FAQ: Employee Personal Data and GDPR Compliance – For HR Teams 

GDPR, aka. The General Data Protection Regulation 2016/679, became law on May 2018. Broadly, it’s a legal framework with guidelines on the collection and processing of data from individuals in the EU.

GDPR is here to stay, but the future of any organisation is not as clear. There will always be challenges that effect HR and employee data. Some examples are the opening of a new branch location, mergers and acquisitions, joint ventures and taking on new suppliers. 


What personal data should HR Departments be concerned about for GDPR?

Personal data can live in several places in your HR files. They can be CVs in your employee files, application forms in your ATS systems, bank details in your payroll spreadsheets. Essentially all data that can be used to personally identify a person, falls under GDPR.

“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’)” -- GDPR, General Provisions Art.4

Pieces of data you may hold in your HR department include but are not limited to:

  • Unique employee id numbers (personal data because they can be traced back to names)
  • Email addresses and mailing lists
  • Employee bank details
  • Genetic data and biometric data if used as identifiers.
  • Location data.
There is also the sub-type of employee personal data, sensitive data, which also fall under GDPR rules:
  • Gender
  • Religion
  • Health details
  • Ethnic data
  • Union membership
  • Criminal convictions
Some HR departments may choose to anonymise personal data because anonymised data does not fall under GDPR. But it takes extreme amounts of care to ensure that all personal identifiers have been removed and that there is no way to un-anonymise that data. If at any point that anonymised data can later be linked to an identifier, then it is pseudonymised. This means that it is still in GDPR’s remit and you are still processing that data.

While the above be collected in theory, there are GDPR principles (see: data minimisation) where this data would not be considered prudent or lawful for HR to hold and process.

Back to FAQ List

What are employee’s data rights under GDPR?

Employee data rights under GDPR include: the right to rectify, the right to forget, data portability and the right to object.

The Right to Rectify: After receiving a response to their Subject Access Request, the employee has the right to review and make amendments on the personal data that is kept. This can be something as simple as a change of address.
The Right to Forget: An employee also has the right to ask for their data to be erased.
Data Portability: The employee can request their data in digital form.
The Right to Object: An employee can refuse to have their data processed.

Employees can withdraw their consent at any time during their employment (this includes any data kept or transferred over from their application stage).

Back to FAQ List

What counts as employee unequivocal consent for GDPR Compliance?

Logs need to be updated with the date when their data consent was given and when consent has been withdrawn. To keep things unambiguous, make sure that consent is unequivocal.

Consent needs to be demonstrable. This can simply be done if you can tick the following boxes in your head:

  • Which employee granted their consent
  • When and how did they grant their consent
  • What information did the employee receive. This is usually sent as a privacy notice.

GDPR-compliant notices contain the following information: The organisation’s name I.e. who is processing the data, also known as the “data controller”; the purpose for the processing; the legal basis for holding and processing the data; the parties in charge of processing; and a restatement of the employee (or data subject’s rights).

You should be prepared to have a legal basis for any data that is kept. Unequivocal consent is one of the points that can be taken under consideration during a case or audit. But it should never be used as the default basis for data processing. Under another GDPR principle (data minimisation), a legitimate interest needs to be substantiated.

Back to FAQ List

What is GDPR’s data minimisation principle? What qualifies as a “legitimate interest” for keeping data processing compliant?

Data minimisation “1. Personal data shall be: (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)”. This data should be as minimal as possible. GDPR concerns itself with the processing of the this data. Both automated and manual filing systems need to be GDPR compliant within HR data processing.

Some organisations keep a legitimate interest policy for employee data. GDPR itself does not define what qualifies as a legitimate interest. To keep up with best practices, all employee data should be regularly reviewed and then deleted when there is no longer any need. Religion, sex and disability may be useful for recruitment surveys; but if the data isn’t a functional requirement for a role, this non-essential data must be destroyed.

Back to FAQ List

Want more Personal advice?

Our process consultants are here to help you accelerate and simplify your digital transformation journey.

Keep Scrolling to Continue with the FAQ

What is the storage limitation principle under GDPR?

Storage limitation is an essential privacy feature in GDPR. The timeframe for keeping employee data should not extend past what is required for the employee to do their job or work at the organisation.

GDPR itself does not give formal timeframes for keeping data but it does have expectations. Organisations with HR departments (and even those without) should have a document retention policy.

