An HRIS (Human Resources Information System) is the database of record for employee data - covering personal details, contracts, absence, payroll integration, and compliance records. UK employers choosing between HRIS platforms should evaluate data residency (UK GDPR requires appropriate transfer mechanisms for data leaving the UK), payroll integration depth, and whether the system can produce a complete Subject Access Request response within 30 days. The distinction between HRIS, HRMS, and HCM is largely a marketing one; what matters is whether the platform covers the specific process areas the employer needs.
Last reviewed May 2026
The term HRIS is used interchangeably with HRMS (Human Resources Management System) and HCM (Human Capital Management) in vendor marketing, creating confusion for buyers trying to map products to requirements. This guide cuts through the terminology to explain what an HRIS actually does, how UK-specific requirements shape which platforms are appropriate, and what questions to ask when evaluating systems for a UK employer context. For platform shortlists by size, see best HR software UK and HR software for small business UK.
What an HRIS Is and What It Is Not
An HRIS is, at its core, a structured database of employee information linked to workflow tools that automate HR processes. The database holds the employee record - name, address, National Insurance number, start date, contract type, salary, working hours, absence history, and employment history. The workflow tools sit on top of this record and automate processes: onboarding checklists, absence approval flows, performance review cycles, leaver processes.
What an HRIS is not, in most implementations, is a payroll processor. The majority of HRIS platforms in the UK market integrate with a separate payroll tool - either via a real-time API connection or a scheduled data export - rather than processing the payroll calculation and HMRC RTI submission themselves. The exceptions are combined HRIS and payroll platforms (Moorepay, Zellis, Rippling with UK payroll) and accountancy-adjacent tools (Sage HR with Sage Payroll, Xero with its payroll module). Understanding whether the HR and payroll functions are integrated natively or via a connector is essential because integration failures are the most common source of payroll errors in multi-system HR stacks.
An HRIS is also not a recruitment system. Most HRIS platforms include a basic applicant tracking module, but organisations with significant hiring volume typically use a dedicated ATS (Ashby, Greenhouse, Workable, Pinpoint) and integrate it with the HRIS so that offer-accepted candidate records flow automatically into the employee record without manual re-entry. The integration point between ATS and HRIS is the trigger for the onboarding workflow - and where that integration is missing or unreliable, onboarding processes break down.
UK-Specific Requirements That Shape HRIS Selection
Several UK-specific requirements differentiate the HRIS evaluation process from the equivalent exercise in other markets. Understanding these narrows the shortlist before any product demonstration.
Data residency and UK GDPR: the ICO's guidance on international data transfers requires that personal data transferred outside the UK is subject to an appropriate transfer mechanism - UK adequacy regulations for EEA countries and a small number of others, or an International Data Transfer Agreement (IDTA) for the remainder. Most US-headquartered HRIS vendors hold data in US data centres and rely on standard contractual clauses. Post-Brexit, these must be UK IDTAs, not EU SCCs. UK employers should request their vendor's Data Processing Agreement and verify that it references the UK GDPR and the ICO's transfer requirements specifically, not only the EU GDPR.
Right-to-work record management: the HRIS must hold structured right-to-work check records with date, document type, document expiry (for time-limited permissions), and checker identity. Unstructured document attachment - a scanned passport stored as a PDF in the employee file - does not satisfy the requirement for follow-up check alerts. The Home Office's civil penalty regime (up to £60,000 per illegal worker since February 2024) makes this a high-stakes gap.
Working time records under Regulation 9: the HRIS or its integrated time and attendance tool must maintain records adequate to demonstrate Working Time Regulations compliance. For salaried employees with fixed hours, this is typically satisfied by the employment contract and absence records held in the HRIS. For variable-hours workers, a time capture record is necessary. The HRIS should be able to produce a working time compliance report on demand.
Gender pay gap reporting: employers with 250 or more employees must publish gender pay gap data annually by 4 April (public sector) or 5 April (private sector and voluntary sector). The Equality Act 2010 (Gender Pay Gap Information) Regulations 2017 define the six required metrics precisely. An HRIS that cannot produce these figures directly from its payroll and headcount data forces a manual extraction exercise that is error-prone and time-consuming.
|
The Functional Architecture of a Modern HRIS
A modern HRIS serving a UK employer in the 50-500 employee range typically covers the following functional areas, though depth varies significantly between platforms.
Core HR (always present): employee record management, organisational structure (reporting lines, departments, cost centres), document storage, basic reporting and headcount analytics. This is the non-negotiable foundation - every HRIS platform covers this.
Absence and leave management (near-universal): annual leave booking and approval, sickness absence recording, other leave types (maternity, paternity, shared parental, compassionate). At the compliance level, the system must calculate statutory annual leave entitlement correctly for all worker types, including part-year and irregular-hours workers following the post-Brazel legislative changes. Bradford Factor scoring is typically present but should be configured as a management tool rather than an automated action trigger.
