HR Data Security UK: GDPR Compliance & Employee Data Protection Guide

HR data security refers to the protection of employee personal data against unauthorised access, loss, or misuse, as required by UK GDPR and the Data Protection Act 2018. This includes securing sensitive information such as bank details, health records, right-to-work documents, and performance data. UK employers must implement appropriate technical and organisational measures (Article 32) including encryption, access controls, and staff training.

These two areas overlap, but data security is a distinct discipline with its own legal obligations, enforcement regime, and technical requirements. For full HR compliance guidance beyond data protection, visit our guide.

The UK GDPR sets out specific obligations that apply directly to how you collect, store, and handle employee personal data. These are the five core areas every HR team in the UK must understand.

Every time you process employee data, you must be able to point to one of six lawful bases. In an HR context, the four you will rely on most are:

• Employment contract: payroll, administering benefits, managing the employment relationship.

• Legal obligation: right-to-work checks, pension auto-enrolment, PAYE and tax records.

• Legitimate interests: recruitment screening, performance management (requires a documented Legitimate Interest Assessment).

• Consent: optional benefits, employee photos in directories; only valid where employees have a genuine free choice.

Document the lawful basis for every processing activity in your Article 30 records of processing. If you cannot articulate a basis, you should not be processing the data.

Employees hold a bundle of rights over the personal data you hold on them. Your HR processes must be able to action each of these within the required timeframes:

• Right to be informed (Articles 13-14): provide a privacy notice at the point of hire covering what data you collect, why, how long you keep it, and who sees it.

• Right of access (Article 15): respond to data subject access requests (DSARs) within one calendar month; see the DSAR section below for the full process.

• Right to rectification (Article 16): correct inaccurate employee records promptly, for example an incorrect job title, salary figure, or address.

• Right to erasure (Article 17): former employees may request deletion of their data; you can decline where retention is required by law or to defend a legal claim.

• Right to data portability (Article 20): rarely applicable in HR; relevant only where processing is based on consent or contract and carried out by automated means.

Failure to respond to a DSAR within the one-month deadline is one of the most common grounds for an ICO complaint. Build a documented, tested process before you receive a request.

Article 32 requires you to implement technical and organisational measures appropriate to the risk your processing presents. For HR data, this typically means:

• Pseudonymisation and encryption: protect data at rest (AES 256) and in transit (TLS).

• Ability to restore availability: automated backups with tested point-in-time recovery, protecting against ransomware and system failure.

• Regular testing of security measures: annual penetration testing, quarterly vulnerability scans, and ongoing monitoring.

• Staff training: all employees who handle personal data must understand their obligations; training should be refreshed annually and completion recorded.

The ICO, working with the National Cyber Security Centre (NCSC), has published a set of security outcomes providing practical guidance on what 'appropriate' looks like for different types of organisation. See the Technical security measures section below for a full breakdown.

When a personal data breach occurs, you have specific notification obligations:

• 72-hour ICO notification: if the breach is likely to result in a risk to individuals' rights and freedoms, report to the ICO within 72 hours of becoming aware of it; you can report in phases if the full picture is not yet clear.

• Employee notification: if the breach is likely to result in high risk to individuals (for example, exposure of payroll or health data), notify affected employees directly and without undue delay.

• Documentation requirements: you must log all breaches under Article 33(5), whether notifiable or not, recording the facts, effects, and remedial action taken.

The 72-hour window starts from when your organisation becomes aware of the breach — not when the incident occurred. See the Data breach response section for the full five-step process.

Data protection must be built into new HR processes from the outset, not retrofitted. In practice this means:

• Privacy from the start of new HR systems: conduct a Data Protection Impact Assessment (DPIA) before deploying new HR technology; consider access controls, data minimisation, and encryption at the design stage.

• Data minimisation in recruitment forms: only collect information you genuinely need; do not request date of birth, nationality, or protected characteristics unless there is a clear, documented reason.

Article 25 also requires privacy-by-default: your systems should process the minimum personal data necessary unless the individual actively chooses otherwise.

The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025. Most of its key data protection provisions came into force on 5 February 2026, with further changes – including a new mandatory complaints right – scheduled for 19 June 2026. The DUAA amends, but does not replace, the UK GDPR and the Data Protection Act 2018.

The changes most relevant to HR teams are:

• DSARs: the DUAA codifies that only 'reasonable and proportionate' searches are required; this is particularly helpful for large organisations with complex IT infrastructure, but the one-month response deadline remains unchanged.

• Automated decision-making: restrictions have been relaxed; employers in the UK can now more easily use AI and algorithmic tools in recruitment, performance management, and workforce planning, provided appropriate safeguards are in place; this diverges from the EU GDPR position.

• Recognised legitimate interests: a set of pre-approved legitimate interest bases has been introduced for specific purposes, such as sharing employee data with law enforcement in a workplace security incident, removing the need for a balancing test in those cases.

• Mandatory complaints procedure: from 19 June 2026, employers must provide a formal route for employees to raise data protection complaints directly; complaints must be acknowledged within 30 days and investigated without undue delay.

• International transfers: the standard for transfers to third countries has been adjusted to 'not materially lower' than UK protections, replacing the previous 'essentially equivalent' test; updated ICO guidance on transfers was published in early 2026.

