Survey points to insecure data storage and missing audit trails as key vulnerabilities for employers.
Irish SME businesses are facing significant and avoidable compliance risks as outdated HR document practices leave many exposed to breaches of data protection law and Workplace Relations Commission rules.
Findings from the HRLocker’s Irish SME HR Report show that gaps in how HR files are stored and governed have become a major pressure point for employers with between 20 and 249 staff. The study highlights that many businesses believe they are operating compliantly, yet the systems they use fall short of what regulators expect.
“Organisations are unintentionally exposing themselves to GDPR breaches, data protection obligations and WRC non-compliance simply because their HR document management practices have not kept pace with requirements”
The report identifies data security as one of the most pressing concerns. Two thirds of respondents still store HR files in unprotected locations such as general cloud drives, local hard disks, paper folders or email chains. Under Articles 5 and 32 of the EU’s General Data Protection Regulation, employers must ensure that employee information is secure and handled in a controlled way.
The cost of failure
HRLocker pointed to a recent Data Protection Commission case where an employer was found to have mishandled sensitive staff information during a breach. The regulator concluded that safeguards were insufficient, prompting an intervention that the company was required to address. Failures of this kind can carry potential fines of up to €10m or 2% of global turnover.
The study also highlights issues with accuracy and data lifecycle management. More than half of SMEs surveyed lack formal version control for HR documentation, putting them at risk of breaching GDPR rules requiring records to be current and correct.
A further 56% do not have a retention policy, despite legal obligations to dispose of information once it is no longer required. Mid-sized SMEs are the least prepared, with 39% reporting no policy at all.
Auditability is another concern. One in four organisations say they do not maintain a record of who has accessed or updated HR files. A further 27% are unsure if such a trail exists. The absence of clear logs can place employers in breach of GDPR accountability requirements and can complicate responses to data access requests or regulatory inspections.
Weak document controls also present problems for meeting Workplace Relations Commission obligations. Employers are required to keep accurate and accessible records of working hours, annual leave, contracts, pay and disciplinary processes.
Under the Workplace Relations Act 2023, failure to produce these records can trigger fixed payment notices of up to 2,000 euro per offence, along with orders to put systems in order and potential compensation to affected employees.
Crystel Robbins Rynne, chief executive of HRLocker, said many employers are committed to compliance but lack the tools and processes needed to meet modern standards.
“Our research shows that organisations are unintentionally exposing themselves to GDPR breaches, data protection obligations and WRC non-compliance simply because their HR document management practices have not kept pace with requirements,” she said.
“These risks carry real financial and operational consequences. With the right systems and governance in place, SMEs can ensure compliance and reduce risk, adding layers of organisational resilience.”
-
Bank of Ireland is welcoming new customers every day – funding investments, working capital and expansions across multiple sectors. To learn more, click here
-
For support in challenging times, click here
-
Listen to the ThinkBusiness Podcast for business insights and inspiration. Latest episodes here. You can also listen to the Podcast on:
-
Spotify
-
SoundCloud
-
Apple
