Secure HR Data: Compliance with GDPR, CCPA, and Global Laws

Published On: August 14, 2025

HR data compliance under GDPR, CCPA, and global privacy laws requires nine concrete steps: map your data, apply the right legal basis, restrict access, automate deletions, audit vendors, build breach protocols, document processing activities, train your team, and wire compliance into every new workflow before it goes live.

Privacy regulators do not grade on a curve. A €20M GDPR fine, a California AG enforcement action, or a CCPA class action lands the same way whether your HR team has 2 people or 200. The difference between the companies that get hit and the ones that don’t is almost always operational — not intentional. Bad data hygiene is the problem. Structured process is the fix.

These nine steps give you a working compliance framework for HR data — one you execute, not just audit against once a year.

1. Map Every HR Data Point Before You Do Anything Else

You cannot protect data you don’t know you have. Start with a full inventory: every field collected during recruiting, onboarding, employment, and offboarding. Include HRIS records, spreadsheets, email archives, performance tools, benefits portals, and any Make.com scenario that touches employee data.

Group each field by category: identifying information, sensitive data (health, biometric, financial), behavioral data (keystrokes, GPS, productivity scores), and employment data (salary, performance ratings, disciplinary records). That categorization determines which legal protections apply and how long you retain each type.

This is the same discovery work an OpsMap™ surfaces before any automation engagement. Without the map, every compliance decision downstream is a guess.

2. Understand Which Laws Actually Apply to Your Workforce

GDPR applies to any employee data you process if the employee is based in the EU — regardless of where your company is headquartered. CCPA and CPRA apply to California employees. Canada has PIPEDA. Brazil has LGPD. The UK operates its own post-Brexit version of GDPR. Multiple US states now layer on their own privacy frameworks.

Get a current legal opinion on your specific jurisdictions. Then map that opinion back to your HR data inventory. The goal is a single document that shows which law governs each data category, what the legal basis for processing is, and how long retention is permitted.

Do not assume your HRIS vendor has done this work for you. They built compliant infrastructure. They did not build a compliance program for your specific workforce configuration.

3. Lock Down Access With Role-Based Permissions

Most HR data breaches don’t come from hackers. They come from over-permissioned internal users — managers who see everyone’s salary, recruiters with access to active employee records, IT admins with standing access to benefits data they never touch.

Audit your HRIS access levels now. Every role gets access to exactly what it needs — nothing more. Performance data stays with direct managers and HR. Compensation data stays with the compensation team and executives. Benefits data stays with benefits admins and the employee themselves.

Then change your HRIS configuration defaults to enforce least-privilege by default. Most systems default to broad access and require manual restriction. Flip that default before your next hire.
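As an added illustration (not code from this post or from any HRIS product), the Python below encodes the access rules stated above as a deny-by-default policy, adds the two relationship roles the rules depend on (direct manager, the employee themselves), and audits a constructed list of existing HRIS grants for anything the policy does not justify. The role names (hr, recruiter, manager, it_admin, benefits_admin, compensation, executive) and all sample users are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple
# Access rules from step 3 (role names are assumed for illustration):
# performance -> direct manager of the subject or HR; compensation -> compensation
# team or executives; benefits -> benefits admins or the employee themselves.
# Any category missing from POLICY is denied to everyone (deny by default).
POLICY: Dict[str, Set[str]] = {
    "performance": {"hr", "direct_manager"},
    "compensation": {"compensation", "executive"},
    "benefits": {"benefits_admin", "self"},
}

@dataclass(frozen=True)
class User:
    user_id: str
    roles: FrozenSet[str]  # static HRIS roles granted to this user

@dataclass(frozen=True)
class Employee:
    employee_id: str
    manager_id: Optional[str]  # who this employee reports to, if anyone

def effective_roles(actor: User, subject: Employee) -> Set[str]:
    # Static roles plus relationship roles that depend on whose record is being read.
    roles = set(actor.roles)
    if actor.user_id == subject.employee_id:
        roles.add("self")
    if subject.manager_id == actor.user_id:
        roles.add("direct_manager")
    return roles

def can_access(actor: User, subject: Employee, category: str) -> bool:
    """Allow only if POLICY names one of the actor's effective roles for this category."""
    return bool(effective_roles(actor, subject) & POLICY.get(category, set()))

def audit_grants(grants: List[Tuple[str, str, str]], users: Dict[str, User],
                 directory: Dict[str, Employee]) -> List[Tuple[str, str, str]]:
    """Return every configured (user, employee, category) grant the policy does not justify."""
    return [g for g in grants if not can_access(users[g[0]], directory[g[1]], g[2])]

# Constructed sample: a small org and the read grants currently configured in the HRIS.
USERS = {u.user_id: u for u in (
    User("alice", frozenset({"hr"})), User("bob", frozenset({"recruiter"})),
    User("carol", frozenset({"manager"})), User("dave", frozenset()),
    User("erin", frozenset({"it_admin"})))}
DIRECTORY = {"carol": Employee("carol", None), "dave": Employee("dave", manager_id="carol")}
SAMPLE_GRANTS = [("alice", "dave", "performance"), ("bob", "dave", "performance"),
                 ("carol", "dave", "performance"), ("carol", "dave", "compensation"),
                 ("dave", "dave", "benefits"), ("erin", "dave", "benefits")]
```

Running `audit_grants(SAMPLE_GRANTS, USERS, DIRECTORY)` on the constructed data flags the recruiter's performance access, the manager's compensation access, and the IT admin's benefits access, which are exactly the over-permission patterns described above.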

4. Establish the Legal Basis for Every Type of Processing

Under GDPR, every processing activity requires a legal basis. The six options are: consent, contract, legal obligation, vital interests, public task, and legitimate interests. HR data almost never runs on consent — employees aren’t truly free to say no to their employer. That means you’re running on contract, legal obligation, or legitimate interests for the vast majority of processing.

Document it. For each data category in your inventory, write down the legal basis, what the processing accomplishes, and why that basis holds. Legitimate interests requires a balancing test — document that test too.

Under CCPA, the disclosure obligation is different. California employees have the right to know what you collect, the right to delete, and under CPRA the right to correct. Build your HR data disclosures into onboarding paperwork as a standalone notice signed before day one — not buried inside a handbook.

5. Automate Deletion Schedules for Terminated Employees

Retention schedules are compliance table stakes — but most HR teams manage them manually, which means they don’t manage them at all. A termination happens, the file sits in the HRIS, and three years later you’re still holding data you had to delete 18 months ago.

Build this in Make.com. When an employee is terminated, a scenario fires: it logs the termination date, calculates the retention deadline by jurisdiction and data category, creates a calendar task for the compliance team, and queues a deletion workflow for the day the clock runs out. No manual tracking. No missed deadlines.

The same approach non-technical HR teams use to build their own automations applies here — you don’t need a developer to set this up.

6. Audit Every Vendor That Touches Employee Data

Your ATS, background check vendor, benefits broker, payroll processor, and learning management system — every one of them is a data processor under GDPR. That means you need a signed data processing agreement (DPA) in place with each one.

Pull your current vendor list. For every vendor that receives employee data, confirm three things: Is there a signed DPA? Does it cover the data categories you actually share? Is the vendor certified under the EU-US Data Privacy Framework if data crosses the Atlantic?

If you use Make.com to send employee data to third-party systems via API, those connections are also in scope. Document every integration endpoint that receives personally identifiable information and confirm each has a corresponding vendor agreement.

7. Build a Breach Response Protocol Before You Need It

GDPR requires breach notification to your supervisory authority within 72 hours of discovery — not 72 hours after you’ve finished investigating, 72 hours after discovery. That clock is fast. CCPA has its own notification requirements. So does every US state with a breach notification law.

Write your protocol now. It needs: a clear definition of what constitutes a breach, a named person responsible for the 72-hour clock, a template notification for regulators, a template for employee notification, and an incident log for tracking every event.

Then run a tabletop exercise. Pick a realistic scenario — an HR manager’s laptop is stolen, or a Make.com scenario misfires and routes salary data to the wrong Slack channel — and walk through the protocol step by step. Find the gaps before a real breach exposes them.

8. Document Your Records of Processing Activities

Article 30 of GDPR requires most organizations to maintain a Record of Processing Activities (RoPA). It’s not optional, and “we’re too small” doesn’t exempt you if you process special categories of data — health, disability, and biometric data all qualify.

A RoPA is a living document listing every processing activity, the legal basis, the data categories involved, who receives the data, where it’s stored, how long it’s retained, and what security measures protect it. Most HR teams have never built one.

Build it in a Google Sheet or Airtable, connect it to your HR data inventory, and assign an owner to update it every time a new vendor or process is added. The same triage logic that surfaces your biggest HR risks applies here — start with your highest-risk data categories and work down the list.

9. Wire Compliance Into Every New HR Workflow From Day One

The most expensive compliance problems come from systems built without compliance in mind that need to be retrofitted after launch. Every new hiring workflow, every new performance process, every new benefits integration — compliance requirements go in at design time, not after go-live.

Ask three questions before any new HR process launches: What data does this collect? What’s the legal basis for collecting it? How does it get deleted when it’s no longer needed? If you can’t answer all three, the process isn’t ready.

For small HR teams running lean, build a one-page compliance checklist that any process owner completes before launch. It takes 15 minutes upfront and saves months of remediation later.

Compliance Is an Operational System, Not an Annual Event

GDPR, CCPA, and global privacy law don’t have a finish line. Regulators update guidance. New state laws pass. Your workforce moves across jurisdictions. Vendors get acquired. What’s compliant today needs a review next year.

The teams that stay compliant aren’t the ones with the biggest legal budgets. They’re the ones that treated compliance as an operational system — documented, automated where it makes sense, and owned by a named person with actual authority to enforce it.

If your HR operation inherited data practices you didn’t build and aren’t sure you can defend, start with the triage. Map what you have, find the gaps, and close the highest-risk ones first. That’s the same logic we apply whether we’re fixing broken HR operations or building compliant automation on top of a foundation that was already solid.
