GDPR compliance

GDPR compliance

What is the GDPR

The General Data Protection Regulation, which came into effect on 25 May 2018, made significant changes to how organisations across the EU collect, store and process data.

What are HR’s

HR is the keeper of significant portions of employee personal data. Employers must put in place policies and procedures to ensure employee data is collected, stored and processed in line with the GDPR’s requirements.

How can HR help?

HR software is particularly valuable for organisations that collect and store employee data via insecure paper or Excel-based filing systems, which can often be out of date or at risk of security breaches. Specialist recruitment software can also help employers better manage data belonging to job applicants – which can often be held insecurely, and disjointedly, in email mailboxes or paper records.

GDPR – infographic

View headline findings from our recent GDPR survey

View the Survey results

How is Ciphr securing customers’ data?

As a trusted processor of our customers’ data, Ciphr has always taken steps to ensure that the appropriate technical measures are in place to deliver a secure environment for our solutions. We are always looking to enhance our security measures and have incorporated multiple layers of encryption technologies, protective monitoring and auditing solutions.

Our applications and infrastructure are regularly assessed by both internal and external vulnerability and penetration-testing programs using our internal Certified Ethical Hacker (CEH) resources, as well as through a partnership with several external CREST-accredited penetration testing organisations.

Ciphr’s internal security forum, led by our head of information security, meets regularly to review all the security measures we have in place – including associated policies and procedures – to ensure they are maintained appropriately. The forum also creates and delivers regular training and awareness sessions relating to all areas of information security for all Ciphr employees. All Ciphr employees are also background checked to a minimum of the BS7858 standard.

All our technical measures, policies and procedures are externally audited by the British Standards Institute (BSI) each year to validate our ongoing compliance with the Information Security Management System (ISO27001:2013) framework, which we have maintained since 2014.

To ensure we are fully compliant with the GDPR we have invested in external training to ensure we have certified GDPR practitioners within the security forum. We have also conducted specific audits to confirm our data and documents, including policies and procedures, are compliant with both the ISO27001:2013 framework and the GDPR.

Online HR systems

How Ciphr’s solutions can help HR teams comply with the GDPR

Use our data retention dashboard

Easily delete or anonymise records when their data retention periods expire

Request applicant consent

Ciphr iRecruit makes it simple to request consent from job applicants where you have determined that consent is required

Create GDPR

Restrict access to relevant fields for users with responsibility for GDPR


Document consent against employee records where you have determined that consent is required


Choose to anonymise leavers’ records instead of deleting them, so you retain access to useful metrics while remaining GDPR compliant

Create automatic notifications

Set up auto reminders to re-validate consent where consent is required

Enable self-service access

Comply with subject access requests (SARs) more easily by granting access to data for leavers and current staff, or through a data protection report

Define data
retention periods

Decide when records of leavers will be flagged for deletion or anonymisation

Manage applicants’ data more effectively

Download data, request consent extension, anonymise records and delete data via the dashboard

Implement policy acceptance

Confirm staff have read your GDPR-related policies


We would strongly recommend that you seek your own legal advice if you are unsure about the implications of data protection laws on your business.

The information contained on this website is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice. While we have made every effort to ensure that the information provided on this document is correct and up to date, Ciphr makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied. Ciphr will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information, or from any action or decisions taken as a result of using this information.