Last Reviewed: April 2026 | Fact-checked against ICO, ACAS, and HMRC guidance.
How We Assessed These Platforms
We assessed platforms against criteria specific to UK employers: transparent UK pricing, Employment Rights Act 1996 compliance features, GDPR data handling and UK data residency, auto-enrolment support, absence and holiday management under Working Time Regulations 1998, G2 and Capterra ratings above 4.0 from verified UK reviewers, UK-based customer support availability, and integration with HMRC-recognised payroll tools. Platforms without publicly available UK pricing were noted separately from those with accessible pricing tiers.
Author: Chandraketu Tripathi, reviewed by the kaeltripton.com editorial team.
TL;DR: Every UK employer using HR software is a data controller. Your HR software provider is a data processor. UK GDPR places clear legal obligations on this relationship, including a mandatory Data Processing Agreement, restrictions on transferring employee data outside the UK unless adequacy regulations or an appropriate safeguard apply, and a 72-hour window for notifying the ICO of reportable breaches. This guide explains exactly what you must check before implementing any HR software platform.
- 5.5 million small businesses in the UK — 99% of all businesses (ONS, 2024)
- Average unfair dismissal award: £11,316 (Ministry of Justice, 2024)
- UK GDPR Article 30 (records of processing) applies in practice to almost every employer: the under-250-employee exemption in Article 30(5) does not cover processing that is regular rather than occasional or that includes special category data, and employee data processing is both
- Auto-enrolment duties apply from your first eligible hire
How This Guide Was Prepared
This guide is based on ICO UK GDPR guidance for employers, the Data Protection Act 2018, ICO enforcement notices and penalty decisions relating to HR data, and CIPD guidance on data protection in the workplace. No vendor paid to be featured. Legal references are accurate as of April 2026; the ICO publishes updated guidance regularly and the authoritative source is always ico.org.uk.
Why Most HR Software Lists Get It Wrong on GDPR for UK Businesses
The majority of HR software comparison articles treat GDPR compliance as a checkbox item, a yes-or-no feature listed alongside holiday tracking and payroll integration. This fundamentally misrepresents the legal position. GDPR compliance in an HR software context is not a feature the vendor provides to you; it is a legal framework that governs the relationship between you as data controller and the vendor as data processor.
A vendor can claim to be GDPR compliant while storing your employee data on servers in Virginia, without a signed Data Processing Agreement, and with no documented breach notification process. That claim is meaningless. What matters is the specific contractual and operational arrangements in your individual deployment, not a generic compliance badge on a marketing page.
This matters more for HR software than for almost any other software category because HR systems hold the most sensitive employee personal data: salary information, sickness records, disciplinary notes, right to work documents, and in some cases, special category data including disability status or pregnancy (ICO, 2024).
For broader context on HR software selection, see our best HR software UK guide, and for a step-by-step procurement framework see our how to choose HR software UK guide.
The Controller-Processor Distinction: Your Legal Starting Point
Under UK GDPR (the EU GDPR as retained in UK law after Brexit and supplemented by the Data Protection Act 2018), an employer processing employee personal data is a data controller: the party that determines the purposes and means of processing. The HR software provider is a data processor: the party that processes data on the controller's behalf.
This distinction has significant practical consequences. The data controller, the employer, is primarily responsible for compliance. If an HR software provider suffers a data breach or misuses employee data, the ICO can and does take enforcement action against the employer as controller as well as, or instead of, the processor. The ICO's position is clear: "You remain responsible for making sure the processing meets the UK GDPR's requirements, even when you appoint a processor" (ICO, 2024).
The financial consequence of this position is real. ICO fines for data protection failures can reach the higher of £17.5 million or 4% of global annual turnover for the most serious infringements, and £8.7 million or 2% for other infringements under the UK GDPR tiered structure. While fines at this scale are reserved for the most serious failures, the ICO does issue enforcement notices and reprimands to small and medium employers for HR data processing failures.
The Data Processing Agreement: Non-Negotiable Before Go-Live
UK GDPR Article 28 requires that processing by a processor is governed by a contract (or other legal act), in practice a Data Processing Agreement (DPA). This is not optional. Entering employee personal data into an HR system without a signed DPA is a UK GDPR violation from day one, regardless of the platform's other compliance credentials.
A compliant DPA must specify: the subject matter, duration, nature, and purpose of the processing; the type of personal data and categories of data subjects; the obligations and rights of the controller; and a requirement that the processor only acts on documented instructions from the controller. It must also require the processor to bind its staff to confidentiality, implement appropriate technical and organisational security measures, engage sub-processors only with the controller's prior authorisation and under equivalent terms, assist the controller in meeting data subject rights and in breach notification, delete or return all data on termination, and provide all information necessary to demonstrate compliance, including allowing audits (ICO, 2024).
