Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
Every organization wants to be trusted by consumers. But how many stop to ask whether their own employees can trust them?
When organizations think about the EU General Data Protection Regulation and data protection, attention is often focused on service users or customers. Yet, beyond the health care sector, one department quietly holds the most sensitive information of all — human resources.
Too often, that sensitive information is treated as an afterthought. To change that, we need to be willing to question, challenge and inspire — and that starts with culture.
Organizations with mature data protection programs often overlook their own employees. This is not a finger-pointing exercise. We are all human. We make assumptions and focus on what feels most urgent, especially when juggling priorities.
Highest-risk data
I have been teaching courses on data protection in HR and recruitment in recent months, a topic that feels natural to me as a former HR manager turned data protection professional. Many attendees come from organizations that pride themselves on compliance and trust. They often have implemented privacy notices for customers and other mechanisms required under the EU General Data Protection Regulation, but when I ask about employee or candidate data, there is a pause.
It is rarely deliberate neglect, but rather an organizational blind spot. HR can be seen as separate from the rest of the compliance effort, yet this is where some of the highest-risk data lives.
Employee data is deeply personal. It includes information about health, ethnicity, family, background checks and grievances. When mishandled, the impact is human as much as legal, leading to embarrassment, distress or discrimination. Laws exist to protect people, and we need to bring the human element back into data protection.
The GDPR is about compliance, ethics and respect. It's in the first principle of lawfulness, fairness and transparency. Ethics are not optional; they are built into the law.
We have seen what happens when this is ignored. Interserve was fined 4.4 million GBP after a cyber incident exposed data belonging to more than 100,000 employees. France's data protection authority, the Commission Nationale de l'Informatique et des Libertés, fined a software company 40,000 euros in 2024 for excessive employee monitoring, after finding staff were tracked through screenshots and activity logs.
These failings are usually not malicious. They come from misunderstanding, lack of knowledge or lack of privacy culture.
Beyond ethics, the legal and reputational risks are significant. Under the GDPR, organizations must identify lawful bases for processing, meet the additional conditions for handling special category data and set proportionate retention periods. In the U.K., organizations must also maintain an appropriate policy document.
Around the world, HR data continues to receive less attention than customer data, even where employment laws and expectations differ. In the U.S., for instance, the California Privacy Protection Agency recently fined Tractor Supply Company USD 1.35 million under the California Consumer Privacy Act for breaches that included the mishandling of job-applicant data.
Data from the U.K. Information Commissioner's Office tells an even clearer story. In 2023, there were just over 3,200 employee-related breach reports, rising to nearly 3,700 in 2024. Mid-year figures for 2025 already stand at 1,842. Of these, more than half each year were non-cyber incidents — 1,695 in 2023, 2,006 in 2024 and 1,077 in the first half of 2025. That means most breaches come not from external attacks but from internal error or weak process.
The number of employee-related breaches sits head-to-head with those involving customer or service-user data. In other words, the risks inside the organization are just as significant as those outside. This shows technology alone cannot fix the problem. The real work lies in culture, awareness and accountability.
Strong privacy practice in HR
There is an irony in how some organizations handle trust. Many put effort into convincing customers their data is safe but fail to show the same care to employees. When staff don't trust how their data is managed, mistrust seeps into culture. People become cautious about accessing wellbeing services, reporting health issues or raising concerns if they fear their information will be shared too widely, kept indefinitely, or isn't as protected as it should be.
Complaints grow when trust breaks down, especially when staff assume information is confidential only to find it was circulated without consent or a lawful basis.
This is not about encouraging people to complain. It is about creating an environment where they do not feel they need to. One where employees trust their organization to listen, act fairly and treat their information with respect — both while they are there and long after they leave.
How an organization handles someone's data is often remembered more clearly than how they handled their employment. If this is done right while an individual is employed, an organization protects both its people and its reputation long after that employee has moved on.
Strong privacy practice in HR forms the first line of defense in protecting personal information. It is where people's journeys begin — through recruitment, onboarding and everyday employment — and it is where trust is either built or eroded. Embedding privacy in HR sends a powerful message about organizational values. It says people are respected not only as employees, but as individuals with a right to privacy.
The gaps are clear. HR projects often launch without data protection or privacy impact assessments. Privacy notices are buried in handbooks or written in legal language few understand. Records of processing are incomplete, and oversharing remains common, with sickness reports copied too widely or personal documents left in shared folders.
I am not suggesting every organization falls short, or that other departments have it all figured out. HR deserves the same attention and respect as any other area handling stakeholder data. Organizations already doing that should be proud.
Building privacy into everyday processes
If gaps exist, they can be fixed. HR teams need training that reflects their reality, not generic e-learning. Privacy should be built into everyday processes, with checks during recruitment and onboarding to ensure only necessary data is collected and shared. Processing should be mapped and recorded properly.
HR should be treated as the high-risk area it is, not an afterthought. Privacy notices should be written in plain language and tested with staff. Most importantly, HR, IT and data protection teams must work together. Privacy is everyone's responsibility, but HR must be part of the conversation.
When we speak about privacy by design and by default, we need to mean it. It starts with recognizing employees as important data subjects and HR leads as key stakeholders within the privacy team. That recognition must translate into practice, by giving employee data the same level of respect as service user information and involving HR leads in privacy planning, data protection impact assessments and policy development from the outset.
Organizations should take a step-by-step approach:
- Ensure leadership and the privacy team have appropriate training and expertise. Culture starts from the top, and privacy is not always a full-time role for those involved in governance.
- Map employee data flows with the same rigor as service user data.
- Record all processing, ensuring it is reflected in policies and privacy notices and embedded into everyday working practices.
- Assess monitoring and workforce tools for fairness and proportionality, with clear escalation routes so concerns are identified early rather than emerging through complaints or incidents.
- Step back and review policies and processes through an employee lens. Reading policies as an employee, rather than as a compliance professional, often exposes gaps that would otherwise be missed.
- Finally, actively seek feedback from employees themselves.
Taken together, these steps move privacy by design from a policy principle into something employees can see, understand and trust.
Laura Palmariello, AIGP, CIPP/E, is a data protection consultant, trainer and speaker, working across health and care, charities, education and the private sector in Europe.