GDPR Checklist for HR Managers and Employers
The General Data Protection Regulation (GDPR) isn’t just another compliance box to tick; it’s the foundation of how you handle employee data. Get it wrong and you’re looking at fines reaching 4% of annual global turnover or £17.5 million, whichever is higher. Get it right and you build trust with your team while protecting your business from regulatory headaches.
This checklist breaks down exactly what HR managers and employers need to know about GDPR compliance in the UK. We’ll cover the practical steps you can take today, the systems that support compliance and the policies that keep you on the right side of the law.
What does this GDPR checklist cover?
This guide walks through the complete GDPR compliance framework for HR departments, including:
- Raising awareness across your leadership team.
- Creating bulletproof data retention policies.
- Nominating the right person for data protection.
- Mapping your data landscape.
- Checking your IT infrastructure.
- Updating your policies, training your staff and managing third-party relationships.
Each section addresses a specific compliance requirement with actionable steps you can implement immediately. You’ll also find detailed guidance on understanding data protection principles, conducting impact assessments, managing breaches and respecting employee data rights.
By the end, you’ll have a clear roadmap for GDPR compliance that protects both your employees and your business.
Raising awareness
GDPR compliance starts at the top. Your Board of Directors and senior leadership team need to understand that data protection is a business-wide priority, not just an HR problem to delegate and forget.
The responsibility cuts across every department, from IT to marketing to operations. HR holds some of the most sensitive personal data in your organisation: payroll details, health information, performance reviews, disciplinary records and more.
Here are some actions to take:
- Present a GDPR compliance update to your Board showing current risks and gaps.
- Assign clear accountability for data protection at executive level.
- Build data protection into your business strategy, not just your compliance checklist.
- Set measurable goals for GDPR compliance with regular review points.
Getting buy-in from leadership means securing the budget, resources and authority you need to do this properly.
Nominating a data protection officer/privacy manager
Not every business needs to appoint an official Data Protection Officer (DPO), but every business needs someone responsible for data protection compliance. The Information Commissioner’s Office (ICO) requires you to appoint a DPO if you’re a public authority, if your core activities involve large-scale monitoring of individuals, or if you process large-scale special category data.
Even if you don’t meet these criteria, you still need a designated person or team managing your data protection efforts. This person should have the authority to implement changes, the knowledge to understand GDPR requirements and direct access to senior leadership.
Here are a few things to consider:
- Does this person have the time and resources to do the job effectively?
- Do they have the authority to challenge decisions that create compliance risks?
- Are they independent enough to make objective decisions about data protection?
- Can they access training and legal advice when needed?
For small and medium businesses, this responsibility often falls to an HR Director, Operations Manager or external consultant. What matters is that someone owns it.
Creating a data log
Data mapping is where compliance gets real. You need to know exactly what personal data you hold, where it came from, who can access it, why you’re holding it and when you’ll delete it.
Create a comprehensive data processing record (also called a Record of Processing Activities or ROPA) that documents:
- The type of data: Personal data (names, addresses, contact details) or special category data (health information, trade union membership, criminal records, biometric data).
- The categories: Recruitment data, employment contracts, payroll information, performance reviews, absence records, disciplinary files, training records.
- Data subjects: Current employees, former employees, job applicants, contractors, emergency contacts.
- Data sources: Applications submitted by candidates, information provided by employees, references from previous employers, occupational health assessments, background checks.
- Legal basis for processing: Contract performance (to pay employees, manage their employment), legal obligations (tax reporting, health and safety records), legitimate interests (performance management, absence monitoring).
- Legal basis for special category data: Employment law compliance, occupational health requirements, diversity monitoring (with explicit consent).
- Purpose: Recruitment, payroll processing, performance management, absence tracking, compliance reporting.
- Storage and access: HR software systems, physical filing cabinets, shared drives—document who has access to each system.
- Data transfers: Note any sharing with payroll providers, pension administrators, insurance companies, or parent companies (particularly if they’re outside the UK/EU).
