Data Protection & GDPR

Your guide to the Data Protection Act 2018 (DPA 2018) and the EU General Data Protection Regulations (GDPR)

Data Protection and privacy are fundamental rights in today’s world of work. It’s important that your data processes are legally compliant and that all your employees understand the importance of data confidentiality and security. Your organisation could face large fines if you don’t follow the DPA 2018 & GDPR.

What is the Data Protection Act?

The Data Protection Act 2018 (DPA 2018) incorporates the EU’s General Data Protection Regulations (GDPR). Its purpose is to protect the personal information of individuals from security and privacy breaches. Importantly, DPA 2018 gives people the right to know who holds their personal information, why they have it, how they got it and what they’re doing with it.

You must always be ready to answer these queries with accurate information and comply with data audits. This means proving your processes are compliant if you are challenged. Failure to do so can result in an eye-watering fine or other sanctions from the Information Commissioner’s Office (ICO).

Every part of your company needs to be aware of best practices around data protection, as many of your employees handle personal data on a daily basis. That could include details of other employees both past and present, customer information or sales leads.


The GDPR was enshrined into UK law as part of the Data Protection Act 2018. However, GDPR applies to any company in the world that processes the personal data of EU citizens.

Did you know?

Google has been fined €50 million for breaking GDPR rules. French data regulator CNIL judged that Google didn’t properly inform people about how their data would be used for advert personalisation. This constituted a “lack of valid consent”.

Fines can be up to 4% of annual global turnover or €20 million – whichever is greater. But not all breaches lead to fines. Organisations might receive warnings, an order to erase data or even the suspension of data processing operations in their business.

How to handle employee data under GDPR

HR must have a robust system in place for storing, securing and processing the personal data of employees, whatever the size of the organisation. iTrent is a management system that unifies HR and payroll data and provides functionality to enable full compliance with the DPA 2018. It gives HR all the right tools to respond to data challenges:

Data subject access request

If an employee asks for access to their personal information, you have one month to respond. iTrent gives you a fast and easy way to access this information and send it to the employee directly so you can avoid missing deadlines.

Data retention

Any employee data that you are no longer required to keep must be deleted under DPA 2018. iTrent has simple ways to make sure no data is kept illegally. You can set mass-scale data retention rules, or unique rules for a specific person or organisation. For example, you could retain personnel records for an employee who has an ongoing claim against your organisation.

Privacy policy

No one should be expected to input personal data into your HR system without understanding why you are collecting the data, what you are going to do with it and on what legal basis you are processing it. To make sure this happens, upload your privacy policy to iTrent and prompt users to read and approve it. All approvals of your privacy policy are recorded and can easily be audited if there’s a breach.

Audit reporting

Track how your data is handled and boost data security with iTrent’s Audit User Journey. Every time an employee uses your data systems, a timeline of the session is created to show what they accessed and how they used the data. This makes it easy to investigate the origin and nature of data downloads in line with your data protection obligations.

Integrate your data systems with iTrent

iTrent makes it easy to protect employee data in line with DPA 2018 because it brings HR and payroll data into a unified system. Users have peace of mind that their employee information is in one secure place and they save hours of time on data administration.

With an integrated data system, you don’t have to enter data multiple times, there’s no need to cross-reference between two data stores, and you can trust that any data you’ve deleted isn’t still sitting on another system without you knowing.

GDPR Awareness Course

Get certified in GDPR and meet all your data obligations with our hassle-free online course.


Employee self-service helps get data right


Employees can enter and update their own personal details in iTrent, making the data you collect more accurate. Tools like our virtual HR assistant are quick and easy for employees to use and can be accessed on the go.


Book an iTrent demo today



See how iTrent has all the right tools to keep you in line with data protection rules. A free demonstration with no obligations can be run either online or on site, at a time that's convenient to you. You'll see and hear everything you need to know from one of our experts.


HR & Payroll Glossary: What is employee onboarding?


When you welcome a new employee to your team, there's a checklist of compliance that you have to get right - from collecting their personal data, to making sure they accept certain policies like health and safety. Make sure you tick all the boxes with our onboarding advice page.


HR & Payroll Glossary: What is iTrent electric?


The iTrent Electric theme is MHR's new user interface for the iTrent HR & payroll system.

The Electric theme is designed to transform the employee and manager experience of iTrent. It's responsive and has streamlined navigation, a consolidated homepage, convenient quick links and a drastic reduction in forms, significantly increasing the speed and efficiency of everyday HR tasks.
