GDPR Compliance for Human Resources

Since the European Union’s General Data Protection Regulation (GDPR) became enforceable on May 25, 2018, a significant responsibility has been placed on the human resources departments of companies that fall under its remit.

This is because HR departments gather personal information about staff, and about unsuccessful job applicants, that must be kept secure and managed in a GDPR-compliant fashion in order to avoid potential breaches and the resulting fines.

With this in mind, there are key areas that must be addressed in order to ensure that GDPR is being complied with in relation to human resources.

Consent

One of the biggest challenges for HR professionals, especially those who deal with job applicant data, is ensuring that the organisation has clear consent from the data subject. Consent must be an active and affirmative action by the individual, not a passive or tacit acceptance. Consent can also be withdrawn by the individual at any time, which further complicates matters.

Controllers must keep a log of when consent was given and when it was withdrawn. A quick win is to eliminate pre-agreed options from company literature and instead obtain unequivocal consent from the individual.

Data Retention

When individuals apply for a role with a company, are they given an appropriate privacy notice detailing what data will be collected, how it will be used and why? Proper authorisation must be obtained for all intended uses of this data.


Information will often arrive electronically, via online forms or emailed documents, but paper filing is still commonplace. It is important to keep track of hard copies and to deal with any non-compliant paperwork immediately, which typically means disposal. Organisations should also consider moving away from paper-based documents altogether.

Training

HR departments should focus on training to mitigate legal, financial and reputational risks. Training not only ensures that employees are aware of how personal data should be handled, but also increases accountability.

Appointing a Data Protection Officer

It may be necessary to appoint a Data Protection Officer within the HR department. This person would liaise with the Information Technology department to make sure that everything is being conducted in a GDPR-compliant fashion. It is not mandatory for every company to appoint a designated Data Protection Officer, but it is for ‘non-public’ bodies whose core activities result in constant, large-scale monitoring of data subjects and involve extensive processing of sensitive personal data.

Other considerations

There are a number of other factors that the HR department must take into account, such as whether the resources available to the company are sufficient for managing the amount of data it gathers. Impact assessments must also be completed so that suitability can always be gauged effectively. If the company relies on third-party companies, it should be ascertained whether these entities are operating in line with GDPR.

The most important thing for HR departments to keep in mind in relation to GDPR compliance is that a constant dialogue with staff about data protection is vital for keeping personal data secure. If this can be maintained, the organisation will have the best possible chance of adhering to all aspects of GDPR and avoiding penalties.