Why do SMEs need GDPR Compliant HR Software?

GDPR is a legally onerous and potentially time-consuming responsibility for Business Owners, HR Managers, and effectively all Employers. GDPR-compliant HR Software is a major assistance to Business Owners, Managers and the HR Function, easing the impact of GDPR and giving the business the necessary peace of mind.

The General Data Protection Regulation (GDPR) came into effect on 25th May 2018. Since then, there has been one set of data protection rules for all companies operating within the EU. GDPR is designed to give people more control over their personal data, while also creating a ‘level playing field’ for all businesses where data control and responsibilities are concerned.

But be warned: ‘level playing field’ is a euphemistic way of saying every employer and small business owner had better take the protection of employee data very seriously. That means securing and managing employee information and details, and being accountable if you don’t. Employee data, documents, and anything that relates to their personal data and privacy need to be stored, secured and managed. Staff records need to be stored in one place, with automatic deletion of records when required, as well as verification of this deletion.

"It is important to remember that customer AND employee data is personal data.  Simply storing personal data electronically or in hardcopy constitutes 'processing' personal data."

- Data Protection Commissioner


What does GDPR Compliant HR Software do for the owners of SMEs?

  • All Employee data and documents are stored in a GDPR-compliant fashion

  • There is complete version control for all key documents

  • Automatic deletion of records can be effected when required, with verification of deletion

  • A clear audit trail of staff information is maintained and can be called up when needed

  • The recording, organisation and management of all staff records is in one place, and is secure.

  • Business owners and HR Managers can focus on their key objectives in the knowledge that they are legal, compliant, and taking as little time as possible in achieving this

What rights do Employees have under GDPR legislation?

Under GDPR, Employees have a number of rights with regard to their personal data.

  • The right to request access to, and rectification or erasure of, personal data
  • The right to restrict processing
  • The right to object to processing
  • In certain circumstances, the right to data portability


An employee should have provided consent for the processing of their data in their Employment Contract.


"Being a not for profit, we operate in a complex environment under demanding legislation. HR Duo have partnered with us during significant change in our business giving us confidence and guidance in our decision making."


What are the main responsibilities under GDPR of owner/managers in relation to employee data?

  • To comply with the Data Protection Regulation when dealing with personal data of any kind. 
  • You and your staff must only access, change, erase, copy, or make use of any information (including personal data) if authorised to do so and if it is in keeping with allocated work duties.
  • You must not pass on personal data about any individual where those details are known to you because of the person’s employment with the organisation, unless you have the prior consent of the individual.
  • You must give a description of any data held about an employee on request and the purposes for which it is kept, within 21 days of the date of request. 

"The Regulation also increases very significantly the obligations on organisations that process personal data, requiring greater levels of accountability and transparency in respect of their data processing operations."

- ODPC Statement of Strategy, 2019



Are there specific requirements around Employee Data Retention?

There are specific requirements to retain data for set periods under different employment-related legislation. GDPR-compliant software should be capable of managing these periods and providing reports and alerts when the time frames are due to expire.

Employee data, like most data, should only be collected and held for specific and legitimate purposes and should be done in accordance with the GDPR/Data Collection and Retention Policy.

Legislation and regulations frequently inform an employer as to the required length of time that any data needs to be retained. The following two tables set out the required and the recommended data retention times.

Table 1 – Legal Data Retention Requirements


| Title of Legislation | Retention Period Specified |
|---|---|
| Terms of Employment (Information) Acts 1994 to 2012 | Duration of employment and one year thereafter |
| Payment of Wages Act 1991 | Six years unless revenue states otherwise |
| National Minimum Wage Act 2000 | Three years |
| Organisation of Working Time Act 1997 | Three years from date of making record |
| Protection of Young Persons (Employment) Act 1996 | Three years |
| Carer’s Leave Act 2001 - records | Eight years |
| Carer’s Leave - notice of leave | Three years |
| Parental Leave Acts 1998 and 2006 | Eight years |
| Parental Leave | One year |
| Employment Permits Acts 2003 to 2012 | Five years or duration of employment |



Table 2 – Recommended Data Retention Periods for other data


| Title of Legislation | Recommended Retention Period |
|---|---|
| Maternity Protection Acts 1994-2004 | One year |
| Recruiting (shortlisting, interview notes etc.) | One year |
| Settlement Agreement and associated documentation | Seven years |
| Employment Equality Acts 1998-2015 | One year |
| Unfair Dismissals Acts 1977-2015 | One year |