GDPR and Human Resources: 5 mistakes that cost companies dearly

The GDPR (General Data Protection Regulation) does not concern only lawyers or DPOs. Human Resources are on the front line: recruitment, payroll, training, occupational health, administrative management.

‍

At every stage, employees’ personal data circulates and is exposed to risks. A simple oversight can trigger a data breach, loss of employee trust, or a sanction from the CNIL.

‍

So, what are the most common HR mistakes regarding GDPR, and how can they be avoided?

‍

‍

Keeping candidates’ CVs for too long

‍

‍

This is one of the most widespread pitfalls. Many companies keep CVs and cover letters for years, thinking they might be “useful” later.

‍

Mistake: the GDPR sets a maximum retention period of 2 years after the last contact with the candidate.

‍

Example: in 2020, a company was sanctioned by the CNIL for keeping applications for more than 5 years.

‍

• Good practice: set up an automatic deletion or anonymization system for CVs once the deadline has passed.

‍

‍

Accidentally sending sensitive data

‍

‍

A misaddressed email, a payslip sent to the wrong employee, or a salary file shared with an entire team… These errors are common and constitute data breaches.

‍

The CNIL considers this type of incident a serious breach of confidentiality.

‍

• Good practice: secure transmissions with a dedicated HR portal, encrypt sensitive documents, and limit email sharing.

‍

‍

Failing to inform employees of their rights

‍

‍

The GDPR requires informing every employee of their rights: access, rectification, deletion, objection. Too many companies forget to include this information in internal documents.

‍

Result: in the event of an audit, lack of transparency is sanctioned.

‍

• Good practice: add GDPR information notices to the internal regulations, welcome booklet, or HR intranet.

‍

‍

Sharing HR files without access restrictions

‍

‍

Open directories across the company, shared folders without proper permissions, ID documents stored on an accessible server: these are classic security flaws in HR departments.

‍

Such practices directly expose employees’ personal data.

‍

• Good practice: implement strict access rights management, regularly check access permissions, and conduct internal audits.

‍

‍

Overlooking GDPR clauses in outsourcing contracts

‍

‍

HR often relies on external providers: payroll software, recruitment agencies, occupational health services.

‍

Common mistake: signing a contract without clear GDPR clauses. Yet in case of a data breach, the employer remains liable before the CNIL.

‍

Example: in 2022, a company was sanctioned because its payroll provider failed to secure the data of hundreds of employees.

‍

• Good practice: ensure every contract includes clear obligations regarding security, confidentiality, and data retention periods.

‍

‍

FAQ – GDPR and Human Resources

‍

‍

Which HR data is covered by the GDPR?

‍All personal data related to employees and candidates: identity, bank details, payslips, evaluations, health data, family information.

‍

What are the risks for HR in case of non-compliance?

‍Financial penalties of up to 4% of global annual turnover, plus loss of employee trust.

‍

How long can a CV be kept under GDPR?

‍A CV must be deleted no later than two years after the last contact with the candidate.

‍

How can HR data be secured on a daily basis?

‍Limit access to personnel files, use strong passwords, encrypt sensitive documents, and regulate subcontractors.

‍

‍

Conclusion

‍

‍

GDPR mistakes in HR are not trivial. They are costly, both financially and in terms of employer brand.

‍

By avoiding these 5 pitfalls—excessive retention, sending errors, lack of transparency, uncontrolled access, and incomplete contracts—HR protects the company, strengthens employee trust, and becomes a central pillar of data governance.

‍

GDPR compliance in HR is not optional. It is an essential strategy to secure personal data and ensure organizational sustainability.