
Post: Global Data Privacy Laws: HR Compliance for GDPR & PIPL
Global HR systems that process EU or Chinese employee data operate under two separate legal frameworks — GDPR and PIPL — with distinct rules on consent, cross-border transfers, and retention. These nine compliance requirements cover every HR operation handling employee personal data across those jurisdictions, with automation steps that enforce compliance without manual follow-through.
GDPR has been enforceable since May 2018. China's Personal Information Protection Law (PIPL) took effect on 1 November 2021. Both frameworks reach any organization that processes the personal data of employees, contractors, or applicants located in those regions, and both impose penalties steep enough to create material business risk. Fines under GDPR reach €20 million or 4% of global annual turnover, whichever is higher. PIPL fines reach ¥50 million or 5% of the previous year's turnover, and PIPL can additionally fine the individuals directly responsible and bar them from senior roles.
Most HR teams have some compliance pieces in place and significant gaps elsewhere. This list covers all nine requirements and sequences them in the order that actually makes sense to work through.
1. Map Every Employee Data Flow Before You Configure Anything
You cannot protect data you haven’t located. Before updating a privacy notice, configuring a workflow, or reviewing a vendor agreement, document where employee personal data lives, where it moves, and who has access to it.
That inventory includes your HRIS, payroll processor, benefits carriers, background check vendor, ATS, and any Make.com scenarios that route employee data between systems. For each data category — names, national IDs, health records, financial data, biometrics — log the source, destination, retention period, and the legal basis for processing it.
The OpsMap™ discovery process runs this exercise before any automation build. The same principle applies to compliance work: map first, build second. Your privacy notices, your ROPA, and your DSAR responses are only as accurate as the data inventory they’re built on.
2. Assign the Correct GDPR Lawful Basis to Each HR Data Category
GDPR requires a documented lawful basis for every processing activity. HR operations rely on several, and a data category assigned the wrong basis is, in effect, processed without one: the basis has to be settled before processing starts and cannot simply be swapped for a different one after the fact, so that category stays unlawful until it is fixed.
The three bases that apply most directly to employment data:
- Contract — processing necessary to perform the employment contract, such as payroll and benefits administration
- Legal obligation — processing required by law, such as tax records and right-to-work verification
- Legitimate interests — processing for business purposes where the employee’s rights don’t override those interests, such as internal directories and performance documentation
Consent is the fourth option, the one HR teams reach for most often, and the one regulators scrutinize most closely. Because of the power imbalance inherent in an employment relationship, employees can rarely give consent that is genuinely freely given. Use consent only for processing that is genuinely optional, where declining or withdrawing carries no employment consequence, and record the option to decline alongside the grant.
For special category data (health records, biometrics, disability status, union membership, racial or ethnic origin, and the rest of the Article 9 list) you need both an Article 6 lawful basis and a separate Article 9(2) condition. The conditions HR most often relies on are Article 9(2)(b), processing necessary under employment or social security law, and Article 9(2)(a), explicit consent, with the same caveats about consent as above. Document both the basis and the condition for each data category before your next audit cycle.
3. Understand PIPL’s Cross-Border Transfer Requirements for Chinese Employee Data
PIPL applies to any organization processing personal information of individuals located in China — including employees, contractors, and job applicants. If your HRIS syncs data to servers outside China and you have workers in country, PIPL governs that transfer.
The transfer route depends on the volume and sensitivity of the data transferred. The CAC's 2024 Provisions on Promoting and Regulating Cross-Border Data Flows set the current volume thresholds and carve out exemptions, including one for transfers necessary for cross-border human resources management under lawfully adopted labor rules, so confirm with counsel which route, if any, applies before committing to a filing:
- Security assessment — required for large-volume transfers or transfers of sensitive personal information; filed with the Cyberspace Administration of China (CAC)
- Standard contract — CAC-approved template required for smaller-volume transfers not subject to security assessment
- Certification — an alternative route through an accredited certification body for organizations meeting specific criteria
PIPL Article 28 treats the following as sensitive personal information: biometrics, religious beliefs, specific identity, medical and health data, financial accounts, location and movement tracking, and the personal information of minors under 14. HR systems process at least one of these categories for most employee populations in China, and each one requires separate consent under Article 29 and a personal information protection impact assessment under Article 55.
Unlike GDPR, PIPL has no legitimate interests basis. Every processing activity needs consent, contractual necessity, a legal obligation, an emergency exception, or another ground listed in Article 13. The ground most relevant to HR is the one for processing necessary for human resources management carried out under lawfully formulated labor rules and collectively signed contracts; anything outside that scope falls back on consent, which PIPL requires to be voluntary, explicit and informed, and which must be a separate consent for sensitive data and for cross-border transfers. That structural difference forces different collection workflows for Chinese employees than for EU employees, and many HR teams have not built them.
4. Build Consent Capture and Withdrawal Workflows That Run Without Manual Intervention
Consent records only matter if you can prove them. A checkbox in an onboarding PDF stored in someone's email archive does not hold up in an enforcement action. Both laws put the burden on the organization to demonstrate that consent was validly obtained (GDPR Article 7(1) says so explicitly), and PIPL adds the separate-consent requirements for sensitive data and cross-border transfers, so the record has to show not only that consent was given but for what, under which notice, and through which channel.
Build consent capture in Make.com so every record is timestamped, stored, and searchable. The workflow should:
- Trigger on onboarding form submission
- Write a consent record to a dedicated table with the employee ID, consent type, date, version of the privacy notice shown, and the channel used to collect it
- Send a confirmation email with a plain-language summary of what the employee agreed to
- Create a task to review and re-obtain consent whenever the privacy notice is updated
Withdrawal automation matters equally. When an employee withdraws consent for a non-essential processing activity, Make.com should flag affected systems, pause the relevant workflows, and generate a timestamped withdrawal record. The gap between withdrawal and actual cessation of processing is where enforcement actions originate.
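As an added illustration of the consent ledger these steps describe (example code written for this article, not Make.com's or any vendor's), the Python below keeps an append-only event log, derives the current state by replay, refuses to treat a grant made under an older privacy notice as valid, and produces the re-consent list the quarterly audit in step 9 needs. The employee IDs, purpose tags, notice version numbers and channel names are hypothetical, and the sample events are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable row in the consent log."""
    employee_id: str
    purpose: str            # hypothetical purpose tag, e.g. "wellness_program"
    action: str             # "granted" or "withdrawn"
    notice_version: int     # version of the privacy notice shown at capture
    channel: str            # hypothetical channel, e.g. "onboarding_form"
    at: datetime            # timezone-aware capture time


class ConsentLedger:
    """Append-only: nothing is ever edited or deleted; state is derived by replay."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def grant(self, employee_id: str, purpose: str, notice_version: int,
              channel: str, at: Optional[datetime] = None) -> None:
        self._append(employee_id, purpose, "granted", notice_version, channel, at)

    def withdraw(self, employee_id: str, purpose: str, channel: str,
                 at: Optional[datetime] = None) -> None:
        # Record which notice version the withdrawn grant was given under.
        latest = self._latest(employee_id, purpose)
        version = latest.notice_version if latest else 0
        self._append(employee_id, purpose, "withdrawn", version, channel, at)

    def _append(self, employee_id, purpose, action, notice_version, channel, at) -> None:
        ts = at or datetime.now(timezone.utc)
        if ts.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(ConsentEvent(employee_id, purpose, action,
                                         notice_version, channel, ts))

    def _latest(self, employee_id: str, purpose: str) -> Optional[ConsentEvent]:
        hits = [e for e in self._events
                if e.employee_id == employee_id and e.purpose == purpose]
        return max(hits, key=lambda e: e.at) if hits else None

    def processing_permitted(self, employee_id: str, purpose: str,
                             current_notice_version: int) -> bool:
        """Permitted only if the newest event is a grant under the current notice."""
        latest = self._latest(employee_id, purpose)
        return (latest is not None and latest.action == "granted"
                and latest.notice_version == current_notice_version)

    def reconsent_needed(self, current_notice_version: int) -> list[tuple[str, str]]:
        """(employee, purpose) pairs whose live grant predates the current notice."""
        newest: dict[tuple[str, str], ConsentEvent] = {}
        for e in self._events:
            key = (e.employee_id, e.purpose)
            if key not in newest or e.at > newest[key].at:
                newest[key] = e
        return sorted(k for k, e in newest.items()
                      if e.action == "granted"
                      and e.notice_version < current_notice_version)

    def evidence(self, employee_id: str, purpose: str) -> list[dict]:
        """Full history for one employee and purpose, in the form you would hand over."""
        return [{**vars(e), "at": e.at.isoformat()} for e in self._events
                if e.employee_id == employee_id and e.purpose == purpose]


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample events, not real records."""
    def utc(s: str) -> datetime:
        return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

    led = ConsentLedger()
    led.grant("E1001", "wellness_program", 2, "onboarding_form", utc("2024-03-01T09:00"))
    led.grant("E1002", "wellness_program", 2, "onboarding_form", utc("2024-03-02T09:00"))
    led.withdraw("E1002", "wellness_program", "hr_portal", utc("2024-06-10T14:30"))
    led.grant("E1003", "wellness_program", 1, "onboarding_form", utc("2023-11-20T09:00"))
    return led


if __name__ == "__main__":
    ledger = build_sample_ledger()
    for emp in ("E1001", "E1002", "E1003"):
        print(emp, ledger.processing_permitted(emp, "wellness_program", 2))
    print("re-consent needed:", ledger.reconsent_needed(2))
```

The design point is that `processing_permitted` is the only thing downstream workflows consult: a withdrawal or a notice update flips it to False immediately, which closes the gap between withdrawal and cessation, and `evidence` hands a regulator the whole chain rather than a current-state flag.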
For teams building these flows from scratch, the non-technical HR automation guide covers the Make.com setup without requiring a developer.
5. Configure Data Retention Schedules in Your HRIS — and Enforce Them
Both GDPR (Article 5(1)(e), storage limitation) and PIPL (Article 19) require that personal data be kept no longer than necessary for the purpose it was collected for. Most HRIS platforms include retention configuration settings; many HR teams have never opened them.
Start with a retention matrix that lists each data category, the legal or business retention requirement, and the action taken when the period expires — deletion, anonymization, or transfer to archive. Common categories and their retention drivers:
- Payroll records — US federal rules require at least 3 years under the FLSA and 4 years for employment tax records under IRS guidance, so the 7-year figure many employers use is a conservative practice rather than a statutory minimum; HMRC requires PAYE records for 3 years from the end of the tax year they relate to; EU member states vary, with most falling between 3 and 10 years
- I-9 and right-to-work documents — 3 years from hire date or 1 year after termination, whichever is later (US); equivalent checks under UK and EU rules have separate timelines
- Health and disability records — stored separately from personnel files; jurisdiction-specific rules apply and legal review is required before setting retention periods
- Recruitment data for unsuccessful candidates — 6 months to 1 year is standard in the EU; document your basis if you retain beyond that window
Configure retention periods in your HRIS, then build a Make.com scenario that runs monthly, queries records approaching their end date, and routes them to the appropriate action — deletion request, legal hold review, or manager notification. Required field validation catches entry errors; automated retention enforcement catches the expiration failures that manual processes miss entirely.
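The monthly sweep described above, as an added Python example (written for this article, not HRIS or Make.com code): it computes each record's expiry from a small retention matrix, applies the I-9 "whichever is later" rule for leavers, refuses to auto-delete anything under legal hold, and fails loudly on a category with no configured rule rather than silently retaining it forever. The field names, the 7-year payroll period and the 180-day stand-in for "6 months" are example choices, not statutory minimums, and the sample records are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Record:
    """One HR record as the sweep sees it (field names are hypothetical)."""
    record_id: str
    employee_id: str
    category: str                      # key into the retention rules below
    start_date: date                   # hire date, or application date for applicants
    end_date: Optional[date] = None    # termination date; None while still employed
    legal_hold: bool = False           # set by Legal; blocks deletion


# Example periods. The 7-year payroll figure is a conservative choice for this
# example, not a statutory minimum; 180 days stands in for "6 months".
PAYROLL_YEARS_AFTER_TERMINATION = 7
I9_YEARS_AFTER_HIRE = 3
I9_YEARS_AFTER_TERMINATION = 1
UNSUCCESSFUL_APPLICANT_DAYS = 180


def add_years(d: date, years: int) -> date:
    """Same calendar date N years on; 29 February rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def expiry_date(rec: Record) -> Optional[date]:
    """End of the retention period, or None if the clock has not started yet."""
    if rec.category == "payroll":
        if rec.end_date is None:
            return None
        return add_years(rec.end_date, PAYROLL_YEARS_AFTER_TERMINATION)
    if rec.category == "i9":
        # 3 years from hire or 1 year after termination, whichever is later.
        # Until termination the later date is unknown, so nothing expires.
        if rec.end_date is None:
            return None
        return max(add_years(rec.start_date, I9_YEARS_AFTER_HIRE),
                   add_years(rec.end_date, I9_YEARS_AFTER_TERMINATION))
    if rec.category == "recruitment_unsuccessful":
        return rec.start_date + timedelta(days=UNSUCCESSFUL_APPLICANT_DAYS)
    # Health and disability records are deliberately absent: they need a
    # jurisdiction-specific period from Legal. Fail loudly rather than
    # silently keeping (or deleting) a category nobody configured.
    raise ValueError(f"no retention rule configured for category {rec.category!r}")


def sweep(records: list[Record], today: date,
          horizon_days: int = 30) -> list[tuple[str, str]]:
    """Route each record to delete / legal_hold_review / notify_manager, or skip it."""
    actions: list[tuple[str, str]] = []
    for rec in records:
        due = expiry_date(rec)
        if due is None:
            continue
        if due <= today:
            # Never auto-delete under hold; a person decides when the hold lifts.
            actions.append((rec.record_id,
                            "legal_hold_review" if rec.legal_hold else "delete"))
        elif (due - today).days <= horizon_days:
            actions.append((rec.record_id, "notify_manager"))
    return actions


def sample_records() -> list[Record]:
    """Constructed sample data, not real employees."""
    return [
        Record("R1", "E10", "payroll", date(2010, 5, 3), date(2017, 6, 30)),
        Record("R2", "E11", "payroll", date(2010, 5, 3), date(2017, 6, 30), legal_hold=True),
        Record("R3", "E12", "i9", date(2021, 12, 1), date(2024, 2, 5)),
        Record("R4", "E13", "i9", date(2020, 1, 15)),              # still employed
        Record("R5", "E14", "payroll", date(2022, 9, 1)),          # still employed
        Record("R6", "A77", "recruitment_unsuccessful", date(2024, 6, 20)),
        Record("R7", "E15", "payroll", date(2023, 3, 1), date(2024, 2, 29)),  # leap-day leaver
    ]


def run_sample_sweep() -> list[tuple[str, str]]:
    """The sweep as of a fixed date, so the output is reproducible."""
    return sweep(sample_records(), date(2025, 1, 15))


if __name__ == "__main__":
    for record_id, action in run_sample_sweep():
        print(record_id, action)
```

Run it on the sample and R1 is routed to deletion, R2 (same dates, but on hold) to legal review, R3 to a manager notification because its I-9 clock is driven by the termination date rather than the hire date, and R6 to deletion; active employees produce nothing because their clock has not started. The `ValueError` on an unconfigured category is intentional: a retention job that quietly skips a category is the failure mode the matrix exists to prevent.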
6. Automate Your DSAR Response Pipeline
A Data Subject Access Request gives employees the right to know what personal data you hold, why you hold it, who you have shared it with, and how long you will keep it, and to receive a copy. GDPR gives you one month from receipt (Article 12(3)), extendable by two further months for complex or numerous requests provided you tell the requester, with the reasons, within the first month. PIPL gives you 15 days. In both cases the clock starts on the date of receipt, not on the date HR notices the request.
Manual DSAR handling — HR emails IT, IT pulls records, someone compiles a document, it sits in a queue — produces inconsistent results and blows timelines. A Make.com pipeline addresses all of that.
A functional DSAR workflow in Make.com:
- Trigger: Form submission or inbound email parsed via webhook
- Step 1: Verify the requester's identity before touching any records; a From: address is not proof of identity, so tie the request to an authenticated channel (an SSO-protected form, or a callback to the contact details already on file in the HRIS) rather than to the inbound email alone
- Step 2: Pull the employee’s data record from your HRIS via API
- Step 3: Query connected systems — payroll, benefits, ATS — for records held outside the HRIS
- Step 4: Compile and format the full data package into a structured document
- Step 5: Route to HR for review before any response leaves the organization
- Step 6: Log the request date, response date, and outcome in your compliance record
The human review step before sending is non-negotiable. Automate the data gathering; keep a qualified person on the final package. That combination cuts response time from days to hours without removing the judgment layer that DSARs require.
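An added Python example of the deadline logic behind steps 1 through 6 (written for this article, not Make.com's code), which also serves the overdue-DSAR check in step 9: it computes a GDPR deadline as the corresponding calendar date one month after receipt, clamped to the end of a shorter month, which is the convention the UK ICO describes; honors the two-month extension only if the extension notice went out before the original deadline; and uses the 15-day figure this article gives for PIPL, which is an assumption to confirm with counsel. Request IDs, field names, the 5-day alert threshold and all dates are constructed.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

GDPR_MONTHS = 1             # Article 12(3): one month from receipt
GDPR_EXTENSION_MONTHS = 2   # Article 12(3): two further months for complex cases
PIPL_DAYS = 15              # figure used in this article; assumption to confirm with counsel
DUE_SOON_DAYS = 5           # hypothetical alerting threshold


@dataclass
class Dsar:
    """One request as the tracker sees it (field names are hypothetical)."""
    request_id: str
    regime: str                          # "gdpr" or "pipl"
    received: date                       # date of receipt, not the date HR read it
    extended_on: Optional[date] = None   # date the extension notice was sent
    responded: Optional[date] = None


def corresponding_date(d: date, months: int) -> date:
    """Same calendar day N months on, clamped to the end of a shorter month
    (the convention the UK ICO describes for the one-month time limit)."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return d.replace(year=year, month=month,
                     day=min(d.day, calendar.monthrange(year, month)[1]))


def deadline(req: Dsar) -> date:
    if req.regime == "gdpr":
        base = corresponding_date(req.received, GDPR_MONTHS)
        # An extension only counts if the requester was told within the first month.
        if req.extended_on is not None and req.extended_on <= base:
            return corresponding_date(req.received, GDPR_MONTHS + GDPR_EXTENSION_MONTHS)
        return base
    if req.regime == "pipl":
        return req.received + timedelta(days=PIPL_DAYS)
    raise ValueError(f"unknown regime {req.regime!r}")


def status(req: Dsar, today: date) -> str:
    """closed, closed_late, overdue, due_soon or open."""
    due = deadline(req)
    if req.responded is not None:
        return "closed_late" if req.responded > due else "closed"
    if today > due:
        return "overdue"
    if (due - today).days <= DUE_SOON_DAYS:
        return "due_soon"
    return "open"


def exceptions_report(requests: list[Dsar], today: date) -> list[tuple[str, str, str]]:
    """What the quarterly audit should surface: late, nearly late, or answered late."""
    return [(r.request_id, deadline(r).isoformat(), status(r, today))
            for r in requests
            if status(r, today) in ("overdue", "due_soon", "closed_late")]


def sample_requests() -> list[Dsar]:
    """Constructed sample data, not real requests."""
    return [
        Dsar("D1", "gdpr", date(2025, 1, 31)),                                  # no extension
        Dsar("D2", "gdpr", date(2025, 1, 31), extended_on=date(2025, 2, 20)),   # valid extension
        Dsar("D3", "gdpr", date(2025, 2, 10), responded=date(2025, 3, 5)),      # answered in time
        Dsar("D4", "pipl", date(2025, 2, 27)),
        Dsar("D5", "gdpr", date(2025, 1, 31), extended_on=date(2025, 3, 1)),    # notice sent too late
    ]


def run_sample_report() -> list[tuple[str, str, str]]:
    """The exceptions report as of a fixed audit date, so the output is reproducible."""
    return exceptions_report(sample_requests(), date(2025, 3, 10))


if __name__ == "__main__":
    for row in run_sample_report():
        print(*row)
```

Two details carry the compliance weight. A request received on 31 January is due on 28 February, not 2 or 3 March, because the following month is shorter; and D5 shows why the extension date has to be recorded: an extension notice sent after the original deadline does not move it, so the request is simply overdue.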
7. Collect Signed Data Processing Agreements From Every Vendor Handling Employee Data
GDPR Article 28 requires a written Data Processing Agreement (DPA) with every processor that handles personal data on your behalf, and Article 28(3) sets its minimum content: the subject matter, duration, nature and purpose of the processing, the types of data and categories of data subjects, and obligations on the processor to act only on your documented instructions, keep the data secure, assist with data subject requests, delete or return the data at the end of the engagement, and flow the same terms down to any sub-processor. PIPL Article 21 imposes an equivalent requirement on entrusted processors. Both require the contract to specify the purpose of processing, the data involved, the security measures in place, and the procedures for handling subject requests.
Vendors that require DPAs in a standard HR tech stack: your HRIS, payroll processor, benefits administration platform, ATS, background check provider, and any Make.com-connected services that receive employee personal data as part of your workflows.
For each vendor in your stack:
- Confirm a signed DPA exists for your account — not just a generic policy page on their website
- Verify it covers the specific processing activities you’re using them for
- Check that sub-processor provisions are included — most enterprise HR vendors use sub-processors, and your DPA needs to cover that downstream chain
- Log the review date and set a calendar reminder to update when processing activities change
Most major HR platforms have DPA templates available through their legal or privacy teams. Request them directly. Do not assume they’re in place because you signed a master services agreement or terms of service.
8. Build and Maintain a Record of Processing Activities
Article 30 of GDPR requires a Record of Processing Activities (ROPA) from organizations with 250 or more employees, and from smaller ones whose processing is not occasional, is likely to result in a risk to individuals, or involves special category data, which in practice means almost every employer. PIPL has no ROPA as such, but Article 55 requires a personal information protection impact assessment (PIPIA) before processing sensitive personal information, entrusting processing to a third party, or transferring data outside China, and Article 56 requires the assessment report and the related processing records to be kept for at least three years.
A ROPA documents, for each processing activity:
- The name and contact details of the data controller and, where applicable, the data protection officer
- The purposes of processing
- The categories of data subjects and personal data involved
- The categories of recipients, including processors and third-country transfers
- The safeguards applied to any cross-border transfers
- Retention periods for each data category
- A general description of the technical and organizational security measures in place
The ROPA is a living document. Every new system added, every processing activity changed, every new vendor onboarded requires an update. Assign one owner — HR, Legal, or a designated privacy officer — with a quarterly review cadence built into their calendar.
The OpsMesh™ framework treats documentation as operational infrastructure, not compliance theater. The ROPA fits that model: it’s the source of truth for your entire compliance posture, and every other control in this list depends on it being accurate.
9. Run Quarterly Compliance Audits With Automated Evidence Collection
Privacy compliance doesn’t have an end date. Enforcement actions arrive years after violations. The defense that holds up is documentation showing active, ongoing compliance — not a one-time configuration exercise from 2022.
Build a quarterly audit workflow in Make.com that:
- Pulls active employee records and cross-references them against your consent log to surface any missing or expired consent records
- Checks open DSAR requests against their response deadline and flags any that are overdue
- Queries your vendor DPA tracker for agreements expiring in the next 90 days
- Generates a compliance summary report and routes it to HR leadership
- Creates a task in your project management system for any item requiring human follow-up
Log every audit run with a timestamp, the scope covered, and the findings. That audit log is your evidence trail for regulatory inquiries, acquirer due diligence, and client security reviews — all of which ask the same question: show us your compliance program is operational, not just documented.
The Make MCP for HR teams cuts the build time on these audit workflows significantly. The compliance logic — what to check, what thresholds trigger action, what a defensible record looks like — is the work. The automation is the execution layer.
Work Through These in Order
If you’re starting from zero, the sequence matters. Data mapping comes first because everything downstream — lawful basis determinations, the ROPA, retention schedules, DSAR responses — depends on knowing what data you actually process. Vendor agreements and consent workflows run in parallel once the inventory is complete. Audit infrastructure comes last, after the core compliance processes are operational.
If compliance work is already underway, use this list as a gap audit. The pattern across most HR teams: documentation requirements are covered, operational enforcement is not. Retention schedules configured but never tested. DPAs in place but not reviewed since onboarding. DSARs handled via email thread with no consistent process or audit trail.
The automation layer closes enforcement gaps the same way it closes operational gaps. HR operations running on manual processes break under compliance pressure exactly as they break under workload pressure — and the fix is identical: systematize the repeatable work so your team can focus on the judgment calls that require a human.

