GDPR Right to Rectification: Rules for HR Data Accuracy

GDPR Article 16 is one of the most operationally demanding rights in the regulation — and one of the most underbuilt in practice. Most HR teams have a process for handling subject access requests. Far fewer have a documented, end-to-end workflow for rectification: intake, verification, correction, downstream propagation, and auditable response. That gap is a compliance liability. This guide closes it.

Rectification sits at the intersection of your HR data compliance framework and your day-to-day data operations. Getting it right is not optional — and getting it wrong compounds every automated decision that follows. Before diving into the steps, review the GDPR Article 5 data processing principles that make accuracy a baseline legal obligation, not just a best practice.


Before You Start

A rectification workflow only works if its prerequisites exist. Audit these before building the process:

  • Data map: You need a complete inventory of every system that holds employee personal data — HRIS, payroll, ATS, benefits portal, learning management system, access control. Correcting one record without knowing where copies live is partial compliance at best.
  • Data Subject Request (DSR) register: A log to record every incoming rectification request, the action taken, and the date of response. This is your audit evidence.
  • Designated owner: Assign a named individual or function (typically HR Operations or the DPO) responsible for receiving and triaging rectification requests. Shared inboxes with no named owner cause delays that breach the one-month deadline.
  • Processor contracts: Confirm that agreements with third-party vendors include provisions requiring them to correct data within a timeframe that allows you to meet your GDPR obligations.
  • Time budget: Build in buffer. One month sounds long until you account for verification, system access, approvals, and employee notification. Treat Day 25 as your internal deadline.

Step 1 — Establish a Clear, Accessible Intake Channel

Employees cannot exercise a right they cannot find. Your rectification request channel must be documented, promoted, and consistently monitored.

Create a single, named intake channel — a dedicated email address, a form in your HR portal, or a formal section within your employee self-service system. Publicize it in your employee privacy notice, your onboarding materials, and your internal HR policies. Every employee should be able to answer “How do I ask HR to correct my data?” without having to search.

At intake, collect:

  • The employee’s name and employee ID
  • The specific data they believe is inaccurate or incomplete
  • The correct data they are requesting to be substituted
  • Any supporting documentation they can provide (bank statements, certificates, updated address documentation)

Log the request in your DSR register the same day it arrives. The GDPR clock starts from receipt, not from when you begin processing it. Send an automated or templated acknowledgment to the employee confirming you have received the request and stating the expected response date.


Step 2 — Verify the Identity of the Requestor

Before acting on any rectification request, confirm the requestor is who they claim to be. This step protects the employee whose data you hold — correcting data on the instruction of an unauthorized party is itself a data breach.

For internal employees, identity verification is typically straightforward: cross-reference the request against the employee’s work email, employee ID, or authenticated HR portal login. For former employees submitting requests post-termination, require additional verification such as a copy of a government-issued ID or the last four digits of their employee ID combined with a former work email confirmation.

Document the verification step in your DSR register. Note what was verified and how. If identity cannot be confirmed, do not process the request — communicate the issue to the requestor in writing and explain what documentation is needed.


Step 3 — Assess the Validity of the Rectification Claim

Not every request results in a correction. HR must make a documented determination about whether the data is genuinely inaccurate, incomplete, or simply disputed on subjective grounds.

Three categories require different responses:

  • Factual error: The data was always wrong — a transposed digit in a bank account number, a misspelled name, an incorrect date of birth. Correct it. Document the source of the error if known.
  • Changed circumstance: The data was accurate when collected but is now outdated — an old home address, a changed bank account, a name change following marriage. Correct it. Note the effective date of the change.
  • Disputed opinion or judgment: The employee disputes a performance rating, a manager’s documented assessment, or a disciplinary record that reflects accurately documented events. This is not a factual error. The appropriate resolution is to attach a supplementary statement from the employee to the record — not to alter the original data. Communicate this clearly to the employee in writing.

If the claim is valid, proceed to Step 4. If you are refusing the request — in whole or in part — document your reasoning thoroughly. You have one month from receipt to communicate a refusal in writing, including the employee’s right to complain to a supervisory authority.


Step 4 — Correct the Data Across All Systems

This is the most commonly incomplete step in HR rectification workflows. Correcting the HRIS record and closing the ticket is not compliance. It is the beginning of compliance.

Pull your data map from the prerequisites step. For every system that holds a copy of the data being corrected, execute the correction. This typically includes:

  • Core HRIS (source of record)
  • Payroll system
  • Benefits administration platform
  • Applicant tracking system (if the employee’s pre-hire record is still retained)
  • Learning management system
  • Access control or identity management systems
  • Any third-party processors identified in your vendor contracts

For third-party processors, issue a formal correction instruction in writing and record it. Their contract should require them to confirm completion within a defined timeframe. Processor accountability of exactly this kind is one of the essential HR data security practices your vendor agreements must enforce.

Gartner’s data governance research consistently identifies incomplete propagation — correcting a master record without updating downstream copies — as the leading cause of data integrity failures in enterprise HR environments. Build propagation confirmation into your rectification checklist before marking any request resolved.


Step 5 — Notify Third Parties of the Correction

GDPR Article 19 requires that, where a controller has disclosed personal data to third parties, they must communicate any rectification to each recipient — unless doing so is impossible or involves disproportionate effort. In HR, this is rarely disproportionate. Your vendor relationships are documented, and the correction instruction is a standard communication.

Identify every third party that received the now-corrected data. Issue correction notifications to:

  • Payroll bureaus or outsourced payroll providers
  • Benefits insurers or brokers who received the affected data
  • Pension administrators
  • Background screening vendors who retain pre-hire records (subject to your HR data retention policy)
  • Any government bodies notified using the original data (e.g., tax authorities holding an incorrect National Insurance (NI) or Social Security (SSN) number)

Log each notification in your DSR register: recipient name, date sent, and confirmation of receipt where obtainable. If an employee requests a list of third parties to whom their corrected data was communicated, you are obligated under Article 19 to provide it.


Step 6 — Respond to the Employee in Writing

Close every rectification request with a formal written response to the employee. This is not optional, and a verbal confirmation does not satisfy GDPR’s documentation requirements.

The written response must include:

  • Confirmation that the correction has been made (or a clear explanation of why it was refused)
  • A description of the data that was corrected and in which systems
  • The date on which corrections were completed
  • For partial corrections or refusals: the specific reason, and information about the employee’s right to complain to the relevant supervisory authority (e.g., the ICO in the UK, or the lead supervisory authority under GDPR)

Send this response within one calendar month of the original request. If a two-month extension was necessary and notified, send the final response within that extended deadline without fail. Record the date sent in your DSR register and retain the response document.


Step 7 — Update Your DSR Register and Close the Record

Once corrections are complete and the employee response is sent, finalize your DSR register entry. A complete record includes:

  • Date request received
  • Nature of the inaccuracy alleged
  • Verification method used
  • Determination made (correct, refuse, partial/supplementary statement)
  • Systems corrected and dates
  • Third parties notified and dates
  • Date of employee response
  • Any extension notifications sent and the reason for extension

This register is your primary defense during a regulatory audit. A supervisory authority investigating a complaint will ask to see this record. McKinsey’s research on organizational data governance identifies documentation completeness — not the absence of errors — as the distinguishing factor between organizations that pass regulatory reviews and those that face enforcement action. Run periodic HR data audits for compliance to verify your register is current and entries are complete.


How to Know It Worked

A compliant rectification process produces specific, verifiable outputs. Check these after every request:

  • Consistent data across systems: Pull the employee’s record from every system on your data map. The corrected data point should be identical across all of them.
  • Complete DSR register entry: Every field in the register is populated for the request. No blank fields in the resolution columns.
  • Written response on file: A copy of the response sent to the employee is retained and datestamped.
  • Third-party confirmation: At least an outbound notification to every relevant processor is logged; inbound confirmation is retained where received.
  • Deadline met: Response date minus receipt date is 30 days or fewer (or within the extended deadline with a documented extension notice).
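As an added example (not code from the original article), the five checks above as a Python audit of a DSR register entry. The register fields, system names, recipients and dates are constructed sample data, and treating the two-month extension as 60 days is an assumption.

```python
# Added example, not from the article: audit a closed rectification request
# against the "How to Know It Worked" checks. All values are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

@dataclass
class RectificationRecord:            # mirrors the Step 7 DSR register entry
    received: date
    inaccuracy: str
    verification_method: str
    determination: str                # "correct", "refuse" or "partial"
    corrected_value: str
    system_values: Dict[str, str]     # system on the data map -> value it now holds
    third_parties_notified: Dict[str, date]
    response_sent: Optional[date] = None
    extension_notified: Optional[date] = None  # extension notice date, if sent

def audit_record(rec: RectificationRecord, data_map, recipients) -> List[str]:
    """Return findings; an empty list means the request can be closed."""
    findings = []
    for system in data_map:           # 1. identical value in every system
        if rec.system_values.get(system) != rec.corrected_value:
            findings.append(f"{system}: still holds {rec.system_values.get(system)!r}")
    for name in ("inaccuracy", "verification_method", "determination", "response_sent"):
        if not getattr(rec, name):    # 2. no blank register fields
            findings.append(f"register field {name!r} is blank")
    for recipient in recipients:      # 3. outbound Article 19 notification logged
        if recipient not in rec.third_parties_notified:
            findings.append(f"{recipient}: no notification logged")
    if rec.response_sent:             # 4. 30 days, or 30 + 60 if an extension notice
        limit = 30                    #    went out before day 30 (60-day figure is an assumption)
        if rec.extension_notified and (rec.extension_notified - rec.received).days < 30:
            limit += 60
        elapsed = (rec.response_sent - rec.received).days
        if elapsed > limit:
            findings.append(f"response took {elapsed} days, limit {limit}")
    return findings

DATA_MAP = ["HRIS", "Payroll", "Benefits"]
RECIPIENTS = ["Payroll bureau", "Pension administrator"]

def sample_record(complete: bool) -> RectificationRecord:
    # Constructed sample: a bank-detail correction, fully or only partly propagated.
    t0, new, old = date(2024, 3, 1), "IBAN-NEW-PLACEHOLDER", "IBAN-OLD-PLACEHOLDER"
    rec = RectificationRecord(
        received=t0, inaccuracy="transposed digits in bank account number",
        verification_method="authenticated HR portal login", determination="correct",
        corrected_value=new, system_values={s: new for s in DATA_MAP},
        third_parties_notified={r: t0 + timedelta(days=6) for r in RECIPIENTS},
        response_sent=t0 + timedelta(days=7))
    if not complete:
        rec.system_values["Payroll"] = old                # propagation missed
        del rec.third_parties_notified["Pension administrator"]
        rec.response_sent = t0 + timedelta(days=35)       # late, no extension notice
    return rec
```

Running `audit_record(sample_record(False), DATA_MAP, RECIPIENTS)` reports the missed payroll update, the missing pension notification and the late response, which is exactly the state in which a request must not be closed.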

Quarterly, review the DSR register in aggregate. Look for patterns: recurring data types that generate rectification requests (bank details, addresses, health records), recurring sources of error (manual data entry, system migration, vendor file imports). Patterns are process failures. Address the root cause, not just the individual requests.


Common Mistakes and How to Avoid Them

Correcting Only the Primary System

This is the most frequent rectification failure. HR updates the HRIS, marks the ticket resolved, and leaves the same wrong data in payroll, benefits, and the ATS. Every downstream system that ingests employee data at onboarding creates a copy. Each copy must be corrected. Build a system-by-system checklist into your standard operating procedure and make completion of that checklist the condition for closing any request.

Treating the Request as Closed Before the Employee Is Notified

Correcting the data without sending the written confirmation to the employee is a compliance failure even if the data is now accurate. The GDPR obligation includes communication. Do not close the DSR register entry until both the correction and the employee notification are complete.

Altering Documented Opinions or Performance Records

When an employee disputes a performance rating or disciplinary note, the instinct is sometimes to soften or revise the record to avoid conflict. Doing so on grounds other than factual inaccuracy undermines the integrity of your HR records, creates inconsistency in how ratings are applied, and sets a precedent that invites further challenges. The correct response is a supplementary statement. Document this boundary clearly in your rectification policy.

Missing the One-Month Deadline Without Notice

A late response with no extension notification is an automatic violation. If complexity or volume makes the one-month deadline unachievable, send the extension notification — and the reason — before Day 30. Calendar reminders at Day 20 and Day 25 for every open request are a minimum control.

Failing to Distinguish Rectification from Erasure

Some employees submit what they describe as a rectification request when they actually want data deleted — particularly for records of disciplinary proceedings or medical conditions. Rectification and erasure are separate rights with separate criteria. Do not process an erasure as a rectification. Review the right to erasure workflow for HR and route requests to the correct process.

No Proactive Data Quality Controls

A reactive-only rectification process means you are always behind inaccuracies that have already entered your systems. Inaccurate data flowing into automated HR tools — compensation models, performance scoring, scheduling systems — compounds before it is caught. Forrester’s research on data quality economics shows that the cost of correcting inaccurate data multiplies the longer it remains in operational systems. Implement self-service employee data review portals, conduct onboarding data verification steps, and run periodic data accuracy checks against your source of record. The goal is to build a data privacy culture in HR where accuracy is a continuous practice, not an emergency response.


Rectification and Automated HR Decision-Making

The interaction between rectification rights and automated HR tools deserves direct attention. As HR teams deploy algorithmic tools for shortlisting, compensation benchmarking, performance scoring, and scheduling optimization, the accuracy of the data those tools consume becomes a compliance input, not just a quality preference.

GDPR Article 22 governs automated decision-making and profiling. If an employee demonstrates that a decision significantly affecting them — a compensation outcome, a promotion decision, a shortlisting exclusion — was based on data they had already identified as inaccurate and submitted a rectification request for, the organization faces compounded liability. The rectification obligation and the automated decision-making safeguard reinforce each other: accurate inputs are the precondition for defensible automated outputs.

Practically, this means that when a rectification request is received, HR must assess whether the data in question is currently feeding any automated process. If it is, flag the active process to pause or flag the affected output for human review until the correction is made and propagated. This is not an edge case. Payroll data, job title classifications, and performance scores are among the most common inputs to HR analytics tools — and among the most common subjects of rectification requests.

For a broader view of how to build oversight into automated HR decision workflows, the parent pillar on HR data compliance covers the structural controls that make AI governance defensible.


Building Proactive Accuracy: Reducing Rectification Volume

The best rectification process is one that handles fewer requests because data accuracy is maintained proactively. SHRM research on HR technology adoption identifies self-service portals that allow employees to review and update their own demographic and contact data as one of the highest-ROI investments in HR data management — reducing administrative burden while improving data quality simultaneously.

Implement these upstream controls to reduce inbound rectification volume:

  • Onboarding data verification: Have employees confirm the accuracy of their own records within the first 30 days of employment, before that data is propagated to downstream systems.
  • Annual data accuracy review: Prompt all employees once per year to review and flag their personal data held in the employee self-service system. Treat flagged items as informal rectification requests and resolve them through your standard workflow.
  • Data entry automation: Where HR data moves between systems, use automated transfers rather than manual re-entry. Parseur’s research on manual data entry costs identifies transcription error as the primary driver of data inaccuracy in administrative workflows — the same mechanism that produces the $27K payroll error David experienced when ATS-to-HRIS data was re-entered manually.
  • Integration validation rules: Configure your HRIS integrations to flag data that fails format validation — impossible dates, non-numeric fields in numeric columns, duplicate employee IDs — at the point of entry rather than after the data has propagated.

An HR data privacy audit conducted annually will surface systemic data quality issues before they generate rectification requests at scale. Treat the audit findings as process improvement inputs, not compliance checkboxes.