GDPR Onboarding Compliance: A Practical Guide for HR Teams

Updated 25 April 2026 · 9 min read
Compliance

Employee onboarding involves collecting some of the most sensitive personal data your organisation handles: passport numbers, bank account details, tax identifiers, health declarations, and criminal record checks. Under GDPR (and the UK GDPR), how you collect, store, and use this data during onboarding has significant legal implications.

This guide covers the practical GDPR requirements that apply specifically to the onboarding phase, and how onboarding software helps you stay compliant without adding administrative burden.

Lawful Basis for Processing Onboarding Data

GDPR requires that every instance of personal data processing has a lawful basis. During onboarding, the most relevant bases are:

  • Contract performance: Processing data necessary to fulfil the employment contract (e.g., bank details for payroll, personal details for the employment record)
  • Legal obligation: Processing required by law (e.g., right-to-work checks, tax information for PAYE)
  • Legitimate interests: Data processing where your legitimate business interest outweighs the individual's privacy rights — used carefully and documented
  • Consent: Used only where no other basis applies — consent must be freely given and withdrawable, which is problematic in an employment context where power imbalance exists

Data Minimisation: Only Collect What You Need

GDPR's data minimisation principle requires that you only collect data that is genuinely necessary for the purpose. This means your onboarding document checklist should not ask for every piece of information that might ever be useful — it should ask for what you need now, with a documented reason for each data point.

Privacy Notices for New Hires

At the point of data collection, new hires must be given a privacy notice explaining what data you are collecting, why, how long you will keep it, and their rights under GDPR. This should be embedded into your onboarding portal — not buried in a separate document that may never be read.

Retention Periods for Onboarding Data

GDPR requires that personal data is not kept longer than necessary. For employment records, UK guidance recommends keeping most onboarding data for 6 years after employment ends (aligned to the Limitation Act). Some categories — like pre-employment criminal record checks — should typically be deleted once the employment decision is made.

How Onboarding Software Helps with GDPR Compliance

  • Audit trail: Automatically records when data was collected, by whom, and under what lawful basis
  • Consent management: Tracks policy acknowledgements with timestamps
  • Data subject access requests: Enables HR to quickly locate and export all data held on a specific employee
  • Automated retention policies: Flags when data is due for review or deletion
  • Secure storage: Encrypts sensitive documents and access-controls them to authorised HR staff only

NDPR Compliance for Nigerian Organisations

Nigeria's Data Protection Regulation (NDPR), issued by NITDA, imposes similar obligations to GDPR for Nigerian data subjects. Organisations collecting employee data during onboarding must have a lawful basis, provide privacy notices, implement security measures, and comply with data subject rights. Non-compliance can result in fines and regulatory sanctions.

Onboard compliantly from day one

OnboardSwift includes GDPR and NDPR-ready data handling, audit trails, and privacy notice delivery built into every hire flow.


Frequently Asked Questions

Does GDPR apply to employee data during onboarding?

Yes. GDPR applies to all personal data processing, including employee data. Onboarding involves collecting some of the most sensitive categories of personal data, so GDPR compliance during this phase is particularly important.

What lawful basis should I use for processing employee onboarding data?

Most onboarding data is processed under "contract performance" (data needed to execute the employment contract) or "legal obligation" (data required by law, such as tax information). Consent is generally not the appropriate basis in employment contexts.

How long should I keep employee onboarding documents?

UK guidance suggests keeping most employment records for 6 years after employment ends. Some documents (like pre-employment criminal checks) should be deleted sooner. NDPR guidance for Nigeria follows similar principles.

What is a DSAR (Data Subject Access Request) in the context of onboarding?

A DSAR is a request by an individual to see all personal data an organisation holds about them. In an onboarding context, this means being able to quickly locate and export all documents, forms, and records collected during the hire's onboarding process.

Does Nigeria have GDPR-equivalent rules for employee data?

Yes. Nigeria's Data Protection Regulation (NDPR), enforced by NITDA, applies to all personal data processing including employment. Organisations must have a lawful basis, provide privacy notices, and comply with data subject rights.