Onboarding workflows (common): task checklists assigned to HR, IT, and the new hire; document collection and e-signature; right-to-work check recording; HMRC Starter Checklist collection. Quality varies significantly - some platforms trigger onboarding only from the start date, missing the pre-boarding window where the highest-value compliance tasks should be completed.
Performance management (variable): goal setting, appraisal forms, continuous feedback tools, and probation period management. The employment law relevance is in probation period tracking and the documentation trail for disciplinary and performance improvement processes. Platforms that store only current performance ratings without version history create evidential gaps in tribunal proceedings.
Payroll integration (variable depth): real-time API, scheduled batch export, or manual CSV. The depth of integration determines whether payroll data (salary changes, new starters, leavers, absence deductions) flows automatically or requires a manual reconciliation step each pay period. Manual reconciliation at scale is a reliable source of payroll errors.
Reporting and analytics (variable): standard reports (headcount by department, absence rate, turnover rate, gender pay gap metrics) plus configurable report builders. Platforms with a native gender pay gap report module save significant time for 250+ employee employers at reporting deadline.
Evaluating HRIS Vendors: A UK Buyer Framework
The following evaluation framework reflects the specific requirements of UK employers and the compliance gaps most frequently identified in HR technology audits.
Start with data residency. Before reviewing features, establish where employee data is stored and processed. Request the vendor's Data Processing Agreement, Data Processing Addendum, and their list of subprocessors. Verify that any data leaving the UK has an appropriate transfer mechanism in place. This is a binary compliance requirement - it cannot be compensated for by superior features elsewhere in the platform.
Test the SAR response capability. Ask the vendor to demonstrate how the system would compile a complete Subject Access Request response for a named employee. The demonstration should show that all personal data - including audit logs, system notes, and any automated decision outputs - is retrievable in a structured format within a timeframe that allows 30-day compliance. Platforms that require manual searches across multiple modules to compile a complete SAR response represent a compliance risk at scale.
Validate the right-to-work module specifically. Ask whether the system stores right-to-work check outcomes as structured data (check date, document type, document expiry, checker name) or as unstructured document attachments. Ask whether the system generates automated alerts before time-limited permissions expire, and at what interval. Ask what happens to right-to-work records at the two-year post-termination deletion point - is deletion automated or manual?
Assess payroll integration depth. Request a demonstration of a payroll data export for a test pay period that includes a new starter, a leaver, a salary change, and an absence deduction. Evaluate whether the export is complete, correctly formatted for the target payroll system, and whether it can be produced without manual intervention from the HR team.
| Evaluation area | Question to ask vendor | Acceptable answer |
|---|---|---|
| Data residency | Where is data stored and what transfer mechanism applies? | UK/EEA storage or UK IDTA in place |
| SAR capability | Can you demonstrate a complete SAR export? | Single export covering all modules |
| Right-to-work | Is RTW data structured or attachment-only? | Structured fields with expiry alerts |
| Payroll integration | Is the integration real-time API or CSV export? | Real-time API preferred; CSV if scheduled |
| Retention enforcement | Is retention schedule automation included? | Configurable periods with automated alerts |
| Gender pay gap | Is the GPG report native or manual export? | Native report for 250+ employee employers |
Migration and Implementation Realities
HRIS implementations in the 50-500 employee range typically take eight to sixteen weeks from contract signature to go-live when data quality is reasonable and a dedicated internal project owner is available. The most common sources of delay are data migration (legacy records in inconsistent formats, spreadsheets with missing or incorrect fields, paper records requiring digitisation) and integration configuration (payroll connector setup, SSO configuration, ATS integration testing).
Data migration deserves particular attention in a UK GDPR context. Migrating employee records from a legacy system to a new HRIS is a personal data processing activity subject to UK GDPR. The migration plan should document the lawful basis for migration, the data minimisation steps applied (not migrating records past their retention date), and the security measures applied during transit (encryption, access restriction to the migration team). An HRIS vendor that provides a data migration template and a migration-specific DPA addendum is demonstrating compliance maturity; one that treats migration as a purely technical exercise with no data protection documentation is a risk signal.
TUPE transfers - where employees transfer to the employer as part of a business acquisition or service contract change - create a specific HRIS migration challenge. Transferred employees' continuous employment dates, statutory entitlements, and any existing disciplinary or performance records must migrate accurately. Errors in continuous employment dates create liability on redundancy pay and unfair dismissal claims. The HRIS vendor should have a documented TUPE data migration process, not an ad hoc approach.
FAQ
What is the difference between an HRIS and an HRMS?
