GDPR for HR: the 12 obligations that actually touch your week
Forget the 99 articles. There are 12 GDPR obligations that show up in normal HR work — DSARs, lawful basis, retention, transfers, breach reporting — and most…
- Lawful basis for employee data is almost never 'consent' — it's contract, legal obligation, or legitimate interest.
- DSAR clock is one month, extendable by two. The clock starts the day the request arrives, not the day you log it.
- Retention schedules per data class — and you must be able to prove deletion, not just claim it.
- Cross-border transfers post-Schrems II require SCCs plus a transfer impact assessment.
The DPO sees GDPR as architecture. HR sees it as a series of weekly choices: should I keep this CV, can I move payroll to a US vendor, what do I send the ex-employee who asked for 'everything you have on me'. These are the 12 that matter.
The 12 obligations
| # | Obligation | What HR does about it |
|---|---|---|
| 1 | Lawful basis per processing activity | Maintain ROPA — record of processing activities — by data class |
| 2 | Privacy notice to candidates + employees | Refresh on hire, on system change, annually |
| 3 | Data minimisation | Don't collect what you can't justify; review every form field |
| 4 | Purpose limitation | Don't reuse employee data for new purposes without notice |
| 5 | Retention schedule | Per data class; auto-deletion where possible |
| 6 | DSAR response (1 month) | Documented intake + redaction process |
| 7 | Right to rectification | User-editable profile + audit log |
| 8 | Right to erasure (limited for employees) | Carve-outs for legal + tax retention |
| 9 | Breach notification (72h) | Defined trigger + escalation tree |
| 10 | DPIA for high-risk processing | Trigger list: monitoring, profiling, large-scale special category |
| 11 | Cross-border transfers | SCCs + TIA for every non-adequate jurisdiction |
| 12 | Vendor contracts (Art. 28) | DPA on every HR system, sub-processor approval |
Handling a DSAR
- Day 0: request arrives. Log it. Acknowledge in writing within 5 days.
- Day 0-7: identity verification (proportionate, not invasive).
- Day 7-21: collect from every system — HRIS, payroll, ATS, performance tool, email mentions, manager notes.
- Day 21-28: redact third-party data, legal-privileged content, ongoing investigation material.
- Day 28-30: deliver in a portable format. Log what was disclosed and what was withheld and why.
Retention you can defend
The defensible answer to 'how long do you keep CVs' is never 'forever'. Map every data type to a retention basis (tax: 7 years; unsuccessful candidate: 6-12 months; employee file: per local law plus statute of limitations). Auto-delete where possible — manual processes drift.
Breach: the 72-hour clock
The 72 hours start when HR becomes aware of the breach — not when the security team finishes investigating. The clock for notifying the supervisory authority cannot be paused to make the report look better.
Read next
All playbooksA workable AI policy isn't a ban and isn't a free-for-all. Here's the four-tier model — green, yellow, red, prohibited — with the language, examples, and…
A deep, plain-English field guide to the SOC 2 controls HR owns — Trust Services Criteria mapping, exact evidence the auditor samples, joiner-mover-leaver…
Ethics in HR isn't a values-poster. It's a decision-making capability under uncertainty. Three classical frameworks — utilitarian (Mill), deontological…