Irish SMEs may be unknowingly breaching GDPR and failing to meet Workplace Relations Commission (WRC) record-keeping requirements due to widespread gaps in how HR documents are stored, accessed, and governed. That is, according to new findings published from the Irish SME HR Report, by Ireland’s leading people management platform, HRLocker.
The report, based on responses from professionals working on HR in organisations employing 20–249 people, reveals that document disorder has become one of the most significant, yet preventable, compliance risks facing Irish businesses.
Two-thirds breach GDPR due to insecure HR data storage
Under Articles 5 and 32 of the EU’s General Data Protection Regulation (GDPR), employers must ensure the integrity, confidentiality, and security of employees’ personal data. Yet 66 per cent of SMEs continue to store HR documents in insecure systems, including general cloud folders (32 per cent), local hard drives (11 per cent), paper files (11 per cent) and email threads (9 per cent).
The Data Protection Commission has already investigated SMEs for similar failures. In a recently published case, an employer mishandled sensitive employment information during a data breach, prompting an official complaint and regulatory intervention. The DPC found that the organisation had not implemented adequate safeguards to protect employee data, providing a clear example of the real?world consequences of poor HR document governance. Under GDPR, failures of this kind can result in administrative fines of up to €10 million or 2 per cent of global turnover, as well as compensation claims from affected employees.
More than half failing to comply with data protection regulations
The report highlights that 59 per cent of SMEs lack accurate, formal version control, risking breaches of GDPR Article 5(1)(d), which requires organisations to maintain accurate and up?to?date employee records. Further, 56 per cent do not have a current retention policy for HR data, despite the GDPR storage limitation principle and obligations under the Data Protection Act 2018. Mid-sized SMEs (50–99 employees) are the least compliant, with over one-third (39 per cent) lacking any retention policy at all.
Without version control or retention schedules, SMEs cannot demonstrate compliance during WRC inspections or GDPR investigations, leaving them exposed to enforcement action, compensation claims, and costly remediation work.
More than one in three risks undermining accountability requirements
There is a clear lack of auditability in the sector, with 26 per cent of SMEs reporting that they do not maintain an audit trail for HR document access and changes. A further 27 per cent are unsure whether one exists, meaning more than one in three lack robust processes.
This lack and uncertainty place organisations at risk of breaching GDPR Articles 24 and 30, which require employers to demonstrate accountability and maintain clear records of processing activities. In the event of a data-access request, breach investigation, or WRC inspection, the absence of an audit trail can lead to immediate compliance failure.
Non-compliance carries real financial and operational consequences
Governance gaps fuelled by document disorder also undermine compliance with core Workplace Relations Commission (WRC) record-keeping obligations, including requirements to maintain accurate, accessible, and up-to-date records on:
Working hours
Annual leave and public holidays
Contracts and terms of employment
Payroll and remuneration
Disciplinary and grievance procedures
Under the Workplace Relations Act 2023, missing audit trails, outdated files, or scattered storage systems can result in fixed-payment notices of up to €2,000 per offence, in addition to compensation awards to employees and orders to rectify records at the employer’s expense. These costs come on top of business disruption during follow-up inspections and reputational damage that undermines employee trust.
A preventable crisis
“The SME community’s commitment to compliance legislation cannot be understated. However, our research shows that many organisations are unintentionally exposing themselves to GDPR breaches, data protection obligations and WRC non-compliance simply because their HR document-management practices haven’t kept pace with modern requirements,” said Crystel Robbins Rynne, CEO of HRLocker.
“Despite SMEs’ best intentions, a lack of resources, adequate management processes, and tech enablement is leading to major implementation issues. These risks carry real financial and operational consequences. But they are entirely preventable. With the right HR systems and governance in place, SMEs can ensure compliance and reduce risk, adding layers of organisational resilience.”
Irish SMEs seeking to understand how to reduce HR document disorder and improve compliance can download HRLocker’s latest whitepaper, The Real Cost of Manual HR for Irish SMEs, at https://www.hrlocker.com/downloads/
See more stories here.
