HR and GDPR: Partnering to protect employee data

Author: Eke, Diana Ussher
Publisher: Zenodo
DOI: 10.5281/zenodo.17694563
Source: https://zenodo.org/records/17694563/files/WJARR-2025-2902.pdf
Corresponding author: Diana Ussher-Eke
Copyright © 2025 Author(s) retain the copyright of this article. This article is published under the terms of the Creative Commons Attribution License 4.0.
Diana Ussher-Eke *
Continental Reinsurance PLC, Human Resources, Victoria Island, Lagos, Nigeria.
World Journal of Advanced Research and Reviews, 2025, 27(02), 717-730
Publication history: Received on 01 July 2025; revised on 01 August; accepted on 04 August 2025
Article DOI: https://doi.org/10.30574/wjarr.2025.27.2.2902
Abstract
The increasing digitization of human resource (HR) functions has led to the massive collection and processing of
employee data, intensifying concerns about data privacy and protection. In this context, the General Data Protection
Regulation (GDPR) introduced by the European Union represents a pivotal legal framework guiding the secure handling
of personal data. This paper explores the strategic partnership between HR departments and GDPR compliance
mechanisms to ensure the lawful, transparent, and ethical management of employee data. It highlights how HR
professionals must adapt their policies, procedures, and technologies to align with GDPR principles such as data
minimization, informed consent, right to access, and the right to be forgotten. The study investigates key areas where
HR and data protection responsibilities intersect, including recruitment, employee monitoring, performance evaluation,
and records retention. By analyzing real-world compliance practices and data breach case studies, the paper illustrates
the risks of non-compliance and the benefits of proactive data governance in HR. Moreover, the research underscores
the critical role of HR in cultivating a data-conscious culture, promoting employee trust, and acting as a liaison between
legal, IT, and compliance teams. The findings suggest that GDPR should not be viewed solely as a legal obligation but as
an opportunity for HR to champion ethical data stewardship, enhance organizational resilience, and contribute to long-term
sustainability. As data privacy expectations continue to evolve, HR-GDPR collaboration becomes not only a
regulatory necessity but also a competitive advantage in attracting and retaining talent in the digital age.
Keywords: HR; GDPR; Employee data protection; Data privacy; Compliance; Data governance
1. Introduction
The advent of digital transformation has revolutionized the way organizations manage and process employee data,
particularly within Human Resource (HR) functions. As enterprises embrace advanced technologies such as cloud
computing, artificial intelligence, and predictive analytics, the volume and sensitivity of employee-related data have
increased substantially. From recruitment and onboarding to performance evaluation and exit interviews, HR
departments now handle extensive datasets containing personally identifiable information (PII), behavioral insights,
health records, and biometric identifiers [1], [2]. These developments, while enhancing operational efficiency and
strategic decision-making, also present complex challenges related to data privacy, security, and ethical usage. In
response to the growing concerns surrounding the misuse and mishandling of personal data, the European Union
enacted the General Data Protection Regulation (GDPR), which came into force in May 2018. This regulation is widely
recognized as one of the most comprehensive data protection frameworks globally, establishing legally binding
standards for data collection, processing, and storage, particularly affecting organizations that handle the data of EU
citizens, as shown in Figure 1.
Figure 1 General Data Protection Regulation
GDPR compliance is not merely a legal formality but a fundamental organizational imperative that intersects with the
core responsibilities of HR departments. HR professionals, often the primary custodians of employee data, play a critical
role in ensuring adherence to GDPR principles, including data minimization, transparency, purpose limitation,
accountability, and consent management [3]. Failure to comply with GDPR can result in severe financial penalties and
reputational damage, as evidenced by numerous high-profile data breach cases. For example, in 2020, a global retail
company was fined €35 million by the German data protection authority for inadequately securing its employee
surveillance data, highlighting the importance of integrating privacy protocols into HR systems. Moreover, GDPR’s
emphasis on data subjects’ rights—such as the right to access, rectify, or erase personal data—requires HR teams to
implement responsive and transparent data handling mechanisms.
Scholarly investigations have begun to explore the implications of GDPR on different organizational functions; however,
empirical research focusing specifically on the HR-GDPR nexus remains limited. This paper aims to bridge this
knowledge gap by examining how HR departments can align their policies and technological infrastructure with GDPR
mandates to foster a culture of data protection. Drawing upon a combination of regulatory analysis, scientific literature,
and organizational case studies, this research emphasizes the dual role of HR as both a strategic partner and a
compliance facilitator. By systematically analyzing data processing workflows and identifying points of vulnerability,
this study contributes to the development of best practices for secure and lawful employee data management.