- Retention periods: How long you’ll keep application data, employment records and post-employment information.
- Automated decision-making: Recruitment screening tools, performance rating algorithms, absence trigger systems.
- Data protection impact assessments: When you’ll need to conduct these for new systems or high-risk processing.
This log becomes your compliance proof. If the ICO comes knocking, you’ll need to show you know what data you hold and that you’re processing it lawfully.
Checking that your IT infrastructure supports compliance
Your technology either supports compliance or undermines it. GDPR requires “data protection by design and default,” which means security and privacy should be built into your systems from the start, not bolted on as an afterthought.
Security measures to implement:
- Strong password policies with regular updates.
- Two-factor authentication for accessing HR systems.
- Encryption on all devices that store or access employee data.
- Access controls limiting who can view sensitive information.
- Regular security audits and penetration testing.
Employee rights to support:
- Can you easily search and export all data relating to a specific employee? (You’ll need this for subject access requests).
- Can you restrict processing of data while keeping it on file? (Required when an employee objects to processing).
- Can you delete data across all systems when legally required?
- Can you export data in a portable format (.csv, .pdf, .txt) for data portability requests?
Additional considerations:
- Where are your servers located? If they’re outside the UK/EU, you’re transferring data internationally and need adequate safeguards.
- Do managers keep their own records outside the central HR system? How are those secured?
- What happens to hard copy documents taken to meetings, employees’ homes, or client sites?
- Are filing cabinets locked? Are documents shredded when no longer needed?
If your current systems can’t support these requirements, you may need to upgrade your payroll software or HR platform. Modern solutions build these capabilities from the ground up.
Update data protection policies and employment contracts
Your policies need to reflect current GDPR requirements and explain clearly how you handle personal data. Make sure you have the five policies listed below, or that all these points are included in one general policy.
1. Privacy notice for employees
Tell your staff what data you hold, why you’re holding it, who you share it with, how long you’ll keep it and what rights they have. Write this in plain language—legal jargon doesn’t meet the “clear and transparent” requirement.
2. Data protection policy
Set out your organisation’s commitment to data protection and employees’ obligations when handling personal data in their roles. Include security measures, reporting procedures and consequences for breaches.
3. Data breach reporting policy
Create a clear process following ICO guidelines. You have 72 hours to report certain breaches to the ICO, so your team needs to know how to escalate issues immediately.
4. Subject access request policy
You have one month to respond to subject access requests (requests from employees to see their data). Document your process for receiving, reviewing and responding to these requests.
5. Data retention policy
Specify how long you’ll keep different types of data and how you’ll destroy it securely. Keeping data longer than necessary is a GDPR violation.
6. Employment contracts
Be careful about clauses that rely on consent as the legal basis for processing employee data. Consent is often not considered freely given in employment relationships because of the power imbalance: employees can’t freely refuse when their job might depend on it. Consider using contract performance or legal obligations as your lawful basis for processing data instead.
For more guidance on managing employee information effectively, see our article on employee data management.
Ensure staff have the correct training
Every employee who handles personal data needs training appropriate to their role. Your payroll team needs detailed guidance on processing financial data securely. Your managers need to understand how to handle performance and disciplinary information. Your entire workforce needs to know the basics of data security.
Training should cover:
- What personal data is and why it matters.
- Your organisation’s data protection policies.
- How to recognise and report data breaches.
- Security measures (password policies, device security, email safety).
- Individual rights under GDPR (subject access, erasure, objection).
- Role-specific responsibilities.
Update training regularly—at least annually—and keep records of who’s been trained and when. This demonstrates your commitment to compliance and helps identify gaps when incidents occur.
Health-check relationships with other group companies, other businesses or services
Data doesn’t stay within your HR department. You share it with payroll providers, pension administrators, recruitment agencies, occupational health services and possibly parent or subsidiary companies. Each relationship creates a compliance risk.
