
UK GDPR in employment: what every employer must know

Last verified May 2026 · 3 min read · Source: ICO
TL;DR

UK GDPR applies to all employee data. Employers need a lawful basis, must respect retention limits, respond to subject access requests within one month, and report breaches to the ICO within 72 hours.

UK GDPR (the UK's post-Brexit version of the EU GDPR) governs how employers handle employee personal data. The Information Commissioner's Office (ICO) enforces it.

Lawful basis for processing employee data

Every processing activity needs a lawful basis under Article 6(1):

  • (b) Performance of a contract — pay, holidays, references, benefits.
  • (c) Legal obligation — statutory reporting, NMW records, PAYE, right-to-work checks.
  • (f) Legitimate interests — limited workplace monitoring, IT security.

Consent (Article 6(1)(a)) is rarely appropriate as a basis in employment because of the power imbalance — employees cannot freely refuse.

For special category data (health, racial origin, religious belief, trade union membership), an additional Article 9 basis is required — typically employment, social security or social protection obligations.

Employee monitoring

Employers can monitor employees at work, but must:

  • Tell employees what is monitored and why — usually in an IT and monitoring policy.
  • Have a documented purpose for the monitoring.
  • Conduct a Data Protection Impact Assessment (DPIA) for high-risk monitoring (CCTV, keystroke logging, productivity software).
  • Apply data minimisation — only collect what is necessary.

Covert monitoring is permitted only in narrow circumstances (suspected criminal activity) and should be time-limited.

Retention periods

There is no single statutory retention period for employment records. ICO guidance and standard practice:

  • Personnel files: during employment + 6 years (or 7 in some sectors).
  • Payroll records: 6 years (PAYE) / 3 years (NMW evidence — 6 years is safer).
  • Disciplinary records: as long as the warning remains live, plus a defensible period. Once an expired warning's purpose is served, it should be reviewed for deletion.
  • Right-to-work documents: 2 years after employment ends.
  • Health and safety records: 3 years minimum (40+ years for hazardous-substance exposure).
  • Pension records: while the pension is in payment.

Keeping data longer than necessary breaches the storage limitation principle.

Subject Access Requests (SAR)

Any individual can request access to all personal data held about them. The employee must be given:

  • A copy of the data in a commonly used format.
  • Information about how the data is used.
  • The categories of recipients.
  • The retention period.
  • Their rights (rectification, erasure, etc.).

Timescale: respond within one month (can be extended by two further months for complex requests, with explanation).

Fee: generally none, unless the request is manifestly unfounded or excessive.

Data breaches

Personal data breaches likely to result in a risk to rights and freedoms must be reported to the ICO within 72 hours of becoming aware. High-risk breaches must also be communicated to affected individuals without undue delay.

A breach includes:

  • Unauthorised access (a hacked email account, a lost laptop).
  • Accidental disclosure (sending the wrong file to the wrong recipient).
  • Loss of availability (a ransomware attack).

ERA 2025 considerations

The ERA 2025 does not directly amend UK GDPR, but the increased use of HR data (probation tracking, ERA timeline monitoring, statutory rate tracking) means employers should review their data flows and retention practices.

Official source: ICO — Employment Practices Code.

Primary source

This article is verified against guidance published by ICO.

This article is reference content, not legal advice. UK employment law changes frequently; while we verify articles regularly against the named source, you should always check the current position with a qualified employment solicitor for any specific decision. Complyer Editorial Team · Updated May 2026.