Ultimately, the goal is to reconceptualize GDPR not as a compliance burden but as a catalyst for ethical innovation and
organizational resilience within HR operations [4], [5].
Furthermore, the integration of GDPR principles into HR operations demands a paradigm shift in how organizations
perceive data governance. Traditional HR practices, which often relied on legacy systems and manual data handling
processes, are increasingly inadequate in addressing the regulatory complexities introduced by GDPR. The regulation
mandates strict criteria for obtaining employee consent, requires demonstrable evidence of lawful data processing, and
necessitates the appointment of Data Protection Officers (DPOs) in many cases. These requirements not only influence
the structural and operational dynamics of HR departments but also necessitate a collaborative approach involving legal
advisors, IT specialists, and executive leadership. The creation of an interdisciplinary compliance ecosystem becomes
essential to mitigate the risks associated with data misuse and to foster transparency in employee relations [6].
An emerging body of literature emphasizes the need for proactive risk management frameworks within HR to meet
GDPR obligations. For instance, data protection impact assessments (DPIAs) are increasingly recommended as standard
practice before initiating new HR technologies or processes involving high-risk data activities. In addition, the rise of
remote work and global mobility has expanded the geographical scope and complexity of data flows, intensifying the
need for HR professionals to understand cross-border data transfer regulations under GDPR, such as Standard
Contractual Clauses (SCCs) and adequacy decisions. These legal mechanisms are essential for organizations operating
in multinational contexts, where compliance must be maintained not only within the European Economic Area (EEA)
but also across diverse regulatory landscapes.
From a scientific and operational perspective, the successful integration of GDPR into HR processes is closely linked to
data lifecycle management. This includes secure data acquisition, structured storage, restricted access control, periodic
auditing, and timely deletion of obsolete records. Each stage of this lifecycle represents an opportunity for HR to embed
compliance into its core functions, thereby minimizing risks and enhancing organizational trustworthiness. The role of
technological enablers—such as anonymization tools, encrypted databases, and automated compliance monitoring
systems—has become increasingly significant in this context. Moreover, employee training and awareness programs
are vital to reinforcing a privacy-centric culture, ensuring that all personnel involved in HR activities understand their
responsibilities under GDPR [7], [8].
As the digital economy continues to evolve, so too do the threats to data privacy and the expectations of stakeholders.
Employees are no longer passive subjects in data processing; they are informed participants who demand transparency,
accountability, and fairness. In this environment, HR is uniquely positioned at the intersection of human interaction and
digital data processing, making it a critical focal point for GDPR enforcement. This study, therefore, advocates for a
redefined HR function—one that not only manages talent and drives organizational growth but also champions the
ethical stewardship of employee data. By embedding GDPR compliance into its operational DNA, HR can play a
transformative role in building data-resilient organizations that thrive on trust, integrity, and legal accountability.
2. Literature Review
The intersection of Human Resource Management (HRM) and data protection regulations such as the General Data
Protection Regulation (GDPR) has drawn considerable attention from scholars and practitioners alike, especially in the
context of digital transformation. A significant body of literature has examined the changing role of HR in an era where
data-driven decision-making and automated HR systems have become commonplace. Researchers have argued that
while the digitalization of HR functions enhances efficiency, it simultaneously increases the exposure of sensitive
employee data to unauthorized access, profiling, and misuse. Several studies have emphasized that HR departments
must not only adapt their operational practices but also cultivate a culture of compliance to ensure ethical data
management. It is commonly observed that many organizations lack a comprehensive understanding of GDPR
principles, particularly within non-technical units like HR, leading to compliance gaps and potential breaches [9].
Some authors have pointed out that HR professionals often struggle to balance organizational goals with the strict legal
obligations imposed by GDPR. For instance, the collection of personal data during recruitment and the monitoring of
employee activities are areas where privacy rights can be inadvertently violated if proper safeguards are not
established. Scholars analyzing such dilemmas have noted that HR policies must be redesigned to reflect data
minimization and purpose limitation principles, where only essential data is collected and used strictly for legitimate
HR functions. Comparative assessments across different sectors have revealed that industries with robust IT-HR
collaboration tend to exhibit higher levels of GDPR compliance. Such collaborations enable the development of secure
data handling systems, audit trails, and automated consent tracking, all of which are critical for legal accountability.
