4 GDPR Tips for HR: What Every Employer Needs to Know
Your HR team processes personal data every single day. Job applications, onboarding documents, performance records: it adds up quickly. And yet, HR is one of the areas where GDPR compliance tends to slip through the cracks.
These four tips will help you get the basics right.
Tip 1: Delete CVs after rejecting a candidate
If you reject a candidate, delete their CV after the hiring process. You cannot hold on to it indefinitely "just in case."
If you want to keep a candidate's CV for future opportunities, you need their explicit consent. Ask them clearly, explain how long you will keep the CV, and make sure you actually stick to that timeframe. Reaching out to someone about a new role five years after they were rejected is not acceptable.
Not sure what counts as a CV or candidate data in the first place? Our post on what is personal data gives a good starting point.
Tip 2: Think twice before copying employee ID cards
Copying employee ID cards is high-risk. An ID card contains a lot of sensitive information, and identity theft is a real concern.
Under data protection rules, ID card copies can only be processed in very limited circumstances. Before you ask for a copy, ask yourself whether you actually need it and whether there is a less intrusive way to verify the information you need.
Tip 3: Apply retention periods consistently
A simple rule of thumb: if you no longer need the data, delete it.
Ask yourself regularly: do we still need this? Think of an ex-employee's performance reviews from five years ago, a CV from a candidate you rejected in 2020, or notes from a job interview you never followed up on. If there is no clear reason to keep it, it should go.
Setting up a retention schedule for your HR data is one of the most effective ways to stay compliant without making it complicated. Our post on 5 quick wins to improve your privacy practices covers how to approach this step by step.
Tip 4: Prepare an internal privacy notice for your employees
Your employees have a right to know how their data is used. An internal privacy notice tells them exactly that: what data you collect, why you collect it, how long you keep it, and who has access to it.
This is not optional. If you do not have one yet, this is where to start.
Not sure where your HR processes stand?
We work with startups and scale-ups to make privacy compliance practical and manageable. Get in touch and we will help you figure out what needs attention.