasingly regulated (EU AI Act, NYC Local Law 144, EEOC guidance).
  • Cross-border employee data transfer — needs a Chapter V transfer mechanism (adequacy decision, Standard Contractual Clauses, or Binding Corporate Rules) and, post-Schrems II, a documented transfer risk assessment.
  • Profiling employees (engagement scoring, attrition risk models) — requires transparency and often human review.
  • Special category data (health, biometric, religion, sexuality, union membership) — explicit protection tier.

DSARs from employees and ex-employees

  • Respond without undue delay and at the latest within one month of receipt; this can be extended by a further two months for complex or numerous requests, but you must tell the requester about the extension, and why, within the first month.
  • Search every system: HRIS, ATS, performance tools, email, Slack, manager's working files.
  • Redact third-party personal data (other employees mentioned in performance notes) before release.
  • Confidential commercial information may be withheld in some cases — document why.
  • Train every manager that their notes and emails are within scope. BIFF discipline pays off here too.
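The third-party redaction step above, as an added example that is not part of the original page: a small Python redactor that takes a document retrieved for a DSAR and masks the names and email addresses of other employees, taken from a constructed roster, while leaving the requester's own data intact. The roster, the sample performance note and the placeholder tokens are assumptions for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    name: str
    email: str


# Constructed roster: everyone whose data might turn up in the retrieved documents.
ROSTER = [
    Person("Alice Okafor", "alice.okafor@example.com"),
    Person("Bob Lindqvist", "bob.lindqvist@example.com"),
    Person("Carla Mendes", "carla.mendes@example.com"),
]

# Constructed sample: a manager's performance note pulled from a shared drive.
SAMPLE_NOTE = (
    "Q3 review for Alice Okafor. Alice missed two deadlines; Bob Lindqvist "
    "covered for her, and bob.lindqvist@example.com has the details. "
    "Carla raised a concern about tone in the team channel."
)


def build_redactor(requester, roster):
    """Return a function that masks every roster member except the requester.

    Each third party gets a stable token ([THIRD-PARTY-1], [THIRD-PARTY-2], ...)
    so the requester can still see that two mentions refer to the same person
    without learning who it is. Email addresses are replaced before names,
    otherwise the first-name rule would rewrite only the front of the address
    and leave the surname behind in the local part.
    """
    requester_first = requester.name.split()[0].lower()
    rules = []
    for idx, person in enumerate((p for p in roster if p != requester), start=1):
        token = f"[THIRD-PARTY-{idx}]"
        rules.append((re.compile(re.escape(person.email), re.IGNORECASE), token))
        # Full name first so the alternation prefers it; bare first name as well,
        # because manager notes usually use first names. Skip the first name when
        # it collides with the requester's own, so the requester is never masked.
        alternatives = [re.escape(person.name)]
        first = person.name.split()[0]
        if first.lower() != requester_first:
            alternatives.append(re.escape(first))
        pattern = re.compile(r"\b(?:" + "|".join(alternatives) + r")\b", re.IGNORECASE)
        rules.append((pattern, token))

    def redact(text):
        for pattern, token in rules:
            text = pattern.sub(token, text)
        return text

    return redact


def redact_for_requester(requester, text, roster=ROSTER):
    """Redact third-party personal data from one retrieved document."""
    return build_redactor(requester, roster)(text)


if __name__ == "__main__":
    print(redact_for_requester(ROSTER[0], SAMPLE_NOTE))
```

The stable tokens matter: a reviewer can still follow the narrative of a performance note (the same colleague is mentioned twice) without the identity being disclosed. Pronouns and role descriptions can still identify people in a small team, so a human still reads the redacted output before release.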

Operational hygiene

  1. Maintain a Record of Processing Activities (RoPA) listing every HR data flow — system, purpose, basis, retention, transfers.
  2. Privacy notice for employees: one document, plain language, updated when material changes.
  3. DPIA for any new HR system before deployment — most regulators expect this for HR.
  4. Vendor due diligence: every people-data vendor has a signed DPA; high-risk vendors have a recent SOC 2 or equivalent.
  5. Annual deletion sweep: contractors expired, candidates not hired, ex-employees past retention.
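The retention schedule (principle 5) and the annual deletion sweep (step 5 above), as an added example that is not part of the original page: a Python sweep that evaluates each people record against a schedule keyed by jurisdiction and purpose, sorts records into delete / keep / hold / unscheduled, and writes one audit line per decision. The schedule's periods, the sample records, the sweep date and the legal-hold flag are constructed assumptions; real retention periods come from each jurisdiction's law, not from this table.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str        # why the data is held: "payroll", "candidate", ...
    jurisdiction: str   # employing entity's jurisdiction, e.g. "DE", "UK"
    trigger_date: date  # day the retention clock started (rejection, contract end)
    legal_hold: bool = False  # assumed flag: never auto-delete while under hold


# Constructed schedule: retention in days keyed by (jurisdiction, purpose).
# "*" is the fallback when no jurisdiction-specific entry exists. The periods
# are placeholders for illustration, not statutory figures.
SCHEDULE = {
    ("DE", "payroll"): 10 * 365,
    ("UK", "payroll"): 6 * 365,
    ("*", "candidate"): 180,
    ("*", "contractor"): 2 * 365,
    ("*", "ex-employee"): 6 * 365,
}


def retention_days(rec, schedule=SCHEDULE):
    """Jurisdiction-specific rule first, then the "*" default.

    Returns None when no rule exists: an unscheduled record must be surfaced,
    never silently kept and never silently deleted.
    """
    return schedule.get((rec.jurisdiction, rec.purpose),
                        schedule.get(("*", rec.purpose)))


def sweep(records, today, schedule=SCHEDULE):
    """Classify every record and return (decisions, audit).

    decisions maps "delete" / "keep" / "hold" / "unscheduled" to record ids;
    audit holds one line per record so the run itself is accountability evidence.
    This function only decides; the caller performs the deletions.
    """
    decisions = {"delete": [], "keep": [], "hold": [], "unscheduled": []}
    audit = []
    for rec in records:
        days = retention_days(rec, schedule)
        if days is None:
            bucket, detail = "unscheduled", "no retention rule"
        else:
            expires = rec.trigger_date + timedelta(days=days)
            if rec.legal_hold:
                bucket, detail = "hold", f"expires={expires} legal_hold"
            elif expires <= today:
                bucket, detail = "delete", f"expired={expires}"
            else:
                bucket, detail = "keep", f"expires={expires}"
        decisions[bucket].append(rec.record_id)
        audit.append(f"{today} {rec.record_id} {bucket.upper()} "
                     f"purpose={rec.purpose} jurisdiction={rec.jurisdiction} {detail}")
    return decisions, audit


# Constructed sample records and a fixed sweep date so the run is reproducible.
TODAY = date(2026, 5, 24)
SAMPLE_RECORDS = [
    Record("R1", "candidate", "DE", date(2025, 10, 1)),                 # rejected, past 180 days
    Record("R2", "candidate", "DE", date(2026, 3, 1)),                  # rejected, still inside 180 days
    Record("R3", "payroll", "UK", date(2019, 1, 31), legal_hold=True),  # expired but on hold
    Record("R4", "payroll", "DE", date(2019, 1, 31)),                   # 10-year rule, still live
    Record("R5", "wellbeing-survey", "FR", date(2024, 6, 1)),           # no rule: must be surfaced
]


if __name__ == "__main__":
    decisions, audit = sweep(SAMPLE_RECORDS, TODAY)
    print(decisions)
    print("\n".join(audit))
```

The two buckets that are not "delete" or "keep" are the point: a record with no retention rule is a gap in the Record of Processing Activities and should be fixed there, not guessed at by the sweep, and a record under hold stays put however long past its retention date it is.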
Written by Pawan Joshi. Sources cited inline. Last updated 2026-05-24.