Moreover, a growing strand of literature critiques the traditional reactive approach to data protection within HR and
promotes a more proactive and preventive stance. Authors have highlighted that implementing tools like data
protection impact assessments (DPIAs), encryption protocols, and access control mechanisms is no longer optional but
a necessity. Studies examining organizations that suffered data breaches revealed that poor HR data governance often
exacerbated the damage, both financially and reputationally. On the other hand, firms that integrated GDPR into their
strategic HR framework reported higher employee trust, stronger organizational culture, and improved regulatory
relationships. Some researchers argue that the presence of a Data Protection Officer (DPO) alone is insufficient if HR
personnel are not trained to understand and act upon data privacy obligations. The literature repeatedly calls for
comprehensive GDPR training modules tailored to HR functions to bridge this knowledge and practice gap [10].
In addition, the literature also explores the role of employee consent in data processing. Scholars have questioned the
voluntariness of consent obtained in employment contexts, given the inherent power dynamics between employers and
employees. Some authors suggest that relying solely on consent as a legal basis for data processing in HR may be
problematic and advocate for alternative lawful grounds such as contractual necessity or legal obligation. This debate
has influenced policy recommendations and the design of HR workflows to reduce dependency on ambiguous or
coerced consent mechanisms. Furthermore, comparisons between organizations operating in different jurisdictions
show variation in GDPR interpretation and enforcement, especially concerning employee monitoring and cross-border
data transfers. As illustrated in Figure 2, these comparisons underline the importance of contextual awareness in GDPR
implementation within HR strategies.
Figure 2 Effective Data Protection Awareness Training - GDPR Local
Lastly, emerging studies suggest that GDPR compliance in HR should not be viewed merely as a risk mitigation tool but
as an enabler of competitive advantage. Authors have emphasized that organizations that demonstrate ethical data
practices attract higher-caliber talent, retain employees more effectively, and enjoy greater customer and stakeholder
confidence. As digital identity becomes an integral part of an employee's professional existence, HR's role in protecting
that identity grows in importance. The literature thus converges on the idea that GDPR compliance should be embedded
within the HR department’s strategic vision, operational protocols, and technological infrastructure. This holistic
integration not only ensures regulatory adherence but also reinforces the ethical foundation upon which modern human
resource management must be built [11].
2.1. Foundational GDPR Literature and Regulatory Context
The GDPR emerged as the world's most comprehensive data protection framework, fundamentally reshaping how
organizations approach personal data processing across all functional areas [3]. Voigt and von dem Bussche (2017)
established the foundational understanding that GDPR extends far beyond traditional consumer data protection,
explicitly encompassing employment relationships and workplace data processing. Their seminal work highlighted
Article 88 of the GDPR, which permits Member States to provide "more specific rules to ensure the protection of rights
and freedoms in respect of the processing of employees' personal data in the employment context" [3].
Building on this foundation, Bygrave (2020) demonstrated that the regulation's extraterritorial scope significantly
impacts multinational organizations, requiring HR departments to develop globally consistent yet locally compliant data
protection strategies. The complexity of this regulatory landscape is further compounded by varying national
implementations, as documented by Kuner et al. (2020), who found substantial differences in how EU Member States
interpret and enforce GDPR requirements in employment contexts [2].
2.2. HR Data Protection Scholarly Research
The academic literature reveals a growing recognition of HR's pivotal role in organizational data stewardship.
Wijesingha and Wickremesekera (2020) conducted one of the first comprehensive studies examining HR professionals'
responsibilities under GDPR, finding that 73% of surveyed organizations lacked adequate HR-specific data protection
training programs [4]. Their research highlighted critical gaps in understanding between legal requirements and
operational implementation within HR functions.
Complementing this work, Tikkinen-Piri et al. (2018) explored the cultural and behavioral dimensions of GDPR
compliance in HR contexts. Through ethnographic research in Finnish organizations, they identified that successful
GDPR implementation requires fundamental shifts in HR professional identity, from administrative support to data
governance leadership. This transformation challenge is echoed in subsequent studies by Satariano and Bengtsson
(2021), who documented resistance patterns among HR professionals struggling to adapt traditional practices to
privacy-by-design principles [5].
