Quick Answer: What Security Features Should HR Software Have?
At a minimum, UK HR software should provide:
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256)
- Access controls: Role-based permissions limiting who sees what
- UK/EEA data residency: Employee data stored in the UK or EEA
- Audit trails: Complete log of who accessed and changed data
- GDPR compliance tools: Data export, deletion, and consent management
- Regular backups: Automated with tested recovery procedures
- Two-factor authentication: For admin and manager accounts
Why HR Data Security Matters
HR software contains some of the most sensitive data in any organisation:
- Personal identifiers (names, addresses, National Insurance numbers)
- Financial information (bank details, salary data)
- Health data (sickness records, OH reports, disability status)
- Protected characteristics (age, ethnicity, disability, religion)
- Legal documents (contracts, disciplinary records, tribunal correspondence)
Under UK GDPR, this data includes both personal data and special category data (health, religion, ethnicity), which requires enhanced protection: on top of a lawful basis you need an Article 9 condition, which for HR data is usually the employment-law condition, and that condition requires an appropriate policy document under the Data Protection Act 2018.
The Cost of Getting It Wrong
- ICO fines: Up to £17.5 million or 4% of global turnover for serious GDPR breaches
- Employee claims: Individuals can claim compensation for distress caused by data breaches
- Reputational damage: Loss of employee trust and potential difficulty attracting talent
- Operational disruption: Incident response, investigation, and remediation costs
GDPR Compliance Requirements
Lawful Basis for Processing
HR data processing typically relies on:
- Contractual necessity: Processing needed to fulfil the employment contract
- Legal obligation: Processing required by law (tax, pension, right-to-work)
- Legitimate interest: Processing needed for legitimate business purposes (performance management, workforce planning)
- Consent: Only for processing not covered by the above (e.g. marketing photos)
Employee Privacy Notices
Your HR software should support providing employees with clear information about:
- What data is collected and why
- How long data is retained
- Who has access to their data
- Their rights (access, rectification, erasure, portability)
- How to make a data subject access request
Data Subject Access Requests (DSARs)
Employees have the right to request a copy of all personal data you hold about them. Your HR software should allow you to:
- Export all data relating to a specific employee
- Include data from all modules (leave, absence, performance, training)
- Respond within one month of receipt (extendable by up to two further months for complex or numerous requests, provided the employee is told within the first month)
- Redact or withhold personal data about third parties (for example a colleague's details mixed into a note or email) before release
Right to Erasure
When an employee leaves and the retention period expires, you must be able to permanently delete their data. Your HR software should support:
- Configurable retention periods by data type
- Scheduled deletion reminders
- Complete data removal (not just deactivation)
- Audit trail of deletion actions
Evaluating Vendor Security
Key Questions for Vendors
- Where is employee data stored? (UK or EEA keeps compliance straightforward; storage elsewhere needs a UK adequacy decision or documented transfer safeguards such as the International Data Transfer Agreement)
- What encryption is used? (TLS 1.2+ in transit, AES-256 at rest)
- How are backups managed? (Frequency, location, encryption, tested recovery)
- What access controls are available? (Role-based, field-level, IP restriction)
- Can you provide a current ISO 27001 certificate or a SOC 2 Type II report? (SOC 2 is an audit report, not a certificate; ask to see the report, under NDA if necessary, and check its scope covers the service you are buying)
- What is your incident response procedure? (Notification timeline, escalation)
- How do you handle data subject access requests?
- What happens to our data if we leave? (Export format, deletion timeline)
- Do sub-processors have access to data? (Who, where, and why)
- What is your vulnerability management programme? (Penetration testing, bug bounty)
Red Flags
- Data stored outside the UK/EEA with no adequate safeguards
- No ISO 27001 certificate, SOC 2 Type II report, or equivalent independent assurance
- Unable to provide a clear data processing agreement
- No incident response plan or notification procedure
- No clear explanation of tenant isolation (most SaaS products share infrastructure; the red flag is a vendor who cannot say how your data is segregated from other customers', for example by per-tenant keys or enforced row-level isolation)
- No option for two-factor authentication
- Data export not available in standard formats
Access Control Best Practices
Role-Based Access
| Role | What They Should See |
|---|---|
| Super Admin | Everything (restricted to 1-2 people) |
| HR Manager | All employee records, reports, configuration |
| Line Manager | Their direct reports only |
| Employee | Their own data, team calendar, policies |
Principle of Least Privilege
Only grant the minimum access needed for each role. Review permissions quarterly and remove access when roles change.
Manager Transitions
When an employee changes manager or department, update permissions immediately. The old manager should lose access to the employee's records.
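The following Python sketch is an added example, not Grove HR's code, of how the role table, the least-privilege rule and the manager-transition rule above can be enforced together. The role names, the field groups each role may read, the two-admin limit and the sample organisation are assumptions made for the example. The point it shows is that a line manager's access is derived from the employee's current reporting line rather than stored as a separate grant, so moving an employee revokes the old manager with no clean-up step, and a review function flags privileges left behind.

```python
"""Relationship-scoped role-based access for HR records.

Added illustrative example, not Grove HR's code. Role names, field groups,
the super-admin limit and the sample organisation are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Field groups each role may read. Line managers get no pay or disciplinary
# data by default; that would have to be an explicit, reviewable grant.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "super_admin": {"*"},
    "hr_manager": {"personal", "pay", "absence", "performance", "disciplinary"},
    "line_manager": {"absence", "performance"},
    "employee": {"personal", "pay", "absence", "performance"},
}
MAX_SUPER_ADMINS = 2  # matches the "restricted to 1-2 people" row above


@dataclass
class Employee:
    id: str
    manager_id: Optional[str]
    roles: Set[str] = field(default_factory=lambda: {"employee"})


@dataclass
class Directory:
    employees: Dict[str, Employee]

    def can_view(self, actor_id: str, subject_id: str, field_group: str) -> bool:
        """Default-deny check of whether actor may read field_group on subject.

        A line manager's access is derived from the subject's *current*
        manager_id rather than from a stored grant, so a reporting-line change
        revokes the old manager without any separate permission clean-up.
        """
        actor = self.employees[actor_id]
        subject = self.employees[subject_id]
        if "super_admin" in actor.roles:
            return True
        if "hr_manager" in actor.roles and field_group in ROLE_FIELDS["hr_manager"]:
            return True
        if actor_id == subject_id and field_group in ROLE_FIELDS["employee"]:
            return True
        if ("line_manager" in actor.roles
                and subject.manager_id == actor_id
                and field_group in ROLE_FIELDS["line_manager"]):
            return True
        return False

    def reassign_manager(self, employee_id: str, new_manager_id: str) -> None:
        """Move an employee to a new manager; the old manager loses access at once."""
        if new_manager_id not in self.employees:
            raise KeyError(new_manager_id)
        self.employees[employee_id].manager_id = new_manager_id
        self.employees[new_manager_id].roles.add("line_manager")

    def review_findings(self) -> List[str]:
        """Checks a quarterly access review would run: too many super admins,
        and line_manager roles left behind after every report moved away."""
        findings: List[str] = []
        admins = sorted(e.id for e in self.employees.values() if "super_admin" in e.roles)
        if len(admins) > MAX_SUPER_ADMINS:
            findings.append(f"too many super admins: {admins}")
        for e in self.employees.values():
            has_reports = any(o.manager_id == e.id for o in self.employees.values())
            if "line_manager" in e.roles and not has_reports:
                findings.append(f"{e.id} holds line_manager but has no direct reports")
        return findings


def build_sample_directory() -> Directory:
    """Constructed sample organisation: one admin, one HR manager, two line managers."""
    people = [
        Employee("admin", None, {"super_admin"}),
        Employee("hr1", "admin", {"hr_manager"}),
        Employee("mgr_a", "admin", {"line_manager"}),
        Employee("mgr_b", "admin", {"line_manager"}),
        Employee("alice", "mgr_a"),
        Employee("bob", "mgr_a"),
    ]
    return Directory({p.id: p for p in people})


if __name__ == "__main__":
    d = build_sample_directory()
    print(d.can_view("mgr_a", "alice", "absence"))  # True
    print(d.can_view("mgr_a", "alice", "pay"))      # False: no pay data for line managers
    d.reassign_manager("alice", "mgr_b")
    print(d.can_view("mgr_a", "alice", "absence"))  # False: access ended with the move
```

The design choice worth copying is that `can_view` answers every question from the current org structure, so there is no stored per-manager access list that can go stale when someone changes team; the review function then only has to look for role assignments that no longer correspond to a real reporting relationship.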
Data Retention
Recommended Retention Periods for UK HR Data
| Data Type | Retention Period | Basis |
|---|---|---|
| Payroll records | 6 years after end of employment | HMRC requirements |
| Tax records (P45, P60) | 6 years | HMRC requirements |
| Recruitment records (unsuccessful) | 6 months | ICO guidance |
| Sickness and absence records | 3 years after end of employment | Limitation Act 1980 |
| Disciplinary records | Duration of employment + 6 years | Limitation Act 1980 |
| Training records | Duration of employment + 3 years | Best practice |
| Right-to-work documents | Duration of employment + 2 years | Immigration Act 2014 |
| Health surveillance records | 40 years from last entry | COSHH Regulations |
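The following Python sketch is an added example, not Grove HR's code, of the behaviour described under Right to Erasure and in the retention table above: retention periods keyed by data type, a clock that starts only when the triggering event has happened, scheduled reminders, hard deletion rather than deactivation, and an audit entry that records the deletion without copying the personal data it removed. The record model, event names, legal-hold flag (a practitioner addition for records subject to a pending claim) and audit entry format are assumptions made for the example.

```python
"""Retention scheduling and auditable hard deletion for HR records.

Added illustrative example, not Grove HR's code. The periods mirror the
retention table; the record model, trigger-event names, legal-hold flag and
audit entry format are assumptions made for this example.
"""
import calendar
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# data type -> (retention period in months, event that starts the clock)
RETENTION_POLICY: Dict[str, Tuple[int, str]] = {
    "payroll": (72, "end_of_employment"),
    "tax": (72, "created"),
    "recruitment_unsuccessful": (6, "decision"),
    "sickness": (36, "end_of_employment"),
    "disciplinary": (72, "end_of_employment"),
    "training": (36, "end_of_employment"),
    "right_to_work": (24, "end_of_employment"),
    "health_surveillance": (480, "last_entry"),
}


def add_months(d: date, months: int) -> date:
    """Month arithmetic that clamps to the last day of the target month."""
    total = d.year * 12 + (d.month - 1) + months
    year, month0 = divmod(total, 12)
    day = min(d.day, calendar.monthrange(year, month0 + 1)[1])
    return date(year, month0 + 1, day)


@dataclass
class Record:
    id: str
    employee_id: str
    data_type: str
    events: Dict[str, date]   # e.g. {"end_of_employment": date(2019, 3, 31)}
    payload: Dict[str, str]   # the personal data itself
    legal_hold: bool = False  # set while a claim or tribunal is pending


@dataclass
class Store:
    records: Dict[str, Record] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def deletion_due(self, rec: Record) -> Optional[date]:
        """Date the record may be erased, or None if the clock has not started
        (for example payroll records of a current employee)."""
        months, event = RETENTION_POLICY[rec.data_type]
        start = rec.events.get(event)
        return add_months(start, months) if start else None

    def due_for_deletion(self, today: date) -> List[str]:
        """Records whose retention has expired and that are not on legal hold."""
        out = []
        for r in self.records.values():
            due = self.deletion_due(r)
            if due is not None and due <= today and not r.legal_hold:
                out.append(r.id)
        return sorted(out)

    def reminders(self, today: date, days_ahead: int = 30) -> List[str]:
        """Records falling due within the next days_ahead days."""
        horizon = today + timedelta(days=days_ahead)
        out = []
        for r in self.records.values():
            due = self.deletion_due(r)
            if due is not None and today < due <= horizon:
                out.append(r.id)
        return sorted(out)

    def erase(self, record_id: str, actor: str, today: date) -> dict:
        """Hard-delete one record and log the action.

        The audit entry records that data was erased, by whom and on what
        basis; it deliberately does not copy the payload, or the erasure
        would just move the personal data into the log.
        """
        rec = self.records[record_id]
        if rec.legal_hold:
            raise PermissionError(f"{record_id} is on legal hold")
        due = self.deletion_due(rec)
        if due is None or due > today:
            raise PermissionError(f"{record_id} is still within its retention period")
        del self.records[record_id]  # removal, not a deactivation flag
        months, event = RETENTION_POLICY[rec.data_type]
        entry = {
            "action": "erased",
            "record_id": record_id,
            "employee_id": rec.employee_id,
            "data_type": rec.data_type,
            "actor": actor,
            "on": today.isoformat(),
            "basis": f"{months} months after {event}",
        }
        self.audit_log.append(entry)
        return entry


def build_sample_store() -> Store:
    """Constructed sample data: one leaver (employment ended 31 March 2019),
    one current employee and one unsuccessful applicant."""
    left = date(2019, 3, 31)
    store = Store()
    for rec in [
        Record("r1", "e100", "payroll", {"end_of_employment": left}, {"gross_pay": "2500.00"}),
        Record("r2", "e100", "sickness", {"end_of_employment": left}, {"days": "4"}),
        Record("r3", "e100", "disciplinary", {"end_of_employment": left},
               {"outcome": "written warning"}, legal_hold=True),
        Record("r4", "e200", "payroll", {}, {"gross_pay": "3100.00"}),
        Record("r5", "e300", "recruitment_unsuccessful", {"decision": date(2024, 10, 20)},
               {"cv": "on file"}),
    ]:
        store.records[rec.id] = rec
    return store


if __name__ == "__main__":
    s = build_sample_store()
    today = date(2025, 4, 1)
    print(s.due_for_deletion(today))             # ['r1', 'r2']
    print(s.reminders(today))                    # ['r5']
    print(s.erase("r1", "hr1", today)["basis"])  # 72 months after end_of_employment
```

Two details matter in practice. The clock for "after end of employment" records is never started for a current employee, so a scheduler cannot accidentally purge live records, and `erase` refuses both records still inside their period and records under hold, so the only way to remove data early is an explicit, separately audited action rather than a retention job.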
How Grove HR Handles Security
- UK data hosting with enterprise-grade cloud infrastructure
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Role-based access controls with field-level permissions
- Full audit trails showing every access and change
- DSAR support with one-click employee data export
- Configurable retention with scheduled deletion reminders
- Regular backups with tested disaster recovery
- Two-factor authentication for all admin accounts
Protect your employee data with Grove HR.
The Grove Team
Grove HR
The Grove Team writes about HR best practices, compliance, and workplace culture for Grove. Helping UK businesses cultivate thriving teams.