General Data Protection Regulation (GDPR)

Back to HR Glossary

The General Data Protection Regulation (GDPR) is the European Union’s comprehensive data protection law that took effect in May 2018.

Summarise this post with:

chatgptChatgpt perplexityPerplexity geminiGemini grokGrok claudeClaude

What is the general data protection regulation (gdpr)?

The General Data Protection Regulation (GDPR) was passed by the European Union (EU) in 2016 to protect the privacy and personal data of individuals within the EU. It came into effect on May 25th, 2018. The GDPR replaces the 1995 EU Data Protection Directive and strengthens EU data protection laws by giving individuals more control over their data and its use.

Image showing the meaning of the GDPR

It applies to any organization that processes the personal data of EU residents, regardless of whether the organization is located within the EU. The GDPR also requires organizations to appoint a Data Protection Officer (DPO) if they are a public authority, if their core activities involve large-scale processing of certain types of personal data, or if they are a personal data processor. Organizations that fail to comply with the GDPR can face significant fines, up to 4% of their annual global revenue or €20 million (whichever is greater). HBR’s technology research identifies GDPR compliance as a competitive advantage as well as legal requirement : organizations that implement privacy-by-design build customer and employee trust that creates measurable business value beyond mere compliance.

Rights of individuals under gdpr:

The GDPR sets out several rights for individuals regarding their personal data, including:

  • The right to be informed: individuals have the right to be informed about collecting and using their personal data.
  • The right of access: Individuals can access their data and receive a copy.
  • The right to rectification: individuals have the right to have inaccurate personal data rectified.
  • The right to erasure: individuals have the right to have their personal data erased in certain circumstances.
  • The right to restrict processing: individuals have the right to restrict the processing of their personal data in certain circumstances.
  • The right to data portability: individuals have the right to receive their personal data in a format that allows them to move it to another service provider.
  • The right to object: individuals have the right to object to their personal data being processed in certain circumstances.

What is a data protection officer (dpo)?

A Data Protection Officer (DPO) is an individual who is responsible for overseeing an organization’s compliance with the General Data Protection Regulation (GDPR) and other data protection laws. The DPO is responsible for advising the organization on its obligations under the GDPR and monitoring its compliance with the regulation.

The GDPR requires organizations to appoint a DPO if they are a public authority, if their core activities involve large-scale processing of certain types of personal data, or if they are a personal data processor.

The DPO role is independent and not influenced by any other internal roles or departments; this means that DPO can act as an advisor to the management, monitor compliance with GDPR, internal policies, and procedures, and maintain a record of data processing activities. SHRM’s HR data privacy guidance provides detailed frameworks for GDPR-compliant employee data processing, including lawful basis identification, data subject rights responses, and transfer mechanism documentation.

GDPR compliance shapes how HR systems collect, store, and process employee and candidate data. Organizations using pre-employment assessments ensure every hire is grounded in verified skills. A data-driven hiring plan reduces mis-hire risk, while strong talent acquisition practices focused on skills-based hiring help organizations attract and retain top talent.

Frequently asked questions

The General Data Protection Regulation (GDPR) is the European Union’s comprehensive data protection law that took effect in May 2018. It regulates how organizations collect, process, store, and use personal data of EU/EEA residents. It applies globally : any organization that processes data of EU residents must comply, regardless of where the organization is based. Violations can result in fines up to €20 million or 4% of global annual revenue.

GDPR applies to all personal data about employees and job candidates: recruitment data (CVs, interview notes, assessment results), employment records (contracts, payroll, performance), benefits data, health and disability information, disciplinary records, and monitoring data (email, computer use). Employers must have a lawful basis for each type of processing, maintain records, respond to data subject requests, and implement appropriate security measures.

The six lawful bases: (1) Consent (for optional data processing : employees must be able to withdraw without detriment); (2) Contract necessity (data needed to perform the employment contract); (3) Legal obligation (data required by employment law); (4) Vital interests; (5) Public task; (6) Legitimate interests (employer’s legitimate business interests that don’t override employee rights). Most HR processing uses contract, legal obligation, and legitimate interests.

Employee rights include: right to access their personal data; right to rectification (correcting inaccurate data); right to erasure (‘right to be forgotten’ : limited in employment contexts due to legal retention requirements); right to restrict processing; right to data portability; right to object to processing; and rights related to automated decision-making. Employers must respond to requests within one month.

Transferring EU employee data outside the EU/EEA requires: adequacy decisions (transfer to countries EU has deemed adequate, like Japan and the UK post-Brexit); Standard Contractual Clauses (SCCs) from the European Commission; Binding Corporate Rules (BCRs) for multinational groups; or specific derogations. The EU-US Data Privacy Framework (2023) facilitates US-EU transfers for participating organizations.

Fines come in two tiers: (1) Up to €10 million or 2% of global annual turnover for procedural violations (inadequate records, not appointing a DPO when required, insufficient security measures); (2) Up to €20 million or 4% of global annual turnover for substantive violations (processing without lawful basis, violating data subject rights, international transfer violations). The largest recorded fine was €1.2 billion against Meta in 2023.