
Data Privacy and HR: GDPR, CCPA, and Beyond

A practical guide to employee data privacy policies, covering what HR collects, lawful bases, retention, employee rights, vendors, breaches, and HR training.

5 min read · Global · United States · United Kingdom

HR has more sensitive data than almost any team in the company. Salary, bank details, health notes, disciplinary files, immigration documents, emergency contacts, ethnicity fields, performance ratings, family leave, complaints, investigation records, and manager notes all sit somewhere in the HR stack.

Then someone exports "just a quick spreadsheet" to a personal desktop.

Employee data privacy is not an IT side quest. HR collects the data, explains the purpose, grants access, shares it with vendors, and decides how long to keep it. That means HR needs a policy it can actually follow.

Employee data is not less sensitive because the company already employs the person. In many cases, HR data is more sensitive than customer data.

Map what HR collects

Start with an inventory. Most HR privacy policies fail because they list broad categories but do not reflect actual systems.

Typical HR data:

  • Identity and contact details.
  • Government IDs and work authorization.
  • Bank, payroll, tax, and pension details.
  • Compensation, bonus, equity, and benefits.
  • Attendance, leave, timekeeping, and scheduling.
  • Performance reviews and manager notes.
  • Disciplinary and grievance records.
  • Health, disability, accommodation, and sickness records.
  • Diversity data, where lawfully collected.
  • Background checks and references.
  • Device, access, and security logs.
  • Training, certification, and learning records.

Inventory steps:

  1. List every HR system and spreadsheet.
  2. Name the data owner.
  3. Name who has access.
  4. Identify sensitive or special-category data.
  5. Record why the data is collected.
  6. Record the retention period.
  7. Record vendors and the countries where data is stored.

Identify the lawful basis

Under GDPR-style laws, HR needs a lawful basis for processing personal data and extra conditions for sensitive categories. Consent is often weak in employment because the power imbalance means the employee may not have a real choice.

Common HR bases include:

  • Contract: processing needed to enter or perform the employment contract.
  • Legal obligation: payroll tax, right-to-work checks, statutory leave, health and safety.
  • Legitimate interests: workforce planning, internal administration, security, some investigations.
  • Vital interests: emergency contact use in a serious incident.
  • Explicit consent: limited cases where the employee has a genuine choice.

UK note

The ICO's employment guidance says employers should identify and document a lawful basis before processing worker information. For health information, the ICO notes that legal obligation, contract, and legitimate interests may apply depending on purpose, with special-category conditions also required.

US note

California's CCPA, as amended by the CPRA, gives California residents rights such as know, delete, correct, opt out of sale or sharing, limit sensitive personal information, and non-discrimination. Employers subject to the CCPA should ensure employee privacy notices and request processes cover workforce data.

Use the employee data privacy policy template to document HR data categories, purposes, lawful bases, vendors, retention periods, and employee rights in one place.

Set retention periods

Keeping HR records forever feels safe until a subject access request, breach, or dispute exposes a decade of irrelevant notes. Retention should be deliberate.

Retention depends on:

  • Statutory tax and payroll rules.
  • Employment claim limitation periods.
  • Immigration and right-to-work requirements.
  • Pension and benefits rules.
  • Health and safety obligations.
  • Contract needs.
  • Litigation holds.
  • Local data protection law.

Create a retention schedule by record type. For example, recruitment records may be kept 6 to 24 months depending on law and claim risk. Payroll records often require longer. Investigation files may need separate treatment and restricted access.

Retention is not deletion on autopilot. It is a controlled decision: keep what you need, restrict who can access it, and delete or anonymize when the purpose ends.

Explain employee rights

Your policy should tell employees what rights may apply and how to exercise them. Depending on jurisdiction, rights may include:

  • Access to personal data.
  • Correction of inaccurate data.
  • Deletion, subject to exceptions.
  • Restriction or objection.
  • Portability.
  • Right to know categories and purposes.
  • Right to limit sensitive data use.
  • Right not to be discriminated against for exercising privacy rights.

Do not promise rights globally if they do not exist everywhere. Use language like "depending on your location" and provide a local route for questions.

Control vendors and data sharing

HR vendors hold high-risk data: payroll providers, benefits brokers, background-check companies, HRIS platforms, performance tools, learning platforms, EORs, recruiters, law firms, and wellbeing providers.

Before sharing data, check:

  • What data the vendor needs.
  • Whether the data is necessary.
  • Where it is stored.
  • Whether subprocessors are used.
  • Security controls.
  • Breach notice timing.
  • Deletion or return terms.
  • Cross-border transfer safeguards.
  • Whether AI or analytics are used on employee data.

Vendor review steps:

  1. Review the vendor's data processing agreement.
  2. Confirm the minimum data needed.
  3. Check transfer mechanisms for cross-border processing.
  4. Restrict admin access.
  5. Test breach notification contacts.
  6. Review vendor access annually.

Prepare for breaches

An HR breach can be as simple as emailing a compensation spreadsheet to the wrong manager. The policy should tell employees how to report incidents immediately.

Include:

  • What counts as a suspected breach.
  • Who to contact.
  • What information to include.
  • An instruction not to delete or alter evidence.
  • Expected urgency.
  • Escalation to privacy, legal, IT, and leadership.

UK note

The ICO explains that some personal data breaches must be reported within 72 hours of becoming aware of them. HR should not wait for perfect information before escalating a suspected breach internally.

When you localize the employee data privacy policy template, add country-specific rights, regulator contacts, breach timing, and sensitive-data rules.

Key takeaways

  • HR should inventory employee data before writing privacy promises.
  • Lawful basis, retention, access control, and vendor sharing need documentation.
  • Consent is often weak in employment contexts.
  • Employee rights vary by country and state.
  • HR needs breach escalation habits, not just IT controls.
  • Privacy policies should be reviewed whenever HR systems or vendors change.

Disclaimer: This guide is practical HR reference material, not legal advice. Employment law varies by jurisdiction and changes frequently. Verify current statutory figures, contribution rates, and procedural requirements with qualified local employment counsel before acting on sensitive HR matters.

Written by Atlas HR Editorial Team

Published 2026-05-06

The Atlas HR editorial team comprises qualified HR practitioners with expertise across employment law, payroll, compliance, and people operations in Nigeria, India, the United Kingdom, and the United States.
