The HR and people leader's guide to GDPR

Find out with our essential 6-step checklist.


Still getting your head around GDPR? We've pulled together everything you need to know, so HR and People teams have all the essential resources they need.


What is the GDPR?

The General Data Protection Regulation ('GDPR') is due to come into effect on May 25, 2018. The GDPR sets out new responsibilities businesses have in relation to the personal data they collect, hold and process.


The HR challenge

Employees generate a large amount of personal data that HR must collect, store and manage. As the employer and data controller it’s your responsibility to determine the purposes of your employee data in line with the GDPR.


Who does the GDPR apply to?

The new regulation sets out minimum requirements and applies not only to organizations located within the EU, but also to organizations that process data in relation to EU data subjects.

Key GDPR considerations for HR and People teams

As the date of the GDPR approaches, it’s time for HR and People teams to look closely at how they manage their employee data processing. Here are some of the key considerations for you, as the employer and data controller, to think about.


Right to be forgotten

Employees can request that their personal data be deleted in certain circumstances. This right requires you to ensure the irretrievable removal of deleted data.


Portability of data

Employees can obtain a copy of their personal data in a structured, commonly used and machine-readable format for their own purposes.


Restriction of processing

Employees can request that there be a restriction placed on the processing of their personal data. You are permitted to store the personal data, but no longer process it.


Consent management

Consent should be freely given, and needs to be specific, informed and unambiguous. You need to gain explicit consent from employees for the use of their personal data.

6 steps to GDPR-readiness

HR and People teams will need to thoroughly review how they manage employee data and requests. We’ve identified six key steps to help prepare your HR and People teams for GDPR before May 25.


How Sage Business Cloud People can help HR and People teams

We are committed to our customers' success, including GDPR readiness. Learn how our HR and People system can keep data secure while making processes more efficient.


Tailor communications

Send tailored communications and privacy notices to keep your employees informed.


Manage processes efficiently

Manage consent and data requests easily with automated workflows and processes.


Employee self‑service

Allow employees to access and update their data via a self-service portal.


Retain and export data

Easily identify and export personal data so that employees can take their information with them.


Data anonymization and deletion

Systematically flag data that needs to be either deleted or anonymized.


Keep data secure

Protect data with configurable user access permissions, on a system built on the Salesforce App Cloud, the world's most trusted cloud platform.

The Sage Business Cloud People system helps you improve workforce visibility by automating people processes and enabling data reporting and analytics.


Frequently asked questions

These FAQs set out some questions commonly asked by Sage Business Cloud People’s clients and our responses.

What types of data do you store?

That’s up to you. Obviously, you will store the information you require on your potential, current and former employees. You have access to a fully customizable set of information fields that can be tailored to ensure you collect only the minimum data necessary for your purposes, but still ensure the data is complete, adequate and accurate for your needs. Providing user self-service portals reduces your administrative overhead by allowing individuals to enter and update their own data.


Where is my data stored?

We use the Salesforce platform to host your data. Our partner operates a highly resilient cloud infrastructure that we have built the Sage Business Cloud People system upon. The infrastructure can be configured to be hosted locally within Europe or globally.


Does my data move internationally?

Where global requirements are in place it is the company’s obligation to notify EU citizens of transfer outside of the EU and ensure adequacy measures are in place. The Salesforce platform operates mechanisms such as Privacy Shield and BCRs to legitimize international transfers and we are proud to hold TRUSTe’s Privacy Seal. Sage legal has introduced a suite of inter-company Global Data Processing and Transfer Agreements, which incorporate the requirements of the GDPR and include the use of the EC Standard Contractual Clauses for transfers of data outside the EEA. These agreements facilitate the secure movement of personal data around the Sage group of companies whilst ensuring that all processing activities comply with the GDPR.


How can your system assist my GDPR compliance?

We appreciate that you are the Data Controller and we are a Data Processor, and therefore we have undergone a program to make sure that our contracts reflect our obligations to you and reflect all the GDPR requirements that apply to processors. Beyond that we have performed Product Privacy Impact Assessments to identify opportunities where we can introduce functionality that makes your job as the data controller easier, and have designed a product that enables appropriate privacy by design and default.


How does the system help me to inform my users?

The organization can provide internal communications and access to policies and procedures in order to display privacy policies and fair processing notices to individuals who have their data held.


What if individuals put in requests for their rights, such as subject access?

You, as the controller, will receive and process all requests; however, we can make this easier for you. The product features a self-service interface which ensures that users have access to their own data, and users can access and update their own information as required. In addition, the reporting capabilities can be used to retrieve more comprehensive reports in the event of a formal access request. Data can be managed at a granular level in the event of a rectification or erasure request.


Who do you disclose data to?

That’s up to you. Data from the hub network feeds into an export interface called the Sage People Payflow, a cloud-based system that provides feeds into external systems, such as benefits partners and payroll providers. Access and integration to personal data is controlled entirely by choices made by the business.


How long do you keep data?

Personal data may be retained for the duration of the business relationship, and retained or removed as required by law. Granular control of retention and deletion is available, where you wish to create policies to control the retention and deletion of data for each item. Sage Business Cloud People has further information available on how long it retains data including back-up and recovery information, available on request.


How is my data kept securely?

We operate appropriate security including combinations of physical, organizational and technical controls. The model is for all information to be hosted by the Salesforce platform in a self-contained, access-controlled, virtually separated ‘org’. All access requests are separated with clear role-based access, and transactions are accompanied by an “org ID” that prevents access to other companies’ information. Find out more information on the Salesforce platform security measures and certifications at


What is the wider Sage brand doing?

Sage has a project team, endorsed by the Sage Board, that is focusing on the implementation of GDPR. In addition, Sage has robust governance procedures in place to manage the implementation of GDPR, including a Data Governance Committee comprising many key stakeholders, to ensure all areas of our business will be ready for GDPR from the date of enforcement in May 2018. Learn more about Sage GDPR preparations. For more information see


What if it all goes wrong and there is a security breach?

In the unlikely event of a breach, Sage has established a global incident reporting policy and supplementary procedures, supported by Sage's risk team, enabling consistent rating and internal escalation (as required) of incidents, including those which may involve personal data.


Where can I go for more information?

More information on the GDPR can be obtained from:

The text of the GDPR:

The UK’s regulator, the Information Commissioner:

The EU guidance from the Article 29 Working Party:


Take a look at our full list of frequently asked questions about the incoming GDPR.



Read through more of our GDPR resources

Here you’ll find a range of resources with more information to help you on your way to being GDPR ready.

6 steps to GDPR-readiness

Learn more about what GDPR means for HR in this helpful eBook, 6 steps to GDPR readiness.


8 things HR can do to be GDPR ready


On-demand webinar

As gatekeepers and processors of personal employee data, HR and People teams have a critical role to play in the lead up to the new data protection regulations.


Sage disclaimer

The information contained in this webpage is for general guidance purposes only. It should not be taken for, nor is it intended as, legal advice. We would like to stress that there is no substitute for customers and prospects making their own detailed investigations or seeking their own legal advice if they are unsure about the implications of the GDPR on their businesses.

While we have made every effort to ensure that the information provided on this website is correct and up to date, Sage makes no promises as to completeness or accuracy and the information is delivered on an “as is” basis without any warranties, express or implied. Sage will not accept any liability for errors or omissions and will not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of or reliance on this information or from any action or decisions taken as a result of using this information.
