HR and Payroll: Five Steps to GDPR Compliance
With GDPR on the horizon, are your HR and payroll departments prepared? With fines of up to 4% of annual worldwide turnover or €20 million (whichever is higher), plus serious damage to your business's reputation, at stake for non-compliance, here is how you can work towards GDPR compliance in five practical steps:
Deal with the data rights of your employees
HR and payroll professionals hold a large amount of personal data, much of it special category data (health, trade union membership, and so on), and under GDPR employees gain stronger rights over it, including the right of access, the right to rectification and the right to erasure. Requests can arrive through any channel and must normally be answered within one month, so it helps if employees know where to send them. To give employees a good understanding of their rights under GDPR, HR and payroll professionals can develop an informative intranet page that explains how employees can view and manage their personal data, and that may include a messaging service through which employees can ask GDPR-related questions and submit requests.
Complete the data register
In addition to understanding the data rights of employees, HR and payroll professionals also need to know exactly what personal data they process, who is responsible for it, and how it is processed. Keeping a record of processing activities (Article 30 of the GDPR) is not as daunting as it sounds. The register should capture the name and contact details of the controller (and, where appointed, the data protection officer), the purposes of the processing, the categories of data subjects and of personal data, the categories of recipients, any transfers to countries outside the EU, the envisaged retention period for each category and, where possible, a general description of the security measures in place. It is helpful to divide your inventory into categories and to assign an information owner to each, who completes and keeps their part of the personal data register up to date. Anything you find being processed that is not in the register is a gap to close, not a detail to ignore.
Implement an appropriate data retention policy
GDPR codifies the right to erasure (the "right to be forgotten") and, through the storage limitation principle, requires that personal data is kept no longer than necessary for its purpose. Personal data kept longer than required is therefore a liability rather than an asset. HR departments should now establish the reasons for keeping each category of data, the event that starts the retention clock (for example, the end of employment), and the minimum and maximum retention periods for each category. Have these verified by the legal department, because statutory obligations (payroll and tax records, for instance) set minimum periods that your policy cannot undercut, and then implement the resulting changes as soon as possible. Remember that the policy must reach copies as well as the master record: backups, exports, shared mailboxes and paper files all count.
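The register (assigned owners and retention periods per category) and the retention policy (a trigger event plus a minimum and a maximum period) fit together naturally as one automated check. The following Python script is an added example written for this article, not code from the original page: the register entries, categories, owners, retention periods and sample records are all constructed placeholders, and the real values must come from your own register and legal review. It classifies each record as "hold" (purpose still active or inside the statutory minimum), "review" (deletable once no purpose remains), "erase" (past the policy maximum) or "unregistered" (a category with no owner and no retention period, i.e. a register gap).

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed sample register (illustrative placeholders only). In practice these
# rows come from the data register completed by each information owner and the
# periods are the ones your legal department has verified.
@dataclass(frozen=True)
class RegisterEntry:
    category: str
    owner: str        # information owner accountable for this category
    purpose: str      # why the data is processed
    min_days: int     # statutory minimum, counted from the trigger event
    max_days: int     # policy maximum, counted from the trigger event

REGISTER: Dict[str, RegisterEntry] = {
    "payroll": RegisterEntry("payroll", "Payroll Manager", "Pay and tax reporting", 3 * 365, 6 * 365),
    "recruitment": RegisterEntry("recruitment", "HR Manager", "Assessing job applicants", 0, 180),
    "sickness": RegisterEntry("sickness", "HR Manager", "Managing absence and sick pay", 0, 3 * 365),
}

@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    trigger: Optional[date]  # date the retention clock starts (e.g. leaving date); None = not started

def classify(record: Record, today: date) -> str:
    """Decide what the retention policy says about one record as of `today`."""
    entry = REGISTER.get(record.category)
    if entry is None:
        # No owner and no retention period on file: the register is incomplete.
        return "unregistered"
    if record.trigger is None:
        # Purpose still active (e.g. employee not yet left): clock has not started.
        return "hold"
    age_days = (today - record.trigger).days
    if age_days < entry.min_days:
        return "hold"             # statutory minimum not yet reached
    if age_days >= entry.max_days:
        return "erase"            # kept longer than the policy allows: liability
    return "review"               # inside the window: erase if no purpose remains

def retention_report(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Group record ids by action so each information owner gets a worklist."""
    report: Dict[str, List[str]] = {"hold": [], "review": [], "erase": [], "unregistered": []}
    for record in records:
        report[classify(record, today)].append(record.record_id)
    return report

# Constructed sample records, evaluated as of the GDPR application date.
SAMPLE_RECORDS = [
    Record("p1", "payroll", date(2017, 1, 1)),      # left 2017: inside 3-year minimum
    Record("p2", "payroll", date(2010, 1, 1)),      # left 2010: past 6-year maximum
    Record("r1", "recruitment", date(2018, 1, 1)),  # 144 days old: within 180-day window
    Record("s1", "sickness", None),                 # still employed: clock not started
    Record("x1", "expenses", date(2010, 1, 1)),     # category missing from the register
]

if __name__ == "__main__":
    for action, ids in retention_report(SAMPLE_RECORDS, date(2018, 5, 25)).items():
        print(f"{action:>12}: {', '.join(ids) or '-'}")
```

Run it once over a real export of each HR or payroll system (including the paper file index) and hand each owner their "erase", "review" and "unregistered" lists; the "unregistered" list is usually the most revealing, because it shows processing that the register never captured.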
Ensure compliance of your HR and payroll business partners
Third-party relationships present both risk and opportunity. The risk is that, as the data controller, you remain responsible for your employees' data when a payroll bureau, benefits provider or HR software vendor processes it on your behalf: GDPR requires you to use only processors that provide sufficient guarantees of compliance and to have a written data processing agreement with each of them. The opportunity is that strong HR and payroll partners can take much of the compliance burden off you and your business.
Review your list of HR and payroll business partners and, for each, establish whether they have access to employees' personal data and whether they act as a processor for you or as a controller in their own right. Where a processor's current contract does not cover the GDPR requirements (processing only on your documented instructions, confidentiality, security measures, assistance with data subject requests and breaches, deletion or return of data at the end of the contract, and your right to audit), contact them now to ensure a GDPR-compliant data processing agreement is put in place before 25 May 2018.
Integrate security and privacy measures into your HR processes
GDPR brings risk management into privacy: it requires data protection by design and by default, and a data protection impact assessment (DPIA) before any processing likely to result in a high risk to individuals. Assess your risks now so that you can make the appropriate changes in time.
Review your project management lifecycle so that every HR and payroll project defines and documents its security and privacy requirements at the start (access control, encryption of data at rest and in transit, logging, retention, and whether a DPIA is needed) and verifies that those requirements are met before go-live. If the leaders of your HR and payroll departments also review their current policies from a data subject's perspective, this can highlight areas of non-compliance that you might otherwise miss.
These steps should help your HR and payroll departments towards GDPR compliance. However, remember that GDPR applies to other areas of your business too, so this should be a collaborative exercise with other departments. Investigate what else you need to prepare so that, come 25 May 2018, you are in a defensible position, and keep your register, retention policy and partner agreements under review after that date, because compliance is an ongoing obligation rather than a one-off deadline.