UK GDPR for HR and employers

Updated April 2026 · UK GDPR · DPA 2018 · ICO aligned

Every employer processes employee personal data subject to UK GDPR — from recruitment through to post-employment records. Payroll, sickness, performance management, right-to-work checks, and disciplinary records all require a documented lawful basis, appropriate transparency, and careful handling of data subject rights requests from current and former staff.

How to read this guide. This guide explains statutory requirements and regulatory expectations derived from UK GDPR, DPA 2018, and ICO published guidance. It does not determine compliance in any specific case. Where we write “UK GDPR requires” we cite statute. Where we write “the ICO expects” or “the ICO has indicated” we cite regulatory guidance, which is not identical to a statutory obligation. Both matter — but they are different things.

Processing employee data

The most common lawful bases for processing employee data are contract (Article 6(1)(b)), processing necessary to perform the employment contract, and legal obligation (Article 6(1)(c)), processing required by employment law or HMRC rules. Consent is rarely appropriate in the employment context because the power imbalance between employer and employee means consent is unlikely to be freely given. Legitimate interests may apply to some processing, but the balancing test must be carried out and documented.

Source: UK GDPR Articles 6, 9; DPA 2018 Schedule 1; ICO employment practices guidance

Health and sickness data

Health data is special category data under Article 9. Processing sickness records, occupational health reports, and medical certificates requires both an Article 6 lawful basis and a separate Article 9 condition. The most relevant conditions for employers are employment and social protection obligations (Article 9(2)(b)) and preventive or occupational medicine (Article 9(2)(h)). Both the Article 6 basis and the Article 9 condition must be documented separately in the record of processing activities (ROPA).

Employee privacy notice

Every employer must provide employees with a privacy notice covering all processing activities, including payroll, performance management, CCTV, health data, and third-party disclosures. This must be provided before or at the start of employment. A customer-facing privacy notice does not satisfy this obligation. The notice must be updated when processing activities change materially.

Workplace monitoring

Monitoring employee communications (email, internet usage, call recording) is processing of personal data and requires a lawful basis, typically legitimate interests. Employees must be informed that monitoring is taking place; covert monitoring is permitted only in exceptional circumstances, such as a criminal investigation. The monitoring policy must be documented and the monitoring itself proportionate to its stated purpose.

SARs from employees

Employees have the same right of access as any data subject. Employee SARs frequently include performance reviews, disciplinary records, grievance files, and management emails. The one-month response deadline applies. Legal professional privilege may cover privileged legal advice obtained during a disciplinary process. A dated log of every employee SAR, the response, and any exemptions applied is essential.

Record this. Employee SARs, disciplinary processes, and employment tribunal proceedings all generate demand for documented evidence of how employee data was processed. Keep the employee privacy notice dated and version-controlled. A complete, dated evidence record is your primary protection in an ICO investigation triggered by a current or former employee.

Not legal advice. This guide is derived from UK GDPR (Data Protection Act 2018 / DUAA 2025) and ICO published guidance as at April 2026. Obligations are subject to change. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.