GDPR is one of those topics where the gap between the practical baseline and the compliance industrial complex is enormous. For an HR-data context inside a small company (under 250 staff, no DPO requirement), here’s what actually matters.
The three things you must do
- Maintain a minimal record of processing activities (RoPA). Three columns: what data, why, retention period. A single page is fine — most teams have 6–8 entries.
- Have a written data-processing agreement (DPA) with every vendor that touches employee data. Most SaaS vendors will hand you one; ask if they don’t.
- Be able to fulfil a subject access request inside 30 days. A practical bar: someone asks "what HR data do you hold on me?" and you can produce a CSV.
The three things you can deprioritise (for now)
- Pseudonymisation of HR data. Useful for research/analytics, not for normal HR operations. Skip it until your operational scale demands it.
- A formal Data Protection Impact Assessment for every new tool. Required for high-risk processing, which a PTO tracker isn’t.
- Appointing a Data Protection Officer. Mandatory only if your core activities involve large-scale processing or processing special-category data.
The data-residency question
For HR data on EU residents, the practical bar is "encrypted in transit and at rest, hosted in a country with an adequacy decision or via a vendor with Standard Contractual Clauses (SCCs)." US-only hosting is operationally fine if the vendor has SCCs in place and holds a Data Privacy Framework certification.
Subject access requests in practice
Most small teams panic about SARs because they imagine a hostile former employee submitting one. In practice the volume is near zero, and the work — exporting their data — is straightforward if your tools have an export button. Pre-mapping which tools hold which data takes an hour and saves the panic.
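One way to make the RoPA and the SAR pre-mapping the same artefact, as an added example that is not part of the original post: a small Python map of which system holds what, why, for how long, and whether a DPA is on file, which a SAR export and a retention check can both be driven from. The system names, purposes, retention periods and export hooks are constructed for illustration.

```python
"""Added example: one machine-readable map that serves as the RoPA (what data,
why, retention) and drives subject-access-request (SAR) exports. All systems,
vendors and export hooks below are constructed, not a real HR stack."""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable

@dataclass(frozen=True)
class RopaEntry:
    system: str           # tool that holds the data (constructed name)
    data: str             # what data
    purpose: str          # why it is processed
    retention_days: int   # how long it is kept after the triggering event
    dpa_on_file: bool     # written data-processing agreement with the vendor

# Constructed sample RoPA for a small company's HR tooling.
ROPA = [
    RopaEntry("payroll-saas", "salary, bank details", "pay staff", 6 * 365, True),
    RopaEntry("pto-tracker", "leave dates", "manage absence", 2 * 365, True),
    RopaEntry("recruiting-tool", "CVs, interview notes", "hiring", 180, False),
]

def ropa_gaps(entries):
    """Systems whose vendor has no DPA on file: the baseline gap to close first."""
    return [e.system for e in entries if not e.dpa_on_file]

# Constructed per-system export hooks (in practice, each tool's export button/API).
def _payroll_export(subject): return [{"field": "salary", "value": "REDACTED"}]
def _pto_export(subject): return [{"field": "leave", "value": "2024-07-01..2024-07-14"}]
EXPORTERS: dict[str, Callable[[str], list]] = {
    "payroll-saas": _payroll_export, "pto-tracker": _pto_export,
}

def sar_export(subject, entries, exporters):
    """Walk the pre-mapped systems and produce the CSV a SAR response needs."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["system", "purpose", "field", "value"])
    for e in entries:
        for row in exporters.get(e.system, lambda s: [])(subject):
            w.writerow([e.system, e.purpose, row["field"], row["value"]])
    return buf.getvalue()

def overdue(entries, last_event, today):
    """Systems where this subject's retention period has expired (data to delete)."""
    return [e.system for e in entries if e.system in last_event
            and today - last_event[e.system] > timedelta(days=e.retention_days)]

def example_overdue():
    """Constructed case: leave data from 2020 checked against a 2-year retention."""
    return overdue(ROPA, {"pto-tracker": date(2020, 1, 1),
                          "payroll-saas": date(2023, 1, 1)}, date(2024, 1, 1))
```

The same structure doubles as the "one page" RoPA: dump `ROPA` to a table and the three columns the post asks for are already there.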
Compliance theatre is more dangerous than no compliance, because it inoculates the team against doing the actual work.