
UK GDPR and Employee Data: Complete Employer Compliance Guide

How to handle employee personal data under UK GDPR. Covers lawful basis, privacy notices, subject access requests, data breaches, retention periods, and ICO enforcement.

27 March 2026, 11 min read

Every piece of employee data you hold — from payroll records and performance reviews to sickness absence notes and CCTV footage — is regulated by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Non-compliance carries fines of up to £17.5 million or 4% of annual global turnover, whichever is higher. But beyond the headline penalties, the most common impact of poor data protection is the cost and disruption of handling subject access requests and the reputational damage of a data breach.

This guide covers the data protection obligations that apply specifically to the employment context, with practical steps for compliance.

UK GDPR (the retained EU GDPR, as amended by the Data Protection Act 2018) sets the rules for processing personal data. The Information Commissioner's Office (ICO) is the regulator responsible for enforcement.

As an employer, you are the "data controller" for your employees' personal data — you determine the purposes and means of processing. This brings a comprehensive set of obligations.

Small business exemption?

There is no general exemption for small businesses under UK GDPR. The rules apply to every employer regardless of size. However, the ICO takes a proportionate approach to enforcement, and the practical steps required scale with the size and complexity of your data processing.

What counts as employee data

Employee data covers far more than you might expect. It includes everything from the obvious — names, addresses, payroll records, bank details — to the less obvious but equally regulated, such as performance reviews, sickness absence notes, and CCTV footage.

Special category data

Certain types of data receive extra protection under UK GDPR. In the employment context, the most common special category data is health information (sickness records, occupational health reports), trade union membership, racial or ethnic origin (diversity monitoring), and criminal conviction data (DBS checks).

Processing special category data requires both a lawful basis under Article 6 and a separate condition under Article 9. For most employment purposes, this is typically the employment condition (Article 9(2)(b)) — processing is necessary for the purposes of carrying out obligations and exercising specific rights in employment law.

Lawful basis for processing

Every instance of processing employee data must have a lawful basis. The six bases under Article 6 of UK GDPR are:

  1. Consent — the individual has given clear consent
  2. Contract — processing is necessary for the employment contract
  3. Legal obligation — processing is necessary to comply with the law
  4. Vital interests — processing is necessary to protect someone's life
  5. Public task — processing is necessary for a task in the public interest
  6. Legitimate interests — processing is necessary for your legitimate interests, balanced against the individual's rights

Which basis for which purpose?

Consent is rarely appropriate

Consent is generally not suitable as a lawful basis for processing employee data because of the power imbalance in the employment relationship. An employee may feel pressured to consent and unable to freely refuse. Use consent only for genuinely optional processing (such as voluntary diversity surveys) where refusal carries no consequences.

Privacy notices for employees

You must provide employees with a privacy notice explaining how their data will be processed. This should be provided at the start of employment (include it in your onboarding pack alongside the employment contract).

What the privacy notice must include

The notice must cover:

  1. The identity and contact details of the data controller (your organisation)
  2. The contact details of your Data Protection Officer (if you have one)
  3. The purposes of processing and the lawful basis for each
  4. The categories of personal data you hold
  5. Who you share data with (HMRC, pension providers, payroll processors, etc.)
  6. How long you retain data
  7. The employee's rights (access, rectification, erasure, portability, etc.)
  8. The right to lodge a complaint with the ICO
  9. Whether data will be transferred outside the UK

Keep it readable

The ICO expects privacy notices to be concise, transparent, and written in plain language. A 20-page legal document defeats the purpose. Use a layered approach — a short summary with links or references to more detailed information for each area.

Subject access requests (SARs)

Employees (and former employees) have the right to request a copy of all personal data you hold about them. This is called a subject access request, and it is one of the most practically significant data protection rights in the employment context.

Handling a SAR

You must respond to a SAR within one calendar month of receiving it. The clock starts when you receive the request — you cannot delay by asking for "clarification" unless the request is genuinely unclear.