- Check your HR software provider: Can your system support data access requests, data portability, erasure and restriction of processing? If not, you need a new provider or a plan to manage these requirements manually. Ask where they store data (UK, EU, or elsewhere) and what security measures they use.
- Review third-party contracts: Every contract with a data processor should include clear data protection obligations. They should only process data according to your instructions, implement appropriate security measures, assist with data subject requests, notify you of breaches and delete or return data when the contract ends.
This includes:
- Recruitment agencies.
- Payroll service providers.
- Pension providers.
- Insurance companies.
- Occupational health services.
- Background check providers.
- Training platform providers.
If you share employee data with parent companies or service providers outside the UK/EU, you need legal mechanisms to legitimise that transfer. Options include:
- UK/EU adequacy decisions (countries deemed to have adequate data protection laws).
- Standard contractual clauses (ICO-approved contract terms).
- Binding corporate rules (for intra-group transfers).
Don’t assume your parent company has an automatic right to employee data. You need a lawful basis for the processing and appropriate safeguards for the transfer.
To understand how GDPR intersects with payroll specifically, read our guide on GDPR and payroll.
GDPR checklist for HR compliance
Here’s your quick-reference compliance checklist:
Awareness and accountability:
- Leadership team briefed on GDPR requirements.
- Data protection responsibility assigned to a specific individual/team.
- Budget allocated for compliance activities.
Documentation:
- Record of Processing Activities (ROPA) created and maintained.
- Privacy notices provided to employees and candidates.
- Data protection policies updated and communicated.
- Employment contracts reviewed and updated.
Systems and security:
- IT infrastructure supports employee rights (access, portability, erasure).
- Security measures implemented (passwords, encryption, access controls).
- HR software provider confirmed GDPR-compliant.
- Data backup and disaster recovery procedures in place.
Training and procedures:
- Data protection training delivered to all staff.
- Subject access request procedure documented.
- Data breach response plan created.
- Data retention schedule implemented.
Third parties:
- Contracts with processors include GDPR clauses.
- International data transfers are protected with appropriate safeguards.
- Regular audits of third-party compliance.
Ongoing compliance:
- Regular reviews of data processing activities.
- Data protection impact assessments conducted for high-risk processing.
- Records of training maintained.
- Incident log maintained.
Understanding data protection principles
GDPR rests on seven core principles. These aren’t just theoretical; they’re legally binding requirements that inform every decision you make about employee data.
1. Lawfulness, fairness and transparency
You must have a legal basis for processing data (contract, legal obligation, legitimate interest, etc.), process it fairly and be transparent about what you’re doing with it.
2. Purpose limitation
Collect data for specific, explicit, legitimate purposes and don’t use it for anything else. If you collected an employee’s phone number for emergency contact purposes, you can’t use it for marketing without a separate legal basis.
3. Data minimisation
Only collect data that’s necessary for your purpose. Don’t ask for information “just in case” you might need it later.
4. Accuracy
Keep data accurate and up to date. Delete or correct inaccurate information promptly.
5. Storage limitation
Don’t keep data longer than necessary. Once the purpose for holding it has expired, delete it securely.
6. Integrity and confidentiality (security)
Protect data against unauthorised access, accidental loss, or destruction using appropriate technical and organisational measures.
7. Accountability
You must demonstrate compliance with these principles. Documentation, policies, training records and impact assessments provide that proof.
These principles should guide every HR decision involving personal data.
Conducting data protection impact assessments
A Data Protection Impact Assessment (DPIA) identifies and minimises privacy risks in new projects or systems. You must conduct a DPIA when processing is likely to result in high risk to individuals’ rights and freedoms.
You should conduct a DPIA when:
- Implementing new HR technology or software.
- Large-scale processing of special category data (health records, diversity data).
- Systematic monitoring (performance tracking, attendance monitoring).
- Automated decision-making with legal or significant effects.
- Processing data about vulnerable people.
