All articles

Data protection for HR in the United Kingdom

Mellow Editorial·5 min read

Reviewed by Mellow Editorial Team, HR & payroll content team

Employers who handle personal data about workers must comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Failure to do so can result in enforcement action by the Information Commissioner's Office (ICO), including significant fines and reputational damage.

What counts as personal data in an HR context

Personal data is any information that can identify a living individual. In HR, that covers a wide range of material: names, addresses, national insurance numbers, bank details, salary records, performance reviews, disciplinary notes, absence records, and photographs.

Some categories attract stronger protection under UK GDPR. These are called special category data and include health and medical information, racial or ethnic origin, trade union membership, and biometric data. Most employers hold at least some special category data — sickness absence records being the most common example.

The six lawful bases, and which ones HR actually uses

You must have a lawful basis for every processing activity. UK GDPR lists six, but HR teams typically rely on three:

Legitimate interests — useful for background checks and fraud prevention, but you must document a balancing test showing your interests do not override the employee's rights.

Contract — processing a person's bank details to run payroll, or checking right-to-work documents before hiring, both fall here. This is the workhorse basis for routine employment administration.

Legal obligation — HMRC requires you to collect and report payroll data via Real Time Information (RTI), submitting a Full Payment Submission (FPS) on or before each payday. That statutory duty provides a clear lawful basis for holding payroll and tax records.

For special category data you need both a lawful basis and a separate condition under Schedule 1 of the Data Protection Act 2018. Processing health data to manage sickness absence, for example, typically relies on the employment law condition in that Schedule.

Consent is rarely the right basis for employee data. Because of the power imbalance between employer and worker, consent given in an employment context is difficult to show as freely given — meaning it may not hold up if challenged.

Transparency: what you must tell workers

The UK GDPR transparency requirements are among the most practically demanding obligations for HR. You must provide workers with a privacy notice covering:

- what data you collect and why

- the lawful basis for each processing purpose

- how long you retain the data

- whether you share it with third parties (payroll bureaus, pension providers, occupational health services)

- workers' rights, including the right to access, rectify, erase or restrict their data

The notice should be written in plain English and given at the start of employment — ideally as part of onboarding. Burying it in a staff handbook without drawing attention to it is unlikely to satisfy the standard.

Retention periods and the risks of holding too much

UK GDPR has no prescribed retention periods for most employment records. Instead, you set your own periods based on the purpose of processing and document your reasoning. Common practice is shaped by limitation periods under other law — HMRC generally expects payroll records to be kept for at least three years after the relevant tax year; employment tribunal claims can be brought within three months of dismissal (certain claims longer), which influences how long you keep disciplinary and grievance records.

The key risk is holding data indefinitely with no policy in place. A subject access request (SAR) from a former employee can expose this quickly. Workers have the right to receive a copy of all personal data you hold about them within one calendar month of the request, with limited extensions available.

Delete or anonymise data when the retention period expires. A documented retention schedule — even a simple spreadsheet mapping record type to retention period and deletion trigger — is good evidence of compliance if the ICO investigates.

Data security and third-party processors

If you use a payroll provider, pension platform or HR software vendor, UK GDPR requires you to have a written data processing agreement (DPA) in place with each of them. They act as processors on your behalf; you remain the controller and retain responsibility if they mishandle the data.

Practically, that means:

- checking any vendor you share personal data with can meet UK GDPR standards before you sign a contract

- ensuring the DPA is in place, not just referenced in general terms and conditions

- understanding where data is stored — transfers outside the UK require an appropriate safeguard such as an International Data Transfer Agreement (IDTA)

Internal security basics also apply: role-based access controls so only people who need payroll data can see it, audit trails on HR systems, and a documented process for responding to a data breach. Under UK GDPR, you must report certain breaches to the ICO within 72 hours of becoming aware of them, and notify affected individuals without undue delay where there is a high risk to their rights.

The Employment Rights Act 2025 has expanded day-one employment rights in several areas, which means employers are gathering more personal data about workers earlier in the employment relationship — making data minimisation and clear retention policies more important than before.

---

Run HR and payroll in United Kingdom with Mellow

Mellow brings HR, payroll and 12 AI agents into one platform — built to handle United Kingdom properly, with payroll included, from £4 per employee per month. The AI agents don't just answer questions; they generate contracts, run cost estimates and draft letters for you.

- See Mellow pricing

- United Kingdom payroll software

- Compare Mellow with Deel

[Start a free trial →](/register)

UKUnited KingdomGBcompliancerecords

Do more with the team you have

Mellow is AI-native HR & payroll that helps you invest in your people, not just manage headcount — across six countries. No credit card required.

Start free trial →

Related articles