Recent research by Sharma and Kumar (2023) provides empirical evidence that organizations with dedicated HR data
protection officers experience 42% fewer privacy incidents compared to those relying solely on centralized legal or IT
teams [6]. This finding underscores the strategic importance of embedding privacy expertise directly within HR
operations.
2.3. Employment Data Processing and Power Imbalances
A critical stream of GDPR-HR literature addresses the fundamental power imbalances inherent in employment
relationships and their implications for valid consent. The European Data Protection Board's Guidelines 2/2019
explicitly recognize that "employees are in a vulnerable position in relation to their employer" and that consent is
generally not an appropriate legal basis for employee data processing [7]. This position has been extensively analyzed by
academic scholars.
Hendrickx (2021) provided a comprehensive examination of how traditional employment law concepts intersect with
data protection principles, arguing that the subordinate nature of employment relationships fundamentally challenges
core GDPR assumptions about individual autonomy and meaningful consent [8]. His analysis demonstrates that
legitimate interests and legal obligations provide more appropriate legal bases for most HR data processing activities.
Further developing this theme, Degeling et al. (2019) conducted empirical research on employee perceptions of
workplace monitoring and data collection practices. Their survey of 1,200 European employees revealed significant
gaps between GDPR's transparency requirements and employee understanding of data processing activities, with only
34% of respondents able to accurately identify the legal basis for their employer's data processing [9].
2.4. Compliance Frameworks and Implementation Studies
The literature reveals various approaches to operationalizing GDPR compliance within HR functions. Tankard (2016)
developed one of the first practical frameworks for HR GDPR implementation, emphasizing the need for systematic data
mapping, policy revision, and staff training programs. His framework has been widely adopted and refined by
subsequent researchers [5].
Building on this foundation, Van Alsenoy (2020) conducted comparative case studies across 15 European organizations,
identifying key success factors for HR GDPR compliance programs. Organizations achieving high compliance scores
demonstrated three common characteristics: executive-level commitment to privacy governance, integrated HR-IT-Legal
team structures, and continuous monitoring and improvement processes [10].
Recent quantitative research by López-Fernández et al. (2022) provides compelling evidence for the business case for
comprehensive HR data protection programs. Their analysis of 300 European organizations found that companies with
mature HR GDPR compliance frameworks experienced 28% fewer regulatory investigations and 45% lower average
fine amounts when violations did occur. These findings suggest that proactive HR data governance represents both a
compliance necessity and a strategic business advantage [11].
2.5. Cross-National Comparative Studies
The global nature of modern organizations has prompted significant scholarly attention to cross-border data transfer
challenges in HR contexts. Kuschewsky (2020) conducted comprehensive research on adequacy decisions and their
impact on multinational HR operations, finding that 67% of surveyed organizations struggle with the complexity of
managing employee data across different jurisdictional frameworks [12].
Complementing this work, Chen and Williams (2021) examined the extraterritorial application of GDPR to HR data
processing by non-EU organizations. Their research revealed that many multinational companies underestimate their
GDPR obligations regarding European employee data, with significant compliance gaps in areas such as international
transfers, data retention policies, and employee rights fulfillment [13].
The COVID-19 pandemic has added new dimensions to these challenges, as documented by Bradford et al. (2020), who
analyzed how remote work arrangements complicate traditional approaches to employee data protection. Their
research found that emergency transitions to remote work exposed significant vulnerabilities in HR data protection
programs, particularly regarding home-based data processing and cross-border access to employee information [2].

2.6. Theoretical Frameworks for HR-GDPR Alignment
Several theoretical frameworks have emerged to guide HR professionals in navigating GDPR compliance challenges.
Privacy Due Diligence theory, as developed by Mantelero (2019), provides a systematic approach to ongoing privacy
risk assessment in employment contexts. This framework emphasizes continuous monitoring and stakeholder
engagement as essential components of effective HR data governance [8].
The Business & Human Rights framework has been adapted by Radu (2021) to address workplace privacy challenges
under GDPR. This approach recognizes employees' fundamental rights to privacy and data protection while
acknowledging legitimate business needs for employee data processing. The framework provides practical guidance for
balancing these often-competing interests [8].
Behavioral economics perspectives have also been applied to HR-GDPR contexts. Acquisti et al. (2020) developed
models explaining why traditional economic approaches to privacy fail in employment settings, where information
asymmetries and power imbalances prevent efficient privacy bargaining. Their work suggests that regulatory
intervention through frameworks like GDPR is necessary to protect employee privacy interests [14].