In practice: reputable HR software vendors provide a pre-drafted DPA as a standard contract document. If a vendor cannot produce a DPA on request within 24 hours, or argues that their standard terms of service are sufficient without a separate DPA, treat this as a significant compliance red flag and do not proceed.
HR Software GDPR Compliance: Key Criteria Comparison
| Compliance Criterion | What to Check | Why It Matters | ICO Reference |
|---|---|---|---|
| Data Processing Agreement | Provided before go-live, signed by both parties | Legally required under Article 28; without it, processing is unlawful from day one | Article 28 UK GDPR |
| Data residency | Storage and processing locations (including sub-processors) confirmed in writing | Transfers outside the UK need adequacy regulations (the EEA is covered) or an appropriate safeguard such as the ICO's IDTA or UK Addendum to the EU SCCs | Chapter V UK GDPR |
| Record of Processing Activities | System supports ROPA documentation for employee data | Required under Article 30; the small-organisation exemption in Article 30(5) rarely covers employment data; audit trail in case of ICO investigation | Article 30 UK GDPR |
| Data subject access requests | Platform supports DSAR response within one calendar month | Employees have the right to access their personal data; one-month response is statutory | Article 15 UK GDPR |
| Breach notification process | Vendor has documented process and a contractual duty to notify the employer without undue delay, ideally within a fixed number of hours | Your 72-hour clock for notifying the ICO starts when you become aware of a reportable breach, which in practice is when the vendor tells you; slow processor notification eats into it | Articles 33(1) and 33(2) UK GDPR |
| Data deletion on termination | Contract specifies data return or deletion within defined period | Prevents residual data risk; required by Article 28(3)(g) | Article 28 UK GDPR |
Data Residency: UK vs EEA vs Non-EEA
UK GDPR permits the transfer of personal data to countries covered by UK adequacy regulations without additional safeguards. The EEA is covered, and the UK in turn benefits from an EU adequacy decision for data flowing the other way; that EU decision is subject to periodic review, so verify its status rather than assume it (as of April 2026). Transfers to countries without adequacy regulations require an appropriate safeguard: for UK transfers this means the ICO's International Data Transfer Agreement (IDTA), the UK Addendum to the EU standard contractual clauses (SCCs), or binding corporate rules, together with a transfer risk assessment. For the United States specifically, the UK Extension to the EU-US Data Privacy Framework (the "UK-US data bridge", in force since October 2023) allows transfers to US organisations certified under it without further safeguards; check the vendor's certification and the bridge's current status.
Many HR software vendors, particularly US-origin platforms, process data on servers in the United States even when they have UK or European marketing operations. This is not inherently unlawful if the correct transfer mechanism is in place, typically the IDTA or UK Addendum incorporated into the DPA, or reliance on the data bridge. However, the employer as data controller must verify that the mechanism exists and is documented, not simply assume it is in place because the vendor operates in the UK market.
Ask every HR software vendor: where, specifically, is employee data stored and processed, including by sub-processors and support staff? On what legal basis is any international transfer made? Is a transfer risk assessment available for transfers that rely on the IDTA or UK Addendum? A vendor that cannot answer these questions clearly is not demonstrating the transparency that UK GDPR requires.
Special Category Data in HR Software
UK GDPR Article 9 identifies special categories of personal data that require additional protection: health data (including sickness absence records), data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data used for identification, and data concerning sex life or sexual orientation. Criminal offence data is not a special category but is treated similarly under Article 10 and the Data Protection Act 2018, so DBS check results and convictions declared on right to work or vetting forms need their own condition. Most HR systems inevitably process at least some special category data: sickness absence records are health data, and disability adjustments recorded for performance management purposes are health data.
Processing special category data requires both a lawful basis under Article 6 and an additional condition under Article 9. For HR purposes, the most commonly applicable Article 9 conditions are: necessity for employment law obligations (Article 9(2)(b), which under DPA 2018 Schedule 1 also requires an appropriate policy document); necessity for occupational medicine or assessment of working capacity (Article 9(2)(h)); and explicit consent (Article 9(2)(a)), although the ICO cautions that consent is rarely freely given in the employment relationship because of the imbalance of power, so it should not be the default condition (ICO, 2024). Ensure your HR system's DPA and privacy notice address special category data specifically; a generic DPA that does not acknowledge special category data is insufficiently detailed for HR software with sickness management functionality.
Employee Rights and HR Software: Practical Implications
UK GDPR gives employees a range of rights over their personal data that HR software must be capable of supporting. The right of access, exercised through a Data Subject Access Request, requires the employer to provide copies of all personal data held about the employee within one calendar month (Article 15), extendable by up to two further months only where the request is complex or numerous and the employee is told within the first month. HR software that cannot generate a complete employee data export on demand creates a DSAR response risk. The right to rectification (Article 16) requires correction of inaccurate personal data. The right to erasure (Article 17) applies in limited circumstances for employee data but is relevant for former employees once the retention period has expired.
