GDPR for employers: handling employee data correctly
Under UK GDPR, employers are data controllers in respect of their employees' personal data. This is not a technicality — it means you have specific legal obligations about what data you collect, why, how long you keep it, how you protect it, and what you do when employees exercise their rights. Employment data is some of the most sensitive a business handles, and the regulatory consequences of getting it wrong are significant.
The lawful basis for processing employee data varies by purpose. For the main employment relationship — running payroll, maintaining personnel files, administering leave — the lawful basis is typically "contract" (necessary for the performance of the employment contract) or "legal obligation" (required to comply with legal requirements such as PAYE and right to work checks). For optional benefits or communications, consent may be needed.
Special category data requires a higher standard. Health data, disability information, data about religious belief, trade union membership, and certain criminal conviction data are all special categories. Processing special category data requires both a UK GDPR lawful basis and an additional condition from Schedule 1 of the Data Protection Act 2018. For employers, the most commonly relied-upon Schedule 1 condition is employment law — processing necessary for employment purposes under the DPA.
Retention periods must be documented. How long do you keep a job application from someone who was not appointed? ACAS recommends six months. How long do you keep disciplinary records? Typically one to three years after the sanction expires, depending on severity. How long do payroll records need to be kept? HMRC requires payroll records for three years after the end of the tax year to which they relate; pension auto-enrolment records must be kept for six years. Right to work documents must be retained for two years after employment ends.
Data subject access requests from employees are one of the most common GDPR obligations employers face. An employee can request a copy of all personal data you hold about them. You have one month to respond (extendable to three months for complex requests). You must provide the data, explain the purpose and retention period, and identify any third parties with whom it has been shared. See our dedicated guide on data subject access requests from employees.
Data transfers to HMRC, pension providers, and insurers are routine and lawful under the employment contract basis. Data transfers to third-party payroll bureaux or HR outsourcers require a data processing agreement (DPA) — the bureau is acting as a data processor on your behalf.
Data breaches involving employee data must be considered for notification to the ICO. A breach is reportable where it is likely to result in a risk to the rights and freedoms of the individuals affected. A payslip sent to the wrong person, a spreadsheet with salary data accidentally emailed externally, or a personnel file accessed without authorisation — these are all potential reportable breaches.
See our right to work checks guide for how right to work data is stored, and HR policies guide for what data protection policies are required.
Mellow stores employee data securely with role-based access controls, handles data subject access requests, and provides GDPR-compliant data retention settings. [See Mellow pricing →](https://mellowhr.com/pricing)