All articles
Compliance Global

GDPR and HR Data: What UK Employers Must Do

Mellow HR Team·1 min read

HR functions handle some of the most sensitive personal data in a business: medical records, disciplinary histories, bank details, performance reviews, immigration documents. GDPR and the UK Data Protection Act 2018 impose specific obligations on how this data is collected, stored, and used.

The legal basis for processing HR data is typically either contractual necessity (data you need to fulfil the employment contract) or legitimate interests (data you have a genuine business reason to hold). Special category data — health, ethnicity, religion, trade union membership — requires a higher standard: explicit consent or another specific legal basis, plus a Data Protection Impact Assessment if the processing is high-risk.

Employees have the right to see their own data via a Subject Access Request (SAR). You must respond within one month. They can also request deletion of data that is no longer necessary — though this right is limited where you have legal retention obligations (payroll records must be kept for at least three years, for example). Mellow's data store logs when data was collected and why. Retention periods are configurable. SAR responses are produced from the export function, not from pulling data manually out of multiple systems.

GDPRHR datadata protectionICOsubject access request

Do more with the team you have

Mellow is AI-native HR & payroll that helps you invest in your people, not just manage headcount — across six countries. No credit card required.

Start free trial →

Related articles