Glossary term: GDPR

GDPR is the data protection law governing how personal data, including employee information, must be collected, stored, and processed, with individual rights and consent requirements.

Category: legal-terms

Difficulty: intermediate

Read time: 7 min

Updated: 2025-01-15

Definition

Detailed explanation

The General Data Protection Regulation (GDPR) and UK GDPR set rules for processing personal data, including employee information held by employers.

Key principles include a lawful basis for processing, purpose limitation, data minimization, accuracy, storage limitation, integrity, and accountability. HR data processing most often relies on contract, legal obligation, or legitimate interest as its lawful basis.

Employees have rights including access to their data, rectification, erasure (limited for employment records), and objection to certain processing. Significant breaches must be reported within 72 hours of the employer becoming aware of them.

Practical guidance

How it works

Identify the lawful basis for each processing activity, document it in privacy notices, respond to data subject rights requests, and report significant breaches.

Best practices

Maintain data processing records

Have employee privacy notice

Train staff on data protection

Implement data retention policy

Plan for subject access requests

Legal context

Legal basis

General Data Protection Regulation (EU) 2016/679; UK GDPR

Jurisdiction: United Kingdom, European Union

Key provisions

Lawful basis required for processing

Data minimization principle

Subject access rights within 1 month

Right to rectification and erasure

Breach notification within 72 hours

Privacy by design requirement

Frequently asked questions

How long should HR records be kept?

Keep records for as long as necessary for the purpose. Common periods: 6 years after employment ends for most records (to cover legal claims), 3 years for absence records, and 40 years for pension records. Have a clear retention policy.

Can employees see their personnel file?

Yes, under Subject Access Request rights. Respond within 1 month. Some exemptions apply, such as management planning notes and references given about the employee to others.