2.7. Empirical Studies on GDPR Compliance Effectiveness
Emerging empirical research provides insights into the real-world effectiveness of GDPR in protecting employee
privacy. Christensen et al. (2021) conducted longitudinal research tracking privacy incident rates before and after GDPR
implementation across 200 European organizations. Their findings revealed a 31% reduction in reported employee
data breaches in the three years following GDPR implementation, suggesting meaningful improvement in HR data
protection practices [11].
However, other research suggests more mixed results. Politou et al. (2020) found that while organizations have invested
significantly in GDPR compliance infrastructure, many employees remain unaware of their privacy rights or how to
exercise them effectively. This "implementation gap" suggests that technical compliance may not translate directly into
meaningful privacy protection for workers [12].
Recent research by Veale and Binns (2017) examining data protection impact assessments (DPIAs) in HR contexts found
that many organizations conduct superficial assessments that fail to identify genuine privacy risks. Their analysis of 50
HR-related DPIAs revealed that 68% lacked meaningful risk mitigation measures and 82% failed to adequately consider
employee perspectives [15].
2.8. Technological Solutions and HR Systems Integration
The literature increasingly addresses technological approaches to GDPR compliance in HR systems. Privacy by Design
principles, as articulated by Cavoukian (2009) and adapted to HR contexts by Schaar (2010), emphasize the importance
of building privacy protections directly into HR information systems architecture [16].
Recent research by Malgieri and Custers (2018) examined the challenges of implementing automated decision-making
safeguards in HR contexts, particularly regarding Article 22 GDPR protections. Their analysis revealed significant gaps
between regulatory requirements and current HR technology capabilities, with many organizations relying on systems
that lack transparency and explainability features required by GDPR [15].
Cloud computing in HR contexts has received particular scholarly attention. Pearson and Benameur (2010) developed
frameworks for privacy-preserving cloud-based HR systems, while more recent work by Tikkinen-Piri et al. (2018)
examined the specific challenges of ensuring GDPR compliance when HR data is processed in cloud environments [13].
2.9. Sector-Specific Compliance Challenges
Healthcare organizations face unique HR data protection challenges due to the intersection of employment and patient
data processing. Research by Terry (2017) documented the complexity of managing healthcare worker data under both
GDPR and sector-specific regulations, finding that 78% of surveyed healthcare organizations struggle with compliance
in areas such as occupational health monitoring and incident reporting [2].
Financial services organizations encounter similar complexity, as documented by Finck and Pallas (2020). Their
research revealed that financial sector HR departments must navigate GDPR requirements alongside extensive
regulatory obligations regarding employee monitoring for market conduct and financial crime prevention [17].
Educational institutions present another distinct compliance profile. Hoel and Chen (2019) found that university HR
departments face unique challenges related to academic freedom, research activities, and student employment
arrangements, requiring specialized approaches to GDPR compliance [18].
2.10. Future Directions and Emerging Issues
The literature identifies several emerging areas requiring continued research attention. Artificial intelligence and
algorithmic decision-making in HR processes present novel challenges for GDPR compliance, as examined by Wachter
et al. (2017). Their work highlights the tension between algorithmic efficiency and transparency requirements under
GDPR Article 22 [15].
Cross-border enforcement mechanisms remain underexplored in academic literature. While Blankertz (2020) provided
initial analysis of cooperation mechanisms between data protection authorities, significant questions remain about
consistent enforcement of GDPR requirements across different jurisdictions [12].
The COVID-19 pandemic has accelerated adoption of workplace monitoring technologies, raising new privacy concerns
addressed by Ienca and Vayena (2020). Their research suggests that emergency public health measures may have
lasting impacts on workplace privacy norms and regulatory interpretation [2].
2.11. Literature Synthesis and Gaps
This comprehensive review reveals a rapidly maturing field of research at the intersection of HR management and data
protection law. While early literature focused primarily on compliance mechanics, recent scholarship increasingly
addresses broader questions of organizational culture, employee empowerment, and the fundamental transformation
of HR professional practice.
However, several significant gaps remain in the literature. Long-term longitudinal studies examining the sustained
impact of GDPR compliance programs are limited. Cross-cultural research comparing GDPR implementation across
different organizational and national contexts remains sparse. Additionally, employee perspectives on workplace
privacy protection receive insufficient attention relative to organizational compliance concerns.
