GDPR Compliance for HR Software: What Every HR Team Needs to Know
HR software holds some of the most sensitive personal data in any organisation. This guide explains what GDPR (and Africa's equivalent data protection laws) require from HR systems — and what to look for in a compliant platform.
Employee data is among the most sensitive personal data an organisation holds. Names, bank account details, health information for benefits, performance reviews, disciplinary records, salary history, home addresses — HR systems hold all of it. This makes HR software a priority area for data protection compliance, and a prime target for regulatory scrutiny when audits happen.
For companies operating in the EU or with EU employees, GDPR applies. For companies in Nigeria, Kenya, South Africa, or Ghana, the NDPR, DPA, POPIA, and DP Act impose similar requirements — often with the same core principles, different enforcement mechanisms, and rapidly tightening standards.
This guide is not legal advice. It's a practical explanation of what the laws require from HR software specifically, and how to assess whether a platform you're evaluating is compliant.
The Core GDPR Principles That Apply to HR Software
Lawful basis for processing
Every piece of employee data you process needs a lawful basis. For most employment data, the basis is contract necessity — you need the data to fulfil the employment contract (paying the employee requires their bank details; managing absence requires recording their leave). For some data — emergency contacts, medical information for occupational health — the basis may be legitimate interests or explicitconsent.
HR software should not encourage you to collect data "just in case." Every field you populate has to have a purpose, and that purpose should be documented. A good HR platform makes this easier by only requesting standard employment fields, not building in optional fields for data you don't need.
Data minimisation
Collect only what you need for a specific purpose. Don't store an employee's full ID scan when you only needed to verify their right to work. Don't keep payroll records for fifteen years when your jurisdiction requires five.
Purpose limitation
Data collected for one purpose (payroll) cannot be repurposed for something else (marketing to the employee's household) without a new lawful basis. HR data must not flow into marketing systems.
Data subject rights
Under GDPR, employees have four rights you must be able to action:
- Right of access (Subject Access Request — SAR): The employee can request a copy of all personal data you hold about them. You have 30 days to respond. Doing this manually in a spreadsheet-based HR system is slow and error-prone; a compliant platform should generate the export automatically.
- Right to rectification: The employee can request correction of inaccurate data. Straightforward — update the record.
- Right to erasure ("right to be forgotten"): The employee can request deletion of their personal data when it is no longer needed for the original purpose. This is nuanced — you still need to retain some records for legal obligations (tax records, health and safety records), but personal identifiers should be stripped where possible.
- Right to data portability: The employee can request their data in a machine-readable format (typically JSON or CSV) that allows them to take it to another provider. This matters when an employee moves to a new employer who uses compatible software.
NDPR note (Nigeria): The Nigeria Data Protection Regulation requires organisations processing personal data to file an annual Data Protection Compliance Audit. If you process employee data with an HR platform, that platform's data processing practices are in scope. Ensure your vendor can provide a data processing agreement and evidence of their security practices.
What to Look For in a GDPR-Compliant HR Platform
Multi-tenant isolation
The platform must guarantee that your employees' data cannot be accessed by other organisations using the same platform. This is implemented through tenant-level data scoping — every record is tagged to your organisation, and API requests are validated against your credentials before returning any data. Ask vendors explicitly how they enforce this, not whether they "have" it.
Data processing agreement (DPA)
Under GDPR Article 28, you must have a signed DPA with every processor who handles personal data on your behalf. This includes your HR software vendor. A DPA specifies what data is processed, for what purposes, with what security measures, and under what sub-processor arrangements. If a vendor refuses to sign a DPA, do not use them.
Actionable data subject rights
The platform should make it possible to respond to a Subject Access Request in under an hour — not a week. Look for:
- One-click data export for any employee record
- A documented erasure process that removes personal identifiers while preserving anonymised aggregates for analytics
- An audit log showing when data subject rights were exercised and by whom
Audit logging
Every access to and modification of personal data should be logged — who accessed it, when, and what they did. This is not just a compliance requirement; it's the first thing a regulator asks for in an investigation.
Encryption at rest and in transit
Personal data must be encrypted both when stored (at rest) and when transmitted (in transit). This is now a baseline expectation, not a premium feature. TLS for transport, AES-256 for storage. Ask for specifics, not assurances.
Sub-processor transparency
Your HR platform likely uses third-party services — cloud hosting, email delivery, AI providers — to deliver its product. These are sub-processors, and under GDPR, you have the right to know who they are and what they do with your data. Look for a published sub-processors page that is kept up to date.
The AI Knowledge Base Question
Modern HR platforms use AI to answer employee questions from an uploaded knowledge base. This raises a specific question: does the AI model train on your employees' data?
The answer depends entirely on the architecture. A retrieval-augmented generation (RAG) system — where the AI searches your documents at query time rather than learning from them — does not train on your data. Your documents are retrieved and cited; they are not used to update the underlying model. This is the correct approach for HR data.
A system that fine-tunes an AI model on your HR data, or sends your data to a model provider without a data processing agreement, creates significant GDPR exposure. Ask any HR AI vendor directly: "Does our data contribute to model training?" and get the answer in writing in the DPA.
African Data Protection Laws: How They Compare
For companies operating across African markets, the regulatory picture is similar in principle to GDPR but varies in enforcement and specific requirements:
- Nigeria (NDPR/NDPA 2023): Requires consent or another lawful basis, mandates a data protection officer for certain organisations, and requires annual compliance audits for data controllers. NITDA is the regulatory authority.
- Kenya (Data Protection Act 2019): Closely mirrors GDPR. Data subject rights (access, erasure, portability) are explicit. The Office of the Data Protection Commissioner (ODPC) enforces it and has become active in investigations.
- South Africa (POPIA): Full enforcement since 2021. Eight conditions for lawful processing, including accountability, purpose specification, and security safeguards. The Information Regulator has issued fines.
- Ghana (Data Protection Act 2012, amended): Older framework but with similar principles. Registration with the Data Protection Commission required for some processing activities.
The practical implication for HR software: choose a vendor who can articulate their compliance position under multiple frameworks — not just "we're GDPR compliant" if you're operating primarily in Nigeria or Kenya. The frameworks overlap substantially, but the nuances matter for local audits.
A Practical Compliance Checklist
Before deploying any HR platform, confirm:
- You have a signed DPA with the vendor
- You know where your data is stored geographically and whether cross-border transfers are lawful
- The platform logs all data access and exports
- You can action a Subject Access Request in under 30 days using the platform's tools
- You can action an erasure request without manually hunting through tables
- The vendor's sub-processors are published and reviewed
- AI features do not use your data for model training without explicit consent
- Your privacy notice has been updated to reflect the new processor relationship
Compliance is not a one-time task. Set a calendar reminder to review your DPA and sub-processor list when you renew your contract, and whenever the vendor announces a major platform change.
HR Onboarding · Automate your onboarding process
Ready to try it yourself?
Set up your AI-powered onboarding bot in under 15 minutes. No credit card required.
Start free 14-day trial