If the DPIA reveals high residual risk even after mitigation, you must consult the ICO before proceeding.
Managing employee personal data securely
Security is both a legal requirement and a practical necessity. You should ensure that the following measures have been taken to secure your data.
Digital security:
- Limit access to HR systems based on job role.
- Use separate user accounts (no shared logins).
- Require strong, regularly updated passwords.
- Enable two-factor authentication.
- Encrypt devices and sensitive files.
- Secure email when sending personal data.
- Use secure file transfer for large data sets.
- Regular software updates and security patches.
Physical security:
- Lock filing cabinets containing personnel files.
- Implement clear desk policies.
- Shred documents before disposal.
- Control access to HR offices.
- Log who accesses physical files and when.
Operational security:
- Conduct right-to-work checks before granting system access.
- Revoke access immediately when employees leave.
- Regularly audit who has access to what data.
- Monitor for unusual access patterns.
Remember: security is about proportionality. The more sensitive the data, the stronger your safeguards should be.
Responding to a data breach effectively
A data breach is any unauthorised access, loss, or disclosure of personal data. This includes employees accessing files they shouldn’t see, laptops stolen from cars, emails sent to the wrong recipient, or hacking incidents.
Here’s how to tackle your breach response plan:
- Step 1: Contain the breach: Stop the breach from getting worse. Change passwords, revoke access, recover stolen devices, recall emails.
- Step 2: Assess the breach: What data was involved? How many people were affected? What’s the risk to those individuals (identity theft, discrimination, embarrassment)?
- Step 3: Notify the ICO (if required): You have 72 hours to report breaches that pose a risk to individuals’ rights and freedoms. High-risk breaches also require notifying affected individuals without undue delay.
- Step 4: Document everything: Record what happened, when you discovered it, what data was involved, the likely consequences and what action you took. You must keep records of all breaches, even those you didn’t report to the ICO.
- Step 5: Review and improve: What allowed this breach to happen? Update your systems, policies, or training to prevent recurrence.
Quick action limits damage and demonstrates accountability to the ICO.
The role of a data protection officer in HR
If you’ve appointed a Data Protection Officer (DPO), they work closely with HR but remain independent. The DPO monitors compliance, advises on impact assessments, maintains documentation and acts as the contact point with the ICO.
Here’s how HR and the DPO work together:
- HR proposes new systems or processes; the DPO reviews them for compliance.
- HR reports breaches to the DPO; the DPO manages ICO notifications.
- HR handles subject access requests with DPO guidance on scope and exemptions.
- HR develops policies; the DPO ensures they meet legal requirements.
The DPO should have the authority to challenge HR decisions that create compliance risks. This independence is crucial: they’re not there to rubber-stamp everything HR wants to do.
Best practices for processing employee data
Beyond legal requirements, these practices improve your data handling:
Limit access
Just because someone works in HR doesn’t mean they need access to all employee data. Implement role-based access controls.
Anonymise where possible
For reporting and analysis, use anonymised or pseudonymised data when you don’t need to identify specific individuals.
Be transparent
Tell employees what you’re doing with their data before you do it. Transparency builds trust.
Review regularly
Schedule quarterly or annual reviews of what data you hold and whether you still need it.
Default to privacy
When designing new processes, choose the most privacy-protective option that still achieves your business purpose.
Document decisions
When you make choices about data processing (what to collect, how long to keep it, who to share it with), write down your reasoning. This demonstrates accountability.
Documenting data processing activities
Your Record of Processing Activities (ROPA) isn’t a one-time exercise; it’s a living document that evolves with your business. Update it when you:
- Implement new HR systems.
- Change your data retention periods.
- Start working with new third-party providers.
- Expand into new countries or jurisdictions.
- Add new categories of data collection.
Keep your ROPA accessible, accurate and detailed enough to demonstrate compliance during an ICO audit. Store it securely but ensure your DPO, senior leadership and relevant HR staff can access it when needed.
