Ensuring compliance with data protection law is now a core HR governance function. HR departments process large volumes of highly sensitive personal data throughout the employee lifecycle, from recruitment and onboarding to performance management, absence handling and termination. That exposure creates regulatory risk under the UK GDPR and the Data Protection Act 2018 (DPA 2018), alongside potential employment tribunal and reputational consequences.
This guide provides a structured 2026 authority overview of GDPR for HR, explaining the legal framework, lawful bases for employee data processing, special category data rules, employee rights, monitoring obligations and breach response requirements. It is written for UK employers seeking to embed defensible, documented and risk-aware HR data practices.
What this article is about:
A comprehensive employer-focused explanation of how UK GDPR applies to HR functions, including high-risk areas such as sickness records, criminal background checks, AI-driven recruitment tools and employee monitoring, with clear guidance on lawful processing and accountability.
Section A: Legal Framework Governing GDPR for HR
HR compliance begins with a clear understanding of the statutory framework. Data protection obligations are not optional administrative policies. They are binding legal duties enforceable by the Information Commissioner’s Office (ICO), with substantial financial and operational consequences for breach.
1. UK GDPR and the Data Protection Act 2018
In the UK, data protection law is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
The UK GDPR sets out the core rules on lawful processing, data subject rights and organisational accountability. The DPA 2018 supplements the UK GDPR by providing additional conditions, exemptions and enforcement provisions, including rules concerning employment data and criminal records information.
The ICO is the UK’s independent supervisory authority responsible for enforcing data protection law. It has powers to issue enforcement notices, conduct investigations and audits, and impose administrative fines. For serious breaches, fines can be up to £17.5 million or 4% of global annual turnover, whichever is higher.
For employers, enforcement risk is not theoretical. HR records frequently contain health information, disciplinary findings, diversity data and background checks. Mishandling such data can trigger regulatory investigation as well as compensation claims under Article 82 UK GDPR; section 168 DPA 2018 confirms that such claims cover non-material damage, including distress. There can also be criminal exposure in extreme cases, for example under section 170 DPA 2018 where personal data is knowingly or recklessly obtained or disclosed without the consent of the controller, as might happen when an employee copies personnel records before leaving.
Section summary: HR teams must treat UK GDPR compliance as a legal governance requirement supported by the DPA 2018 and subject to ICO oversight, not as a discretionary policy choice.
2. The Data Protection Principles (Article 5 UK GDPR)
All HR data processing must comply with the seven core principles in Article 5 UK GDPR:
- Lawfulness, fairness and transparency – processing must have a lawful basis and be carried out in a way that individuals would reasonably expect.
- Purpose limitation – data must be collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
- Data minimisation – only data that is adequate, relevant and limited to what is necessary may be processed.
- Accuracy – personal data must be accurate and kept up to date.
- Storage limitation – data must not be kept longer than necessary for the purposes for which it was processed.
- Integrity and confidentiality – appropriate technical and organisational measures must protect personal data against unauthorised or unlawful processing, loss or damage.
- Accountability – the organisation must be able to demonstrate compliance with all of the above principles.
For HR functions, the accountability principle is particularly significant. It requires documented policies, retention schedules, records of processing activities and evidence of decision-making where balancing tests are relied upon.
Section summary: The Article 5 principles form the backbone of GDPR for HR. Compliance is not limited to having policies in place. It requires demonstrable and documented adherence across the employee lifecycle, including recruitment stages governed by wider recruitment law obligations.
3. The Employer as Data Controller
In most employment relationships, the employer acts as the data controller. This means the employer determines why personal data is processed and how personal data is processed, including decisions tied to the employment contract and wider workforce governance.
Payroll providers, occupational health providers and HR software platforms will typically act as data processors, processing data on behalf of the employer under a written contract.
Article 28 UK GDPR requires that processor contracts include mandatory clauses governing confidentiality, security, sub-processing and assistance with data subject rights. HR departments should ensure that contracts with outsourced providers reflect these statutory requirements and that practical workflows are in place to support SAR handling, breach response and secure deletion.
Importantly, responsibility for compliance remains with the employer as controller. Liability cannot be outsourced. This is particularly important where HR processes equality and recruitment data, because poor controls can intersect with other legal risks such as recruitment discrimination allegations and the handling of sensitive evidence.
Section summary: Employers are legally responsible for HR data processing decisions, even where third-party service providers are involved. Controller accountability is central to GDPR for HR.
Section B: Lawful Processing of Employee Data
Lawful processing is the foundation of GDPR for HR. Every item of personal data held within an HR function should be supported by a clearly identified lawful basis under Article 6 UK GDPR. Where special category data is involved, an additional Article 9 condition must also apply, and in some cases a supporting Appropriate Policy Document under the Data Protection Act 2018. Failure to identify and document these bases increases regulatory exposure and weakens the employer’s position if challenged by the ICO or in the context of employment disputes.
1. Article 6 lawful bases in the employment context
HR departments most commonly rely on contractual necessity, legal obligation and legitimate interests. Consent exists as a lawful basis, but in employment relationships it will rarely be appropriate due to the imbalance of power between employer and employee.
Contractual necessity
Processing is lawful where it is objectively necessary for the performance of a contract with the employee, or to take steps at the request of the individual before entering into a contract. In practice, this can include processing needed to administer pay, benefits, working time, contractual policies, and other workforce arrangements linked to the employment relationship. The necessity test is strict. Processing must be genuinely required to perform the contract. It is not enough that processing is convenient or that it supports a preferred management approach.
Legal obligation
Employers frequently rely on legal obligation where processing is necessary to comply with statutory duties. For example, HR may need to process employee data to administer statutory sick pay, comply with HMRC reporting requirements, meet health and safety record keeping duties, or satisfy immigration and right to work compliance. The obligation must arise under UK law. Internal policy requirements do not qualify as a legal obligation for UK GDPR purposes.
Legitimate interests
Legitimate interests may apply where the employer has a genuine business reason for processing that is not overridden by the employee’s rights and freedoms. This basis is often relevant to HR governance and operational controls, including security monitoring, fraud prevention, workforce planning and certain analytics. Employers relying on legitimate interests should document a Legitimate Interests Assessment (LIA) applying:
- a purpose test (what is the legitimate interest)
- a necessity test (is the processing necessary for that purpose)
- a balancing test (do the individual’s rights override the employer’s interest)
Transparency is central. Where legitimate interests are relied on, the employer should be able to show why the processing is necessary and proportionate, and how impacts on employees have been mitigated.
Consent
Consent can be used where the individual has real choice and can refuse without detriment. In employment, consent is often invalid because it may not be freely given. HR teams should therefore avoid relying on consent for routine HR processing. Where consent is used, it should be specific, informed and capable of withdrawal without negative consequences for the employee.
Section summary: HR functions should identify and document the correct Article 6 lawful basis for each processing activity. Contract, legal obligation and legitimate interests are most commonly relied upon. Consent is usually unsuitable in employment settings.
2. Special category data, Article 9 conditions and Appropriate Policy Documents
HR departments routinely process special category data, including health information, racial or ethnic origin, religious beliefs, trade union membership, sexual orientation and biometric data. Special category data requires:
- an Article 6 lawful basis for processing
- an Article 9 condition permitting special category processing
In employment contexts, the most common Article 9 condition is Article 9(2)(b), where processing is necessary for carrying out obligations and exercising specific rights in the field of employment, social security and social protection law. In the UK this condition can only be relied on where the processing also meets the condition in Schedule 1, Part 1, paragraph 1 of the DPA 2018, which itself requires the controller to have an Appropriate Policy Document in place when the processing is carried out. The condition is often relevant to HR handling of sickness records, medical adjustments, occupational health referrals and absence management processes, including documentation supporting a sickness policy and day-to-day sickness absence management.
An Appropriate Policy Document (APD) is also required for most of the substantial public interest conditions in Schedule 1, Part 2 of the DPA 2018. An APD should explain which Schedule 1 condition is relied on, describe how the organisation complies with the data protection principles, set out retention and erasure policies, and be retained and kept under review so it can be produced to the ICO on request. HR teams should ensure they know when APD requirements apply, particularly for higher-risk special category processing.
Criminal records and criminal conviction data require additional safeguards under Article 10 UK GDPR and must be processed only where authorised by UK law. HR teams should ensure that background checks, vetting and related decision-making are handled under a clear lawful basis, with access tightly controlled and retention limited to what is necessary.
Section summary: When HR processes health, diversity or criminal records data, it must identify both an Article 6 lawful basis and an Article 9 condition, supported by documented safeguards. Where the employment condition or a substantial public interest condition in Schedule 1 DPA 2018 is relied on, HR should ensure an Appropriate Policy Document is in place.
3. Data minimisation, retention and defensible HR record keeping
UK GDPR requires HR to limit what it collects and to retain data only for as long as necessary. This has practical consequences across the employee lifecycle.
Data minimisation means HR should avoid collecting data “just in case”. At recruitment stage this can include limiting the volume of notes retained, controlling access to interview documentation and ensuring sensitive information is not recorded unnecessarily. Across employment, it means limiting access to personnel records, restricting distribution of disciplinary and medical information, and ensuring HR systems are configured to support confidentiality.
Storage limitation requires clear retention schedules and deletion practices. Employers should maintain a documented retention policy supported by operational workflows, including secure deletion and audit trails that evidence when and why a record was deleted or retained. Retention decisions should take account of statutory requirements and the limitation periods for potential claims. Where data relates to long-term absence, health conditions and capability decisions, for example, employers may need to justify continued retention by reference to the risk of disputes such as claims arising from dismissal for sickness, and retention practices should be consistent with ongoing absence management and workforce planning.
Indefinite retention of personnel records is unlikely to be compliant. Where HR wishes to retain records for longer periods, it should be able to justify why retention remains necessary and ensure access remains proportionate and secure.
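The following Python script is an added illustration and is not code from the original page or from any HR platform it mentions. It shows one way to operationalise a retention schedule with an audit trail: each record's deletion date is derived from its documented retention period, records under legal hold (needed for the establishment, exercise or defence of a claim) or subject to an employee's request to restrict processing are held back, and every decision is logged so the reasoning can be evidenced. The record categories, retention periods and sample records are placeholders chosen for the example, not statutory figures.

```python
from dataclasses import dataclass
from datetime import date

# Illustrative retention periods (years after the trigger event) keyed by record
# category. These are placeholders standing in for the employer's own documented
# retention schedule; they are not statutory figures.
RETENTION_YEARS = {
    "payroll": 6,
    "personnel_file": 6,
    "sickness_record": 3,
    "recruitment_unsuccessful": 1,
}


@dataclass
class HrRecord:
    record_id: str
    category: str
    trigger_date: date          # when the retention clock starts, e.g. termination date
    legal_hold: bool = False    # needed for a live or reasonably anticipated claim
    restricted: bool = False    # employee has exercised the right to restrict processing


def add_years(d, years):
    """Add whole years, falling back to 28 Feb when 29 Feb does not exist."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def deletion_due_date(record):
    """Date on which the record falls outside its documented retention period."""
    return add_years(record.trigger_date, RETENTION_YEARS[record.category])


def review_records(records, today):
    """Decide, for each record, whether it is deleted today or retained, and why.

    Returns (to_delete, audit_log): the IDs to pass to the secure-deletion
    workflow, and one audit entry per record so the decision is evidenced.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    to_delete = []
    audit_log = []
    for rec in records:
        due = deletion_due_date(rec)
        if rec.legal_hold:
            action = "retain"
            reason = "legal hold: needed for establishment, exercise or defence of legal claims"
        elif rec.restricted:
            action = "retain"
            reason = "processing restricted at employee's request; store only until resolved"
        elif due <= today:
            action = "delete"
            reason = f"retention period expired on {due.isoformat()}"
            to_delete.append(rec.record_id)
        else:
            action = "retain"
            reason = f"within retention period until {due.isoformat()}"
        audit_log.append({
            "record_id": rec.record_id,
            "category": rec.category,
            "action": action,
            "reason": reason,
            "reviewed_at": today.isoformat(),
        })
    return to_delete, audit_log


# Constructed sample records for the example; not real employee data.
SAMPLE_RECORDS = [
    HrRecord("P-001", "payroll", date(2019, 3, 31)),                          # due 2025-03-31
    HrRecord("P-002", "personnel_file", date(2024, 6, 30)),                   # due 2030-06-30
    HrRecord("S-003", "sickness_record", date(2020, 2, 29)),                  # due 2023-02-28
    HrRecord("S-004", "sickness_record", date(2020, 1, 15), legal_hold=True), # expired but on hold
    HrRecord("R-005", "recruitment_unsuccessful", date(2025, 9, 1), restricted=True),
]

if __name__ == "__main__":
    ids, log = review_records(SAMPLE_RECORDS, "2026-01-01")
    print("Secure deletion queue:", ids)
    for entry in log:
        print(entry)
```

Run on the sample set as at 1 January 2026, the script queues P-001 and S-003 for secure deletion and retains the others, recording the legal hold and the restriction request as the reasons. The point of the audit entries is that a "retain" decision for an expired record is documented rather than silent, which is what the accountability principle expects when records are kept beyond the schedule.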
Section summary: Lawful processing in HR extends beyond identifying a legal basis. It requires disciplined collection practices, documented retention schedules and a clear rationale for how long employee data is kept, particularly where records are sensitive or linked to dispute risk.
Section C: Employee Data Rights and HR Obligations
A core feature of GDPR for HR is the strengthened position of employees as data subjects. Employers must not only process data lawfully, but also facilitate statutory rights in a timely, structured and documented manner. Failures in handling data subject rights are a common trigger for ICO complaints and can escalate quickly where disputes are ongoing.
1. Transparency and privacy notices in the HR context
Under Articles 12, 13 and 14 UK GDPR, employers must provide privacy information that is concise, transparent, intelligible and easily accessible. Employees and applicants must be informed about:
- the identity and contact details of the employer, and of the Data Protection Officer where one has been appointed
- the purposes of processing
- the lawful bases relied upon, including the legitimate interests pursued where that basis is used
- the recipients or categories of recipients of the data, such as payroll or occupational health providers
- retention periods or criteria used to determine them
- their data protection rights
- their right to complain to the ICO
Where personal data is collected directly from the individual, privacy information should be provided at the point of collection. Where data is obtained indirectly, it must generally be provided within one month, unless a limited exemption applies.
In HR practice, employers should maintain:
- a recruitment privacy notice
- a workforce privacy notice
- targeted notices for specialist processing such as monitoring or occupational health referrals
Transparency is particularly important where employers rely on legitimate interests, conduct monitoring or use analytics tools. Poor transparency can undermine otherwise lawful processing and may increase litigation risk where employees allege unfairness in processes such as a disciplinary procedure.
Section summary: Privacy notices are statutory disclosures. They must reflect actual HR data practices and be updated when systems, monitoring tools or workforce processes change.
2. Subject Access Requests (SARs) and dispute risk
Employees have the right to obtain confirmation that their personal data is being processed and to receive a copy of that data, together with supplementary information. A subject access request (SAR) can be made verbally or in writing and does not need to refer explicitly to data protection law.
Key requirements include:
- a response within one month
- disclosure of personal data unless a statutory exemption applies
- provision of information about purposes, recipients and retention
Employers may extend the response period by up to two further months where requests are complex or numerous, but the individual must be informed of the extension and the reasons for it within the original one-month period. A fee cannot be charged unless the request is manifestly unfounded or excessive. Employers are entitled to verify identity where there is reasonable doubt about the requester's identity, and the one-month period runs from receipt of the request, not from receipt of any clarification or identity evidence the employer chooses to seek.
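As an added example (not from the original page), the function below computes SAR deadlines using the calendar-month rule the ICO describes: the response is due on the corresponding date in the following month, or on the last day of that month where no corresponding date exists, and an extension of up to two further months is counted the same way from the receipt date. It assumes that a deadline falling on a weekend moves to the next working day; it does not model bank holidays, so the employer's own working calendar should be applied on top.

```python
import calendar
from datetime import date, timedelta

SAR_BASE_MONTHS = 1           # standard response period
SAR_MAX_EXTENSION_MONTHS = 2  # maximum further extension for complex or numerous requests


def add_calendar_months(d, months):
    """Same day-of-month `months` later, or the last day of that month if shorter.

    This mirrors the ICO's description of how the one-month SAR period is counted.
    """
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def next_working_day(d):
    """Roll a Saturday or Sunday forward to the following Monday.

    Assumption for this example: bank holidays are not modelled; the employer's
    own calendar should be applied before relying on the result.
    """
    while d.weekday() >= 5:
        d += timedelta(days=1)
    return d


def sar_deadlines(received, extension_months=0):
    """Return the key SAR dates for a request received on `received`.

    notify_extension_by: last day to respond, or to tell the requester an
                         extension is being applied and why
    respond_by:          final response date after any extension
    """
    if isinstance(received, str):
        received = date.fromisoformat(received)
    if not 0 <= extension_months <= SAR_MAX_EXTENSION_MONTHS:
        raise ValueError("extension may be up to two further months only")
    base = add_calendar_months(received, SAR_BASE_MONTHS)
    final = add_calendar_months(received, SAR_BASE_MONTHS + extension_months)
    return {
        "received": received.isoformat(),
        "notify_extension_by": next_working_day(base).isoformat(),
        "respond_by": next_working_day(final).isoformat(),
    }


if __name__ == "__main__":
    # Constructed example dates; 31 January exercises the short-month edge case.
    print(sar_deadlines("2026-01-31"))
    print(sar_deadlines("2026-01-31", extension_months=2))
```

Applying it to a request received on 31 January 2026 shows the edge case: February has no 31st, so the deadline becomes 28 February, which falls on a Saturday and therefore rolls to Monday 2 March. With the full two-month extension the final response date is 30 April 2026, but the requester must still be told about the extension by 2 March.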
SARs frequently arise during workplace disputes, including grievances, capability processes and investigations. HR teams should anticipate requests made during a disciplinary investigation or in advance of a disciplinary hearing. Email searches, redaction of third-party data and application of exemptions require careful handling and clear documentation.
Section summary: HR departments should maintain a clear SAR handling procedure, including search protocols, redaction guidance and escalation routes for complex or high-volume requests.
3. Rectification, erasure and restriction in employment
Employees may request correction of inaccurate personal data under the right to rectification. Employers must assess whether the data is inaccurate and either correct it without undue delay or record the employee’s challenge where appropriate.
The right to erasure applies only in specific circumstances, such as where data is no longer necessary or has been processed unlawfully. In employment contexts, erasure will often be limited by the employer’s need to retain records for legal compliance or to defend potential claims. Data required to comply with statutory obligations or retained for the establishment, exercise or defence of legal claims will generally not be eligible for erasure.
The right to restrict processing may apply where accuracy is contested or processing is challenged. HR systems should be capable of marking records as restricted so that they are not further processed while an issue is resolved.
These rights often arise in parallel with disputes over performance or conduct. Employers should ensure that rectification or erasure decisions do not inadvertently compromise record keeping linked to a disciplinary policy or related internal procedures.
Section summary: Employee rights to rectification and erasure are not absolute. HR must assess each request against statutory criteria and ensure that compliance with UK GDPR does not undermine legitimate legal record keeping.
4. Automated decision-making, AI and recruitment technology
Increasingly, HR departments rely on automated systems to support CV screening, candidate scoring, performance management and workforce analytics. Article 22 UK GDPR provides individuals with rights relating to decisions based solely on automated processing that produce legal or similarly significant effects.
Where automated decision-making is used, employers must:
- identify a lawful basis
- implement appropriate safeguards
- inform individuals about the processing
- ensure meaningful human review is available
Article 22 applies only where decisions are solely automated and have legal or similarly significant effects. However, even where Article 22 does not strictly apply, employers must ensure fairness, transparency and proportionality.
Deploying AI-driven tools, including AI-based recruitment systems, may trigger the need for a Data Protection Impact Assessment where processing is likely to result in high risk to individuals' rights and freedoms. HR should assess not only legal compliance but also reputational and discrimination risk, including whether the tool's scoring could produce indirectly discriminatory outcomes.
Section summary: As HR becomes more data-driven, governance expectations increase. Automated tools should be supported by transparency, documented assessments and genuine human oversight.
Section D: High-Risk HR Areas Under GDPR
Certain HR activities carry elevated regulatory and litigation risk because they involve intrusive processing, sensitive data or large-scale monitoring. In 2026, the growth of digital HR platforms, remote working arrangements and data analytics has intensified scrutiny in these areas. Employers should apply enhanced safeguards, structured governance and documented risk assessments.
1. Employee monitoring and surveillance
Workplace monitoring engages both UK GDPR obligations and the employee’s right to respect for private life under Article 8 of the European Convention on Human Rights.
Monitoring may include:
- email and internet usage tracking
- CCTV systems
- keystroke or productivity monitoring tools
- location tracking of company devices or vehicles
- biometric access controls
To be lawful, monitoring must be necessary for a legitimate purpose, proportionate to that purpose and transparent. Employers should identify an appropriate Article 6 lawful basis and clearly communicate the scope and purpose of monitoring in privacy notices and relevant policies.
More intrusive monitoring may require a Data Protection Impact Assessment. Employers implementing employee monitoring systems should assess proportionality carefully, including whether a less intrusive measure would achieve the same purpose. Covert monitoring will only be justifiable in exceptional circumstances, such as suspected criminal activity, and must be targeted and time-limited. The legal risks surrounding covert CCTV recordings are significant and should not be underestimated.
Where monitoring data is later relied upon in conduct proceedings, employers must ensure that its collection was lawful and transparent. Improperly obtained footage or communications may undermine reliance on CCTV evidence at a disciplinary hearing and create additional legal exposure.
Section summary: Workplace monitoring is a high-risk area. Lawfulness depends on necessity, proportionality, transparency and documented justification, particularly where monitoring evidence feeds into disciplinary or capability processes.
2. Personal data breaches in HR
A personal data breach includes any security incident leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
In HR, examples may include:
- sending payroll information to the wrong recipient
- losing unencrypted devices containing personnel files
- cyberattacks affecting HR databases
- accidental disclosure of medical or disciplinary information
Under Article 33 UK GDPR, a breach must be reported to the ICO within 72 hours of becoming aware of it where there is a risk to individuals’ rights and freedoms. Under Article 34, affected individuals must be informed without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
All breaches, whether reportable or not, must be documented internally in a breach register. HR teams should ensure there is:
- a clear internal escalation procedure
- defined reporting lines
- technical and organisational security measures
- regular awareness training
Breach risk is heightened where sensitive data such as health records, disciplinary findings or diversity information is involved. Robust governance reduces both regulatory exposure and the risk of compensation claims.
Section summary: HR data breaches require prompt assessment, documented decision-making and, where thresholds are met, timely notification to the ICO and affected individuals.
3. Data Protection Impact Assessments (DPIAs)
A DPIA is required where processing is likely to result in a high risk to individuals’ rights and freedoms. In HR, this may include:
- large-scale processing of health or special category data
- introduction of new HR information systems
- AI-based recruitment or scoring tools
- systematic and extensive employee monitoring
A DPIA should:
- describe the proposed processing and its purposes
- assess necessity and proportionality
- identify risks to individuals
- set out mitigation measures
If residual high risk remains after mitigation, the organisation must consult the ICO before proceeding, in accordance with Article 36 UK GDPR. Failure to conduct a DPIA where required, or to consult where necessary, is itself a breach of UK GDPR.
Section summary: DPIAs are mandatory risk assessments for high-impact HR processing activities. They must be completed before implementation and retained as part of the organisation’s accountability framework.
4. Data governance and Data Protection Officer requirements
Some organisations are legally required to appoint a Data Protection Officer under Article 37 UK GDPR. This applies where:
- the organisation is a public authority
- its core activities consist of regular and systematic monitoring of individuals on a large scale
- its core activities involve large-scale processing of special category data or criminal conviction data
A DPO must operate independently, report to the highest management level and have expert knowledge of data protection law. Even where a formal DPO is not legally required, organisations should ensure there is clear internal accountability for data protection governance.
Effective HR governance should include:
- records of processing activities
- documented retention schedules
- policy review and internal audit mechanisms
- structured staff awareness programmes, potentially integrated into wider mandatory training frameworks
Where data protection training forms part of contractual arrangements, employers should ensure related clauses, such as any clause requiring repayment of training costs, are drafted carefully and applied lawfully.
Section summary: Robust governance structures underpin defensible GDPR for HR compliance. Whether through a statutory DPO or structured internal oversight, accountability must be operationally embedded and regularly reviewed.
GDPR for HR FAQs
What is GDPR for HR in the UK?
GDPR for HR refers to the application of the UK GDPR and the Data Protection Act 2018 to human resources activities, including recruitment, payroll, performance management, absence handling, disciplinary action and workforce analytics. It governs how employers collect, use, store and disclose employee data.
Can HR rely on employee consent to process personal data?
In most cases, no. Consent is rarely appropriate in employment relationships because it may not be freely given due to the imbalance of power between employer and employee. Employers typically rely on contractual necessity, legal obligation or legitimate interests instead.
What special rules apply to health and sickness records?
Health data is special category data under Article 9 UK GDPR. Employers must identify both an Article 6 lawful basis and an Article 9 condition, often linked to employment law obligations. Where substantial public interest conditions are relied upon, an Appropriate Policy Document may be required under the Data Protection Act 2018.
How long can employers retain personnel files?
Personal data must not be kept longer than necessary for the purpose for which it was collected. Employers should maintain documented retention schedules that take account of statutory requirements and limitation periods for potential claims.
What must HR do if an employee makes a Subject Access Request?
HR must respond within one month, unless an extension is justified due to complexity. The employer must provide a copy of the employee’s personal data and supplementary information unless a statutory exemption applies. Identity verification may be required where appropriate.
When must a personal data breach be reported to the ICO?
A breach must be reported within 72 hours where it poses a risk to individuals’ rights and freedoms. If the breach is likely to result in a high risk, affected individuals must also be informed without undue delay.
Can employers monitor employee communications?
Yes, but monitoring must be necessary, proportionate and transparent. Employers should identify a lawful basis, inform employees clearly and conduct a DPIA where monitoring is intrusive or high risk.
Do all employers need a Data Protection Officer?
No. A Data Protection Officer is only mandatory where the organisation meets the criteria set out in Article 37 UK GDPR. However, all employers must ensure effective data protection governance and accountability structures.
Conclusion
GDPR for HR is a governance discipline that runs through the entire employment lifecycle. HR departments process some of the most sensitive data held by an organisation, including health records, disciplinary findings, diversity information and criminal background checks. The legal framework requires not only lawful processing but demonstrable accountability.
In 2026, compliance expectations are shaped by digital HR systems, remote working infrastructure and increased use of analytics and automation. Employers must identify clear lawful bases, apply Article 9 conditions where required, implement robust retention policies and ensure transparency across recruitment, employment and termination processes.
Failure to comply exposes organisations to ICO investigation, administrative fines, compensation claims and reputational damage. By contrast, structured governance, documented risk assessments and properly trained HR teams provide a defensible foundation for lawful workforce management.
Glossary
| Term | Definition |
|---|---|
| UK GDPR | The United Kingdom General Data Protection Regulation, governing the processing of personal data in the UK. |
| Data Protection Act 2018 | UK legislation that supplements the UK GDPR and provides additional rules, exemptions and enforcement powers. |
| Personal Data | Any information relating to an identified or identifiable individual. |
| Special Category Data | Sensitive personal data such as health information, racial or ethnic origin and trade union membership. |
| Lawful Basis | The legal ground under Article 6 UK GDPR that justifies processing personal data. |
| Article 9 Condition | An additional legal requirement permitting processing of special category data. |
| Subject Access Request (SAR) | A request by an individual to access their personal data and related information. |
| Data Protection Impact Assessment (DPIA) | A mandatory risk assessment where processing is likely to result in high risk to individuals’ rights and freedoms. |
| Data Protection Officer (DPO) | An independent officer required in certain organisations to oversee compliance with data protection law. |
| Personal Data Breach | A security incident involving unauthorised access, loss, disclosure or alteration of personal data. |
Useful Links
- ICO Guide to UK GDPR
- ICO Employment Practices and Monitoring Guidance
- UK GDPR (legislation)
- Data Protection Act 2018