Different categories of information should have different retention schedules. Some of these retention schedules have a basis in national law. Some examples of retention guidelines can be found in the British Standards Institute in the legal admissibility of documents, the Companies Act, and the Data Protection Act. This is an important step for HR when you document your employee data processing for GDPR compliance. More information and examples can be found in the ICO website.

Data that is held too long often ceases to become necessary. If the data is out-of-date with no way of merging old and new information about your employee. You will also be holding inaccurate files. This old data also becomes a liability because it no longer has a legitimate interest or legal basis for keeping it.

Back to FAQ List

How does storage limitation affect Subject Access Requests to HR?

Storage limitation and SAR are tied together through the GDPR transparency principle. You should ensure that your HR document systems can handle SARs. This means processing and honouring them to the response deadline with as little workflow interruption as possible.

An employee has the right to request their data. And HR teams are required to provide it no later than 1-month. It’s extremely important that paper or electronic data is easily retrievable.

When placing an SAR, there are certain best practices when creating a form for the employee to fill out. An SAR form should include the following:

  • the request must be done in writing
  • Contain the full name, contact details and address of the person requesting the SAR
  • Written details of the information that is required and the corresponding date range needed.

Most SARs are done using paper forms. An OCR scanning solution can pull handwritten notes into text. It’s easier to feed signs of consent or awareness into a file storage system if the paper signature is transformed into consumable digital records.

There are exceptional circumstances where delivering a request can be extended to two months, but you would need to have a strong reason for this. Keeping employee personal data organised into easily findable databases with strong e-discovery ensures that SARs are responded to in a timely manner.

Back to FAQ List

What considerations should HR staff take onboard for GDPR data retention and disposal?

The employee data controller or HR staff member must know if each data entry point was via online and electronic form, email, or an e-signature. HR members throughout the organisation need to be aware of where this data is kept and if it’s paper or electronic.

Using electronic records still make it easier in case an external audit is called for. Document metadata can hold very useful information so that you can identify what each file contains. There is basic information such as who created the document and when, but there can also be more granular information such as the employee name and number, start date, type/class of document, etc.

If company policy demands both hard copies and soft copies for official documents, keep on top of retention periods for paper disposal. For the former, e-mail alerts should be setup for the document controller to dispose of the hard copies.

Are your files in more than one folder location? In multiple network drives? The challenge is keeping and organising each piece of data in a way that records are easily retrievable. Even if you have converted paper files to live alongside your electronic HR files with an automated solution, lack of processing documentation, e.g. where those files end up, can still run you afoul of GDPR. Metadata can tell you the “what” of a file, but not the where.

Locating HR employee data and records is crucial in fulfilling an employee’s Right to Forget. But collecting each record and then placing it into a single SAR can also ensure an employee’s GDPR data portability rights (this can be automated). If the data you use is cleaned, updated, and purged regularly; you will also have a smoother running business once you are able to cut through the noise.

Back to FAQ List

How can employee data be protected from security breaches?

Don’t forget that under GDPR, data kept must be held securely. GDPR now requires that security breaches that effect your employees should be reported within 72 hours. The ICO and relevant authorities should be informed, as well as all those whose personal data has been compromised.

If you are dealing with electronic files, ensure that they are hosted under ISO protocol. Or that you are dealing with a managed hosting provider that follows these ISO 27001, ISO 27002, 27017, or 27018.

Other efforts on securing employee data are in line with best practices in IT:

  • Creating document security measures and proper authorisation restrictions on which employee data can be accessed by whom.
  • Following strict authentication best practices (complex passwords!) when determining the authorisation policy.
  • Putting in place secure authentication technologies whether they employee works in-office or remotely via VPN. SSL and TLS should be the sort of phrases you are hearing.
  • Using encrypted technologies for all work communication.
  • Making sure that all company databases or devices that store employee data are encrypted. This goes for company laptops and mobile phones.

There must be consistent communication within your organisation on which of the above are being carried out. Hopefully all of them are!

Back to FAQ List

How can DCS help your HR compliance? 


We have extensive experience working with HR departments that have complex internal process and ambitious future plans. From records from several offices needing to be sorted automatically, to data migrations. Following in-depth discussions with HR professionals, our human resources solutions were tailored to your expressed needs: Employee experience, onboarding and offboarding, and bulk paper conversion.  


DCS Managed Services takes care of paper-to-electronic data transfers of employee and HR files, database hosting to ISO standards, and configuring automation technology so that they mesh well with your current workflows. Our consultants discuss project plans specific to each organisation and can work with your HR department to ensure that all your requirements are ticked. 


How Can We Help?