Employee privacy notices, the information employers must provide about how personal data is processed, should specifically reference the HR system used, the categories of data processed, the legal basis for processing, any international transfers and the mechanism relied on, how long data is retained, and employees' rights. Many UK employers use HR software without updating their privacy notices to reflect the new system, which is a compliance gap. Update your privacy notice before go-live, not after.
Frequently Asked Questions
What is the difference between UK GDPR and EU GDPR for HR software?
UK GDPR is the version of the EU General Data Protection Regulation retained in UK law at the end of the Brexit transition period, supplemented by the Data Protection Act 2018. It is substantively very similar to EU GDPR in its requirements for HR data processing. The main practical differences for UK employers are the supervisory authority, since UK GDPR is enforced by the ICO (Information Commissioner's Office) rather than an EU lead supervisory authority, and the transfer tools, since the UK uses its own adequacy regulations and the IDTA or UK Addendum rather than the EU SCCs alone. For UK employers using HR software from EU vendors, the DPA should reference UK GDPR specifically, recognise the ICO's authority, and use UK transfer mechanisms for any data the vendor moves outside the UK.
Do I need to register with the ICO to use HR software?
Most UK organisations that process personal data, including employee data, are required to pay the ICO's annual data protection fee and are listed on the ICO's register of fee payers. Fees run in three tiers from £40 to £2,900 per year depending on organisation size and turnover, with reduced fees for charities and small organisations. A narrow exemption exists for organisations that process personal data only for purposes such as staff administration and accounts and keep no CCTV; the ICO's online self-assessment tells you whether it applies, but most trading businesses also hold customer data and will need to pay. Failing to pay a fee that is due can attract a fixed monetary penalty from the ICO. Check your registration status and fee tier at ico.org.uk/registration.
Can employees see all data held about them in the HR system?
Employees have the right to submit a Data Subject Access Request and receive a copy of all personal data held about them, including HR system records. This includes performance notes, sickness records, disciplinary documentation, and any notes made by managers in the system. Employers can withhold information only under the limited exemptions in the Data Protection Act 2018, for example where disclosure would identify a third party who has not consented, would prejudice the prevention or detection of crime, or would reveal management forecasting or negotiating positions; the exemption must be justified and applied to specific items, not used to drop whole categories of records. HR systems should be configured so that a comprehensive DSAR response can be generated quickly; the statutory one-month deadline runs from receipt of the request, not from when the organisation decides to start responding.
How long should we retain employee data in HR software after someone leaves?
UK GDPR requires personal data to be retained no longer than necessary for the purpose for which it was collected. For employment data, the CIPD recommends the following retention periods as a starting point: basic employee records for six years after employment ends (to cover the Limitation Act 1980 six-year period for contractual claims); payroll records for three years after the end of the tax year to which they relate (HMRC requirement); and sickness absence records for as long as they are relevant for occupational health purposes, with a typical ceiling of six years. Your HR system should support configurable retention policies that flag records for deletion review when the retention period expires.
What should I do if my HR software provider suffers a data breach?
If your HR software provider notifies you of a data breach affecting employee personal data, your legal obligations as data controller are: assess whether the breach is reportable to the ICO (the threshold is a breach likely to result in a risk to individuals' rights and freedoms); if reportable, notify the ICO within 72 hours of becoming aware of the breach, which is normally the moment the vendor tells you, and give reasons for any delay if you miss that window; if the breach is likely to result in a high risk to individuals, notify affected employees without undue delay. Document the breach, your assessment and your response regardless of whether ICO notification is required, because Article 33(5) requires a record of all breaches. Review the vendor's DPA to confirm they met their contractual obligation to notify you promptly, and if they did not, this is grounds to seek a contractual remedy.
For the full market picture, see our best HR software UK 2026 guide covering all major platforms.
Also see: HR software cost UK.
This article is for informational purposes only and does not constitute legal, HR, or financial advice. All data accurate as of April 2026. Fact-checked against CIPD, ICO, ACAS, and HMRC guidance. Kaeltripton.com is an independent editorial site. No external links are provided to any platform mentioned — brands appear in rankings based solely on independent assessment criteria.
Sources
- ICO Guide to UK GDPR for Employers: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/employment/
- ICO Contracts and Liabilities with Processors: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/contracts-and-liabilities-between-controllers-and-processors-multi-topic-guide/
- ICO Data Subject Access Requests: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/right-of-access/
- ICO Special Category Data: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/special-category-data/
- CIPD Data Protection in the Workplace: https://www.cipd.org/uk/knowledge/guides/data-protection-workplace/