What is the GDPR and how does it impact HR and payroll?

What is the GDPR?

The introduction of the European General Data Protection Regulation (GDPR) in May 2018 had a significant impact on the way that companies who do business in the European Union or who handle EU residents’ personal data manage this information.

With penalties for non-compliance representing 4% of worldwide revenue (or €20 million, whichever is higher), companies cannot afford to ignore the GDPR.


Infographic: GDPR at a Glance

See how HR professionals view the GDPR privacy principles.

What defines “personal data” within the GDPR?

Personal data under the GDPR is literally any information that could identify any aspect of an individual’s personal, public or professional life. Examples include; a person’s name, address, phone number, email address, IP address, and cultural, economic and biometric information.

The GDPR protects not only identifiable individuals, but also individuals who could be "singled out" among others, even if they can’t be directly identified.

New Responsibilities for HR Leaders

Certain articles of the regulation have dominated the headlines – including individuals’ right to be forgotten (having their personal data deleted altogether) or right to access their personal data, for example.

This adds new responsibility for HR leaders to ensure compliance and avoid penalties. The GDPR requires more of HR’s time, more technology, and possibly even more personnel.


Only 14% of payroll professionals have received GDPR training specific to the payroll industry.

Source: Global Payroll Association white paper: “Protecting Personal Data and Payroll Professionals”, 2018

Other GDPR points to consider:

Update your staff and applicants with privacy notices

Under the GDPR, you have to update your staff and applicants with privacy notices that specify what is the purpose of the processing and what is the legal basis for such processing, and whether you are transferring their data out of the EU.

Transfer personal data out of the European Union

HR will have to implement a lawful mechanism to transfer personal data out of the European Union (EU). In order to transfer personal data outside of the EU, companies will have to implement one of the following mechanisms; Binding Corporate Rules, Standard Contractual Clauses, individual consent or send data to a company located in an ‘adequate’ country. ADP has adopted Binding Corporate Rules in 2018.

Notify the data protection authorities within 72 hours

Data controllers, meaning persons or companies making the decision to launch data processing and overseeing the means by which personal data is processed, must notify the Data Protection Authorities within 72 hours of being made aware of a personal data breach unless there is no risk to the rights and freedoms of individuals. Failure to report within this timeframe may result in fines.

Document and demonstrate compliance with the GDPR

HR is now expected to document and demonstrate compliance with the GDPR, such as being able to provide a registry of applications, processes, and categories of data being processed by your organisation.

How an Outsourced HCM Solution Can Help

Given the complexity of compliance, it is not surprising that over three quarters of HR leaders are using the GDPR and other data privacy legislation as a driver for seeking an outsourced HCM solution.

Why outsource? Your company may not have the technical expertise or resources to carry out the necessary requirements of the GDPR, and outsourcing your HR data processing to a cloud-based HCM provider like ADP can go a long way towards reducing the burden of accountability. ADP prepared for the GDPR for a long time prior to its implementation, and can help our clients position themselves to meet the requirements of this demanding new age in European privacy protection.

As of March 2018, ADP ranks among an elite group of companies worldwide to have gained regulators’ approval to implement BCRs as both a data processor (covering the processing of clients’ data) and data controller (covering the data of our employees and other business associates).


Meet the GDPR requirements with ADP’s suite of HCM products

Additional GDPR Insights

Let's find the perfect solution for your business

How can we help today?
Are you a current ADP client?

Talk to Sales: 044 744 97 97

By submitting this form you are informed that ADP may contact you about its products, services, and offers, according to our Privacy statement for Business contacts.