GDPR and HR Data: What UK Employers Must Do
HR functions handle some of the most sensitive personal data in a business: medical records, disciplinary histories, bank details, performance reviews, immigration documents. GDPR and the UK Data Protection Act 2018 impose specific obligations on how this data is collected, stored, and used.
The legal basis for processing HR data is typically either contractual necessity (data you need to fulfil the employment contract) or legitimate interests (data you have a genuine business reason to hold). Special category data — health, ethnicity, religion, trade union membership — requires a higher standard: explicit consent or another specific legal basis, plus a Data Protection Impact Assessment if the processing is high-risk.
Employees have the right to see their own data via a Subject Access Request (SAR). You must respond within one month. They can also request deletion of data that is no longer necessary — though this right is limited where you have legal retention obligations (payroll records must be kept for at least three years, for example). Mellow's data store logs when data was collected and why. Retention periods are configurable. SAR responses are produced from the export function, not from pulling data manually out of multiple systems.