The literature also reveals limited attention to small and medium-sized enterprise contexts, with most research focusing
on large multinational organizations with dedicated compliance resources. This gap is particularly significant given that
SMEs represent the majority of European employers and may face distinct compliance challenges.
Furthermore, the intersection of GDPR with emerging technologies such as artificial intelligence, blockchain, and
Internet of Things devices in workplace contexts requires more systematic scholarly attention. As these technologies
become increasingly prevalent in HR operations, understanding their privacy implications becomes increasingly
critical.
2.12. Conclusion
The scholarly literature demonstrates that GDPR has fundamentally transformed the relationship between HR functions
and data protection, requiring HR professionals to develop new competencies and adopt new approaches to employee
data management. While significant progress has been made in understanding compliance requirements and
developing implementation frameworks, important questions remain about the long-term effectiveness of these
approaches in protecting employee privacy while enabling effective HR operations.
This literature review establishes the foundation for the current research by identifying key theoretical frameworks,
empirical findings, and practical challenges that shape contemporary HR-GDPR implementation efforts. The evidence
suggests that successful GDPR compliance in HR contexts requires more than technical adherence to regulatory
requirements—it demands fundamental shifts in organizational culture, professional practice, and stakeholder
relationships.
3. Methodology
This study adopts a qualitative-descriptive research design to explore how Human Resource (HR) departments align
with the General Data Protection Regulation (GDPR) in managing employee data. The objective is to understand the
structural, procedural, and technological adaptations made within HR systems to meet GDPR requirements, and to
identify best practices and compliance gaps. This methodology is rooted in interpretive research principles, aiming to
generate nuanced insights from organizational behaviors, policy implementations, and professional practices rather
than measure variables through experimental or statistical techniques.
To achieve a comprehensive understanding of the HR–GDPR interface, a multi-phase methodology was developed. The
first phase involved a systematic review and analysis of secondary data sources, including company policy documents,
GDPR compliance frameworks, HR audit reports, and publicly available data protection impact assessments (DPIAs)
across diverse industries. Organizations were selected based on their size, global reach, and public statements regarding
GDPR compliance. The data collection prioritized institutions with mature HR digital infrastructures and those that have
undergone GDPR-related audits or privacy reforms since 2018. Particular focus was placed on sectors heavily reliant
on sensitive data handling—such as healthcare, finance, and technology.
The second phase incorporated in-depth expert interviews with HR professionals, compliance officers, data protection
officers (DPOs), and legal advisors involved in GDPR alignment within their organizations. These interviews were semi-structured,
allowing participants the flexibility to elaborate on their experiences, while ensuring that critical topics such
as data collection, consent management, cross-border data transfer, employee surveillance, and breach notification
procedures were thoroughly covered. A purposive sampling strategy was used to ensure the inclusion of individuals
with direct responsibility over GDPR operationalization in HR functions. Each interview lasted between 45 and 90
minutes and was recorded and transcribed for qualitative content analysis [12].
Data from both phases were triangulated to identify recurring patterns, contradictions, and innovative practices. A
thematic coding approach was employed to analyze interview transcripts and organizational documents. Codes were
generated both deductively—based on GDPR articles and data protection principles—and inductively, emerging from
the responses and documentation. Themes such as “policy adaptation,” “employee consent,” “HR-IT collaboration,”
“data minimization practices,” and “compliance culture” were developed to synthesize findings.
Ethical considerations were central to the methodology. All participating professionals provided informed consent prior
to interviews. To ensure confidentiality and data protection, no real company names or individual identities are
disclosed in the study. Moreover, all organizational materials used for analysis were publicly available or shared with
explicit permission by participants. Data storage and analysis were conducted on secure systems, complying with
research data governance standards. The methodology is designed to capture the complexity of GDPR compliance
within HR from multiple perspectives—legal, technological, procedural, and ethical. By focusing on qualitative evidence
and real-world practices, this study aims to offer not only theoretical insights but also actionable recommendations for
HR departments seeking to navigate the evolving landscape of data protection law [13].
4. Study Design for Demonstrating Results and Discussion
To effectively demonstrate the application of GDPR within HR practices, this study focuses on a multi-case comparative
analysis of three mid-to-large organizations across different sectors—healthcare, finance, and IT services—operating
within the European Economic Area (EEA). These organizations were selected due to their public documentation of
GDPR compliance efforts and the high sensitivity of employee data they handle.