Rights of the data subject in HR
GDPR gives employees specific rights over their personal data. HR must respond promptly and accurately to requests. Here are the rights that a person has when it comes to the data you keep about them:
- Right of access: Employees can request copies of their personal data. You have one month to respond (extendable by two months for complex requests). Provide data in a clear, accessible format. For practical guidance on this, see our candidate experience checklist which includes data handling best practices.
- Right to rectification: Employees can request corrections to inaccurate data. Update records within one month.
- Right to erasure (‘right to be forgotten’): Employees can request deletion when data is no longer necessary, processed unlawfully, or they withdraw consent. This isn’t absolute—you can refuse if you have overriding legal obligations (e.g., tax records).
- Right to restrict processing: Employees can request you stop processing data (but keep it on file) in specific circumstances, like when they’re challenging accuracy or contesting processing.
- Right to data portability: Employees can request data in a portable format to transfer to another controller. This mainly applies to data processed based on consent or contract.
- Right to object: Employees can object to processing based on legitimate interests or for direct marketing. You must stop unless you have compelling legitimate grounds.
- Rights related to automated decision-making: Employees can request human review of automated decisions that have legal or significant effects.
Document your procedures for handling each type of request and train staff accordingly.
Responsibilities of data controllers in HR
As a data controller, you determine the purposes and means of processing personal data. This comes with legal responsibilities:
- You’re accountable: You must demonstrate compliance through documentation, policies and procedures.
- You must choose processors carefully: You’re liable if your processors (payroll providers, HR software vendors) breach GDPR. Conduct due diligence before engaging them.
- You must have contracts in place: Written contracts with all processors specifying their obligations.
- You must report breaches: Both to the ICO (when required) and to affected individuals (when there’s high risk).
- You must cooperate with the ICO: Provide information, allow audits and implement recommendations.
- You must respect individual rights: Respond to subject access requests, erasure requests and objections within legal timeframes.
The ICO can fine data controllers up to £17.5 million or 4% of annual global turnover for serious breaches. The responsibility is significant, but so is the risk of getting it wrong.
Creating a GDPR-compliant data retention policy
Keeping data longer than necessary violates GDPR’s storage limitation principle. Create a clear retention schedule specifying:
Recruitment data:
- Successful candidates: Transfer relevant application data to employment file.
- Unsuccessful candidates: Delete within 6-12 months (or immediately if requested).
Employment records:
- Payroll and tax data: Minimum 6 years after employment ends (HMRC requirement).
- Employment contracts: 6 years after employment ends (contract law limitation period).
- Performance reviews: Delete when no longer relevant (typically 1-2 years after employment ends).
- Disciplinary records: Typically 6-12 months after warning expires, or 6 years for gross misconduct cases.
- Training records: While relevant to current role, plus reasonable period after employment ends.
Post-employment:
- References provided to new employers: 6 years.
- Accident and injury records: 12 years (or longer for certain exposures).
- Pension records: Often retained longer for statutory purposes.
Method of destruction:
- Digital data: Secure deletion (not just moved to recycle bin).
- Hard copies: Cross-cut shredding or secure disposal service.
- Devices: Certified data wiping before disposal or recycling.
Review your retention schedule annually and document the business reasons for each retention period.
Turn GDPR Compliance from a Burden into a Built-in Feature
GDPR compliance is ongoing work, not a one-time project. Regulations evolve, your business changes and new risks emerge. Regular reviews, updated training and continuous improvement keep you compliant and protect both your employees and your organisation.
The checklist above provides a solid foundation, but don’t treat compliance as a tick-box exercise. Build a culture where data protection is part of how you work, not something bolted on afterward.
Modern HR systems can automate much of this compliance burden, from managing access rights to handling subject access requests to enforcing retention policies. If you’re struggling to meet GDPR requirements with your current setup, it might be time to assess whether your systems are helping or hindering your compliance efforts.
Why not see how Employment Hero can help you today?