Data Protection and Employees: GDPR Employer's Guide

As an employer, you process significant amounts of employee personal data. GDPR applies to all of it. Here's how to stay compliant.

Key GDPR Principles

When processing employee data, you must follow these principles:

1. Lawfulness, Fairness, Transparency

• Have a legal basis for processing
• Be fair in how you use data
• Tell employees what you do with their data

2. Purpose Limitation

• Collect for specified, explicit purposes
• Don't use for incompatible purposes later

3. Data Minimisation

• Only collect what you need
• Don't gather excessive information

4. Accuracy

• Keep data accurate and up to date
• Allow employees to correct errors

5. Storage Limitation

• Don't keep longer than necessary
• Have clear retention periods

6. Integrity and Confidentiality

• Keep data secure
• Protect from unauthorised access

7. Accountability

• Be able to demonstrate compliance
• Document your practices

Legal Bases for Employee Data

Contract Performance

Most employment data processing:

• Paying wages
• Managing absence
• Performance management
• Benefits administration

Legal Obligation

Where law requires it:

• Tax and NI records
• Pension auto-enrolment
• Right to work checks
• Health and safety records

Legitimate Interests

For business needs (balanced against employee rights):

• Internal communications
• Business planning
• Training records
• Some monitoring

Consent

Use sparingly for employees. Consent isn't truly "free" when there's a power imbalance. Avoid relying on consent where another basis applies.

Possible for:

• Optional benefits
• Social events
• Photo consent for marketing

What Data Can You Collect?

At Recruitment

Can Collect	Notes
CV and application	For assessment
Interview notes	Keep factual
References	After offer made
Right to work	Required by law
Health questions	Only after offer, if relevant to role

During Employment

Can Collect	Legal Basis
Personal details	Contract
Pay and benefits	Contract
Absence records	Contract/Legitimate interests
Performance records	Legitimate interests
Training records	Legitimate interests
Disciplinary records	Legitimate interests

Special Category Data

Extra restrictions apply to:

• Health information
• Trade union membership
• Racial or ethnic origin
• Political opinions
• Religious beliefs
• Genetic/biometric data
• Sexual orientation

Only process if:

• Necessary for employment law obligations
• Employee has given explicit consent
• Other specific condition applies

Privacy Notice for Employees

What to Include

Tell employees:

1. Who you are (data controller details)
2. What data you collect
3. Why you collect it (purposes)
4. Legal basis for each purpose
5. Who you share it with
6. How long you keep it
7. Their rights
8. How to complain

When to Provide

• At recruitment (for candidates)
• At onboarding (for new employees)
• When purposes change

How to Provide

• Staff handbook
• Intranet
• Separate privacy notice
• Make it accessible

Subject Access Requests (SARs)

What Employees Can Request

Any employee (or former employee) can request:

• Confirmation you hold their data
• A copy of their personal data
• Information about how it's processed

Your Obligations

Requirement	Detail
Time limit	One month (can extend to 3 for complex)
Format	Electronic if requested electronically
Cost	Free (unless excessive/repetitive)
Identity check	Verify it's really them

What to Provide

• All personal data in your systems
• Emails about them
• Personnel files
• Absence records
• Performance reviews
• Disciplinary records
• Occupational health reports (usually)

What You Can Withhold

• Third party personal data (without consent)
• Legal professional privilege
• Management forecasting (in some cases)
• Confidential references you gave
• Data covered by other exemptions

Handling a SAR

1. Acknowledge within a few days
2. Verify identity if needed
3. Search all systems (including emails, archives)
4. Review and redact third party data
5. Compile response
6. Send within deadline
7. Document what you provided

Data Retention

General Principle

Keep data only as long as necessary for the purpose collected.

Typical Retention Periods

Record Type	Suggested Retention
Recruitment records (unsuccessful)	6-12 months
Personnel files	6 years after leaving
Payroll records	6 years after relevant tax year
Pension records	6 years after benefits end
Health and safety	3 years (longer for serious incidents)
Working time records	2 years
Training records	6 years after leaving
Disciplinary (spent)	Depends on type

Create a Retention Policy

Document:

• What records you keep
• How long you keep them
• When and how you delete them
• Who is responsible

Employee Monitoring

General Rules

You can monitor employees but must:

• Have a legitimate reason
• Be proportionate
• Tell employees (in most cases)
• Balance your needs against privacy
• Document your decision

Types of Monitoring

Email and internet:

• Tell employees it happens
• Explain what you monitor and why
• Access work emails only when necessary

CCTV:

• Display signs
• Only in appropriate areas (not toilets/changing)
• Delete footage when no longer needed

GPS tracking:

• Only for work vehicles during work time
• Tell employees
• Don't track personal use

Call recording:

• Tell employees and callers
• Only if justified (training, quality, evidence)

What You Need

1. Policy explaining monitoring
2. Legitimate purpose
3. Data Protection Impact Assessment (for significant monitoring)
4. Employee notification
5. Proportionate approach

Data Sharing

With Third Parties

You may share employee data with:

• HMRC (legal obligation)
• Pension providers (contract)
• Payroll providers (legitimate interests with contract)
• Occupational health (legitimate interests)

Requirements for Sharing

• Have a legal basis
• Data processing agreement with processors
• Tell employees in privacy notice
• Ensure adequate protection

International Transfers

If sharing outside UK/EEA:

• Ensure adequate protection
• Use standard contractual clauses
• Or other approved mechanism

Data Breaches

What Is a Breach?

Security incident leading to:

• Destruction of personal data
• Loss of personal data
• Alteration of personal data
• Unauthorised disclosure
• Unauthorised access

Examples

• Lost laptop with employee data
• Email sent to wrong person
• Hacking incident
• Paper files in unsecured bin

Your Obligations

Report to ICO within 72 hours if:

• Risk to individuals' rights and freedoms

Notify affected employees if:

• High risk to their rights and freedoms

Always:

• Document the breach
• Investigate
• Take steps to prevent recurrence

Employee Rights

Under GDPR, employees can:

Right	What It Means
Access	See their data (SAR)
Rectification	Correct inaccuracies
Erasure	Delete in some circumstances
Restriction	Limit processing
Portability	Get data in portable format
Object	Object to processing

Responding to Rights Requests

• Respond within one month
• Take them seriously
• Document your response
• Explain if you can't comply

Record Keeping

What to Document

• What data you process
• Why (purposes and legal bases)
• Who you share with
• Retention periods
• Security measures
• Data Protection Impact Assessments

Records of Processing Activities

If you have 250+ employees, you must maintain formal records. Smaller employers should keep records anyway as best practice.

Compliance Checklist

Policies and Notices

• Employee privacy notice
• Data protection policy
• Retention policy
• Monitoring policy
• Data breach procedure

Processes

• SAR handling process
• Secure storage of records
• Deletion process
• Breach response plan

Training

• Staff awareness of data protection
• Manager training on handling requests
• HR training on employee data

Documentation

• Records of processing activities
• Data processing agreements
• Consent records (where used)
• DPIA records