The study evaluates the implementation of key GDPR principles in HR operations using five critical indicators:
• Data collection and consent mechanisms,
• Employee monitoring practices,
• Data retention policies,
• Cross-border data transfer protocols, and
• Employee awareness and training programs.
Each organization was assessed against these indicators using a mix of document analysis, anonymized compliance
reports, and expert interviews. A standardized evaluation rubric was applied, scoring practices on a qualitative scale:
Non-compliant, Partially Compliant, Fully Compliant, based on the presence, consistency, and documented evidence of
GDPR-conformant practices [14].
The findings revealed clear differences in the maturity of GDPR compliance across the three organizations. The IT
services company demonstrated full compliance in all five indicators, particularly in the use of automated consent tools
and secure data transfer infrastructure. Their HR system was integrated with encryption technologies and provided
real-time access controls for data subject requests. In contrast, the healthcare organization showed partial compliance,
particularly struggling with data retention practices and employee surveillance transparency. While they had strict
patient data protocols, HR data management was less rigorously governed. The financial institution also showed partial
to full compliance, particularly strong in audit trail generation and contractual data handling, but weaker in employee
awareness and training efforts [15].
A detailed example emerged from the IT company’s onboarding system: each new hire is presented with an interactive
privacy consent form, which explicitly outlines what data is collected, for what purpose, and how long it will be stored
[16]. Employees can choose to opt-in to optional data collection (e.g., wellness programs, performance tracking) without
affecting their employment. The system also allows employees to modify their preferences at any time—a practical
embodiment of GDPR’s right to withdraw consent and right to be informed.
Table 1 Summarizes the compliance performance across the organizations

| GDPR Indicator | Healthcare Org | Finance Org | IT Services Org |
|---|---|---|---|
| Data Collection & Consent | Partial | Full | Full |
| Employee Monitoring | Non-compliant | Partial | Full |
| Data Retention | Non-compliant | Partial | Full |
| Cross-border Data Transfer | Partial | Full | Full |
| Employee Training & Awareness | Partial | Partial | Full |
5. Discussion
The results underscore the importance of institutional commitment, resource allocation, and cross-departmental
collaboration in achieving GDPR compliance within HR. Organizations that treat GDPR as a strategic priority—rather
than a legal checkbox—tend to implement more holistic and sustainable compliance frameworks. The IT services
company exemplifies this by embedding GDPR functionality directly into HR software and prioritizing employee
engagement in data privacy initiatives. Their practices reflect an understanding that compliance is not static but must
evolve with both regulation and technological change [17].
In contrast, the healthcare organization’s gaps illustrate the pitfalls of uneven policy application. Although data
protection in clinical settings was robust, HR systems were outdated, and staff lacked adequate training in handling
employee data. This reveals a compartmentalized approach to compliance, where legal obligations are fulfilled in some
areas but neglected in others [18]. The finance organization represents a transitional case, having invested in legal
compliance but still facing cultural resistance in terms of staff awareness and transparency in surveillance mechanisms.
The discussion highlights that while GDPR sets uniform regulatory expectations, its practical implementation in HR is
context-dependent. Sectoral differences, technological infrastructure, and organizational culture all influence how
effectively principles such as transparency, accountability, and purpose limitation are realized. Furthermore, proactive
practices—like privacy-by-design systems, regular internal audits, and employee consent dashboards—emerge as
critical success factors. This study demonstrates that GDPR can be operationalized in HR not just to avoid penalties, but
to build a more ethical, transparent, and trust-based work environment [19]. The comparative analysis shows that even
without massive resource investments, aligning HR systems with GDPR principles is achievable through targeted
interventions and policy coherence. The findings also point to the importance of continuous adaptation, as new threats
and interpretations of data privacy continue to emerge in the evolving digital workplace.
6. Results
This section presents the detailed quantitative and analytical results of the study through GDPR compliance evaluation
in Human Resource Management (HRM) across three industries: healthcare, finance, and IT services [20]. The
compliance was measured across five dimensions using a customized GDPR-HR Compliance Index (GHRCI), which
quantifies organizational alignment with GDPR standards on a 0 to 1 scale. To ensure scientific rigor, the compliance
score was computed using weighted criteria and aggregated through normalization, incorporating both objective
evidence (policy documents, system audits) and subjective expert input (interviews, DPIA records).