HR teams should now be well equipped to manage employee data properly, as well as to provide regular, up-to-date training to staff on correctly handling data about customers, suppliers and other business contacts.
To maintain compliance with the UK GDPR, HR teams should carry out a structured audit of their data and processes every year. Auditing against the ICO’s guidance will keep you on the right path.
Know your data
Given the increased duties under the UK GDPR, particularly for special category data, HR teams should know what data they hold on employees, know how to access it, and have clear, documented rules for managing it.
HR teams should be clear on the lawful basis on which they hold employee personal data. Consent is a typical example of a lawful basis; contracts should be reviewed to see whether you are relying on this basis and, if you are, clear and informed consent should be sought from employees.
Generally, organisations will easily establish an alternative lawful basis for holding employee personal data – for example, to meet their legitimate needs as an employer. If you are not relying on consent, you should identify a different lawful basis and update contracts accordingly.
Personal data held on job applicants also needs to be audited – remembering that the lawful basis for holding applicants’ data will not be the same as it is for current employees. For former employees, HR teams should likewise audit what data they hold, looking at the basis for holding it, how it is held, and for how long it is retained.
Employees should be updated on changes to data protection policies – not just to assure them about HR compliance with the UK GDPR, but to remind them of their responsibilities when handling other people’s data on behalf of the business and to promote a culture of accountability.
Employee rights
Transparency is crucial for HR teams; employees should be informed about how data is collected, processed, and stored.
HR teams are likely to receive employee data requests, so you should be familiar with employees’ rights regarding their data, such as the right of access, the right to erasure and the right to object. If you haven’t already, we recommend developing a standard response form that you can tailor to each request, particularly for subject access requests. This will save you time and money when it comes to fulfilling your obligations regarding employee rights.
Another process to review is how you monitor compliance and report breaches to the ICO. The person responsible for data protection within your business should report a breach within 72 hours of the organisation discovering it. They should also inform affected employees; a data breach response plan can help you do so efficiently and demonstrate accountability if the ICO investigates.
We advise most companies to designate a data protection manager – even if a formal data protection officer is not required – as someone to drive audits and reviews, galvanise everyone into compliance, and identify what outside help might be useful. You can also refer to this useful checklist from Lindsays.
There is a lot to review and implement when it comes to data protection, but the ICO’s guidance and checklists are a useful first stop. Businesses generally benefit from understanding and managing data properly: it helps to safeguard crucial relationships with staff, customers, contractors and other stakeholders while reducing legal and reputational risks.
Published 3 July 2025