Steps to handle a SAR:

  1. Log the request and note the deadline
  2. Search all systems — email, HR software, paper files, managers' notes, shared drives. The search must be thorough; overlooking documents is a common failing
  3. Review for exemptions — you can withhold data covered by legal professional privilege, data that would reveal information about another identifiable person (unless they consent or it is reasonable to disclose without consent), and references given in confidence (but not references you received about the employee)
  4. Redact third-party data where disclosure is not appropriate
  5. Provide the data in a commonly used electronic format, with a covering letter explaining the search conducted and any exemptions applied

SARs during disputes

Employees frequently submit SARs during disciplinary processes, grievances, or in preparation for tribunal claims. The SAR must be handled normally regardless of the context — you cannot delay or narrow the search because the employee is in a dispute with you. Treating a SAR differently because of a dispute is itself a data protection breach.

Cost and refusal

SARs are free of charge. You can charge a reasonable fee or refuse to comply only if the request is manifestly unfounded or excessive — a high bar that is rarely met. If you refuse, you must explain your reasons and inform the employee of their right to complain to the ICO.


Data breaches

A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data. Common examples in the employment context include emailing payroll information to the wrong person, losing an unencrypted laptop containing HR records, a cyber attack on your HR system, and leaving personnel files in an unsecured location.

Breach notification

If a breach is likely to result in a risk to individuals' rights and freedoms, you must notify the ICO within 72 hours of becoming aware of it. If the breach is likely to result in a high risk, you must also notify the affected individuals without undue delay.

Breach response steps

  1. Contain the breach immediately — recover documents, revoke access, change passwords
  2. Assess the risk — what data was compromised, how many people are affected, what is the likely harm?
  3. Notify the ICO within 72 hours if the risk threshold is met
  4. Notify affected individuals if the high-risk threshold is met
  5. Document the breach, your assessment, and the actions taken — even if you decide notification is not required

Have a breach plan

Do not wait for a breach to happen before deciding how to respond. Create a simple breach response plan now, designate who is responsible for each step, and make sure your staff know how to report a potential breach internally.

Data retention

You must not keep personal data for longer than necessary for the purpose it was collected. This requires a data retention policy that specifies how long you keep each category of data and when it is securely deleted.

After the retention period expires, securely delete or destroy the data. For electronic records, this means permanent deletion (not just moving to a recycle bin). For paper records, it means shredding.

Workplace monitoring

Monitoring employees — whether through email surveillance, CCTV, internet usage logging, or GPS tracking — is lawful under certain conditions but must comply with UK GDPR principles.

Requirements for lawful monitoring

You must:

  1. Have a legitimate purpose (such as preventing fraud, protecting confidential information, or ensuring compliance)
  2. Conduct a data protection impact assessment (DPIA) if the monitoring is likely to result in a high risk to individuals
  3. Inform employees that monitoring takes place (through a clear monitoring policy and your privacy notice)
  4. Process only the minimum data necessary
  5. Regularly review whether the monitoring is still necessary and proportionate

Covert monitoring (without the employee's knowledge) is only permissible in exceptional circumstances — typically where there is a reasonable suspicion of criminal activity and informing the employee would prejudice the investigation. Even then, it must be time-limited, targeted, and authorised at senior level.

International data transfers

If you use cloud-based HR software, payroll providers, or other processors based outside the UK, you may be transferring employee data internationally. Transfers to countries without an adequate level of data protection require additional safeguards such as standard contractual clauses (SCCs) or binding corporate rules.

Check where your HR and payroll systems store and process data. If any processing occurs outside the UK, ensure appropriate transfer mechanisms are in place.


Key takeaways

UK GDPR compliance is not a one-off exercise — it requires ongoing attention to how you collect, use, store, and delete employee data. Start with a clear privacy notice, establish the correct lawful basis for each type of processing, have a process for handling subject access requests within the one-month deadline, and implement a data retention schedule. Ensure your payroll data processing (including PAYE RTI submissions) is secure, and train all managers who handle employee data on their responsibilities.

The ICO provides detailed guidance specifically for employers on its website, and investing time in compliance now is far cheaper than dealing with an investigation or data breach later.