In common usage the terms are interchangeable. Strictly, HRIS (HR Information System) refers to the employee database and reporting layer; HRMS (HR Management System) adds process automation such as onboarding workflows, absence approval, and performance review cycles. In practice, all platforms marketed as HRIS include workflow automation, so the distinction is primarily historical. Evaluate platforms on their specific feature coverage rather than the acronym used in their marketing.
Does an HRIS replace a payroll bureau?
No. Most HRIS platforms pass payroll data to a payroll processor - either an in-house payroll team using payroll software, or an outsourced payroll bureau. The bureau handles PAYE calculation, RTI submissions to HMRC, and P60/P11D production. Combined HRIS and payroll platforms (Moorepay, Zellis, Rippling) reduce the integration complexity, but the payroll compliance function remains distinct from the HR record-management function.
How many employees does a business need before an HRIS is worth implementing?
There is no fixed threshold. Most HR advisers cite 15-25 employees as the point at which manual administration of HR records becomes a compliance risk rather than a practical choice - though the specific trigger depends on workforce complexity (variable hours, multi-site, high turnover) as much as headcount. Entry-level HRIS pricing at £3-£6 per employee per month makes the cost case straightforward above 10-15 employees for most businesses.
What UK GDPR obligations apply specifically to HRIS data?
An HRIS holds personal data (employee records) and typically special category data (sickness absence, disability adjustments). UK GDPR requires: a lawful basis for each processing purpose; data minimisation (collecting only necessary data); storage limitation (retention periods applied and enforced); appropriate access controls; audit logging; and the ability to respond to Subject Access Requests within 30 days. The Records of Processing Activity (ROPA) must include the HRIS as a processing activity for organisations with 250 or more employees.
Can an HRIS help with tribunal preparation?
Yes, significantly. Employment tribunals require documentary evidence of the employer's actions - warning letters, hearing records, investigation notes, performance reviews, absence records. An HRIS that stores these as timestamped, version-controlled documents linked to the employee record enables the HR team to compile a tribunal bundle efficiently. Platforms that store only current documents without version history, or that allow records to be amended without an audit trail, create evidential gaps that damage the employer's position.
Frequently asked questions
Where should an HRIS store UK employee data for GDPR compliance?
Under UK GDPR, transfers of personal data outside the UK or EEA require an adequacy regulation or appropriate safeguards such as the ICO's International Data Transfer Agreement. Most enterprise HRIS vendors offer UK or EEA data residency as a tier option. UK-headquartered businesses simplify their Article 30 record of processing by selecting UK residency. Document the choice and review when vendors change sub-processor arrangements. The ICO's international transfers guidance at ico.org.uk applies.
What is a subject access request and how should HRIS handle it?
Under UK GDPR Article 15, individuals can request a copy of all personal data the employer holds about them. The employer must respond within one calendar month, extendable by two months for complex requests. HRIS systems should produce a complete export of all data fields against a named individual, including audit logs, system messages, and any free-text notes added by managers. Manual collation across multiple systems is the most common cause of late or incomplete SAR responses, which attract ICO enforcement.
How should HRIS integrate with UK payroll software?
Two-way integration via API is the most reliable approach. The HRIS pushes starter, leaver, salary change, working pattern, and tax code data to payroll; payroll returns payment values, statutory deductions, and pension contributions to the HRIS for reporting. The integration should preserve the digital audit trail required for HMRC Real Time Information submissions and for The Pensions Regulator's auto-enrolment compliance. Avoid CSV-based daily syncs where API integration is available.
What HRIS controls should be in place for sensitive employee data?
Role-based access controls limiting visibility by data type (salary, performance, sickness) and reporting line are the baseline. Multi-factor authentication on all admin accounts is required for Cyber Essentials compliance. Audit logs should record every access to sensitive records, with admin review of unusual access patterns. Field-level encryption at rest is increasingly expected for medical, biometric, or special category data. Confirm the vendor's ISO 27001 or Cyber Essentials Plus status.
Does an HRIS need to support the new flexible working request rules?
Yes for compliance with the Employment Relations (Flexible Working) Act 2023, which removed the 26-week qualifying period and increased the number of permitted requests to two per year. HRIS systems should support flexible working request workflows including the two-month response deadline, the consultation requirement, and the eight permitted refusal grounds. Decisions and reasoning should be logged for tribunal evidence and ACAS Code compliance. ACAS publishes the updated statutory code.
How We Verified
This article draws on ICO guidance on UK GDPR and international data transfers, CIPD research on HR technology adoption, and Equality Act gender pay gap reporting regulations. Legislation was verified against current text on legislation.gov.uk. Platform capability descriptions and pricing are based on publicly available product documentation and vendor websites as of May 2026. No vendor paid for inclusion in this article.
Sources
- ICO: International Data Transfers guidance
- CIPD: Data Protection in the Workplace
- Equality Act 2010 (Gender Pay Gap Information) Regulations 2017
- ICO: Employment Practices and Data Protection
Compare hr software |
