Human resources data is a prime target for cybercriminals: it contains sensitive information such as social security numbers, home addresses, salary histories and bank details. Yet a 2025 study by Workest shows that 59% of French HR managers believe they lack the skills needed to protect personal data in compliance with GDPR. This knowledge gap creates considerable risk, both for the employees whose data is exposed and for companies facing substantial fines for non-compliance.
Legal obligations and risks
GDPR subjects all employee personal data to strict requirements. Companies must document why they collect each category of data, how long they retain it, and which security measures protect it. A breach involving thousands of employees' data can lead to fines of up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher. CNIL has stepped up audits of HR departments, with worrying results: in 2024 it found shortcomings in 76% of inspected companies on essential points such as excessive data retention or the absence of a valid legal basis such as explicit consent. Beyond the regulatory risk, an HR data breach seriously damages the employer brand and employees' trust.
Current HR practices and their gaps
Many organisations still keep HR data scattered across poorly secured locations. Paper files are kept without restricted access, Excel and PDF files circulate by unencrypted email, and legacy data is retained long after it has served its purpose. Moreover, external providers (payroll services, law firms, HR consultants) often access this data without the outsourcing contract clearly setting out their security and confidentiality obligations. A French SME that suffered a data breach affecting 800 employees, following an attack on its payroll provider, had to pay more than 150,000 euros in compensation to the affected employees.
Toward better protection
Organisations must put structured processes in place. This means: a comprehensive inventory of all HR data held, classification by sensitivity level, encryption of the most sensitive data, access restricted to the HR staff who actually need it, regular backups, and a retention schedule that destroys obsolete data on time. In parallel, HR managers must strengthen their training, in particular their understanding of GDPR fundamentals and of the security issues at stake. HR software vendors increasingly focus on compliance, which can help organisations modernise their systems. Finally, raising employee awareness of the importance of data confidentiality builds a culture of protection around the HR function.
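Three of the steps above (classification by sensitivity, need-to-know access and a destruction schedule) can be enforced in code rather than left to good intentions. The following Python example is added here and is not part of the original article or of any vendor's product; the field classification, the roles and their permissions, the five-year retention period after contract end and the sample records are all assumptions, to be replaced by the values in your own processing register.

```python
"""Field-level classification, role-based redaction and retention purging
for HR records. Added example (not from the article); sensitivity labels,
roles, retention period and sample data are assumptions."""
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import Optional


class Sensitivity(IntEnum):
    INTERNAL = 1      # name, job title
    CONFIDENTIAL = 2  # home address, salary
    RESTRICTED = 3    # national ID number, bank details


# Assumed classification of each HR field; adjust to your own register.
FIELD_CLASSIFICATION = {
    "employee_id": Sensitivity.INTERNAL,
    "name": Sensitivity.INTERNAL,
    "job_title": Sensitivity.INTERNAL,
    "address": Sensitivity.CONFIDENTIAL,
    "salary": Sensitivity.CONFIDENTIAL,
    "national_id": Sensitivity.RESTRICTED,
    "iban": Sensitivity.RESTRICTED,
}

# Least privilege: each role gets a sensitivity ceiling plus explicit
# per-field exceptions (payroll needs the IBAN but not the home address).
ROLE_POLICY = {
    "manager": {"ceiling": Sensitivity.INTERNAL, "extra": set()},
    "payroll": {"ceiling": Sensitivity.INTERNAL, "extra": {"salary", "iban"}},
    "hr_admin": {"ceiling": Sensitivity.RESTRICTED, "extra": set()},
}

# Assumed retention: the file is destroyed N years after the contract ends.
RETENTION_YEARS_AFTER_EXIT = 5
# Assumed date on which the purge is run.
AS_OF = date(2024, 1, 1)


@dataclass
class HRRecord:
    employee_id: str
    name: str
    job_title: str
    address: str
    salary: int
    national_id: str
    iban: str
    contract_end: Optional[date] = None  # None while still employed


def redact(record: HRRecord, role: str) -> dict:
    """Return only the fields the role may see; hidden fields are replaced
    by a marker so callers can tell 'hidden' apart from 'empty'."""
    policy = ROLE_POLICY.get(role)
    if policy is None:
        raise PermissionError(f"unknown role {role!r}")  # fail closed
    out = {}
    for name, level in FIELD_CLASSIFICATION.items():
        if level <= policy["ceiling"] or name in policy["extra"]:
            out[name] = getattr(record, name)
        else:
            out[name] = "<redacted>"
    return out


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years, clamping 29 February to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def is_expired(record: HRRecord, today: date) -> bool:
    """A record is obsolete once the retention period after exit has passed."""
    if record.contract_end is None:
        return False
    return today >= add_years(record.contract_end, RETENTION_YEARS_AFTER_EXIT)


def purge_expired(records, today):
    """Split records into (kept, ids_to_destroy) for the destruction run."""
    kept, destroyed = [], []
    for r in records:
        (destroyed if is_expired(r, today) else kept).append(r)
    return kept, [r.employee_id for r in destroyed]


# Constructed sample data: fictitious people, placeholder identifiers.
SAMPLE_RECORDS = [
    HRRecord("E001", "A. Dupont", "Analyst", "12 rue Exemple, Lyon", 38000,
             "1 85 01 69 000 000 00", "FR76 0000 0000 0000 0000 0000 000"),
    HRRecord("E002", "B. Martin", "Engineer", "3 avenue Test, Lille", 52000,
             "2 90 07 59 000 000 00", "FR76 1111 1111 1111 1111 1111 111",
             contract_end=date(2018, 6, 30)),   # left > 5 years ago
    HRRecord("E003", "C. Bernard", "Assistant", "8 place Demo, Nantes", 31000,
             "2 95 11 44 000 000 00", "FR76 2222 2222 2222 2222 2222 222",
             contract_end=date(2022, 2, 28)),   # still within retention
    HRRecord("E004", "D. Leroy", "Intern", "1 rue Fictive, Paris", 21000,
             "1 00 02 75 000 000 00", "FR76 3333 3333 3333 3333 3333 333",
             contract_end=date(2024, 2, 29)),   # leap-day exit, still kept
]

if __name__ == "__main__":
    print(redact(SAMPLE_RECORDS[0], "manager"))
    print(redact(SAMPLE_RECORDS[0], "payroll"))
    print(purge_expired(SAMPLE_RECORDS, AS_OF))
```

Two design points are worth noting. Access is decided per field rather than per record, so a role that legitimately needs one restricted field (payroll and the IBAN) does not get every restricted field with it; and an unknown role raises instead of returning a partial record, so a misconfiguration fails closed. The purge function only reports which identifiers are due for destruction; the actual deletion (and its entry in the processing register) belongs in the calling workflow, where it can be reviewed before it runs.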