The UK is now diverging from EU GDPR in several areas. Organisations that also operate in the EU should review which regime applies to each processing activity and ensure their policies reflect both where necessary.

Not all employee data carries the same level of risk. Understanding how to classify what you hold is the first step towards proportionate protection.

Under Article 15 of the UK GDPR, any employee  (current or former) can request a copy of all the personal data you hold about them. This is called a data subject access request (DSAR) or subject access request (SAR). The terms are used interchangeably; the ICO typically uses SAR.

You must respond without undue delay and within one calendar month of receiving the request. That is a calendar month, not 30 days. You can extend the deadline by up to two further months if the request is complex or you have received multiple requests from the same individual, but you must notify the requester within the original month and explain why.

There is no formal wording required: a verbal request, a social media message, or an email asking 'what data do you have on me?' can all constitute a valid DSAR. The clock starts from the day of receipt, even if that day falls on a weekend or bank holiday.

Record the date received, the requester's details, and the scope of the request. Acknowledge receipt promptly, ideally within a few days. The one-month clock has already started.

Before releasing data, confirm the requester is who they say they are. Proportionate verification might mean asking for an employee ID number and date of birth, or requesting photo ID for a high-sensitivity request. Do not use verification checks to delay or discourage legitimate requests, the ICO takes a dim view of this.

A DSAR response must be comprehensive. Search your HR system, payroll records, performance management files, emails mentioning the employee, disciplinary notes, manager comments, and any other system where personal data may be held.

Provide a copy of the personal data held, together with supplementary information: the purposes of processing, the categories of data, who has access to it, how long you keep it, and the employee's right to complain to the ICO. If data also belongs to a third party, redact it carefully before disclosure.

The response must be free of charge in almost all circumstances, and provided in a commonly used electronic format if the request was made electronically. Missing the deadline exposes you to an ICO complaint and potential enforcement action.

• Missing emails or manager notes stored outside the main HR system

• Over-redacting data belonging to the requester, or under-redacting data belonging to third parties

• Charging for standard requests, this is not permitted

• Failing to provide the supplementary information required alongside the data copy

A personal data breach is any security incident that affects the confidentiality, integrity, or availability of personal data. The ICO defines this broadly: it includes accidental disclosure, ransomware attacks, lost laptops, and emails sent to the wrong recipient. Not every breach requires ICO notification, only those likely to pose a risk to individuals' rights and freedoms.

Isolate the affected system or account. Disable compromised credentials. Stop the unauthorised access and preserve evidence for your investigation. Speed matters: the 72-hour notification window starts from when you become aware of the breach.

Determine what data was affected, how many employees are involved, and the likely risk to individuals. Ask: could this data be used to harm the people it relates to – financially, reputationally, or otherwise? Document your assessment.

If the breach is likely to result in a risk to the rights and freedoms of individuals, you must notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it. The ICO recognises you may not have the full picture within 72 hours: Article 33(4) of the UK GDPR allows you to submit information in phases. Report early and update later.

Your notification to the ICO must include: the nature of the breach, the approximate number of individuals affected, the likely consequences, the measures you are taking to address it, and your data protection officer's contact details (if you have one). Use the ICO's online breach report portal.

Where the breach is likely to result in high risk to individuals, for example, the exposure of bank details or health records, you must also notify those employees directly, without undue delay. Tell them what happened, what data was affected, what the likely consequences are, and what steps they can take to protect themselves.

Document the lessons learned. Update your security measures. Retrain staff where human error contributed to the breach. Test your recovery procedures. Article 33(5) requires you to maintain records of all personal data breaches, whether or not they were notifiable.

The five scenarios below account for the majority of personal data breaches reported by HR teams. Each one is preventable with the right controls in place.

Use this checklist as your internal verification step before submitting a notification to the ICO. The ICO's online breach report form must be completed in a single session and cannot be saved mid-way through, have these details ready before you start.

If you cannot provide all the required information within 72 hours, submit what you have and explain the reason for the delay. Article 33(4) of the UK GDPR explicitly permits phased reporting: notify early and update the ICO as your investigation progresses. Report online at ico.org.uk, or call the ICO's breach helpline on 0303 123 1113 during office hours.

Where a breach is likely to result in high risk to individuals, for example, exposure of payroll data, health records, or right-to-work documents, you must notify affected employees directly and without undue delay (Article 34, UK GDPR). The notification must explain what happened, what data was involved, what harm may result, and what steps employees can take to protect themselves.

The following structure covers all required elements under Article 34(2):

Keep a copy of every notification sent, the date sent, and confirmation of delivery. This forms part of your Article 33(5) breach documentation and may be requested by the ICO during an investigation or audit.

The four cases below are drawn directly from ICO enforcement decisions. Each involved failures your HR team can act on today. All penalty amounts are confirmed from published ICO enforcement notices. You can browse the full register of ICO enforcement actions here.

On 22 March 2023, a Capita employee downloaded a malicious file. A high-priority security alert was raised within ten minutes, but the affected device was not quarantined for 58 hours, far exceeding Capita's own one-hour target response time. During that window, the attacker gained administrator privileges, moved laterally through the network, exfiltrated nearly one terabyte of data, and later deployed ransomware. 

The breach affected 6.6 million individuals across 325 pension schemes, exposing pension records, employment records, financial data, and special category data including health information and criminal records. The ICO fined Capita plc £8 million and its subsidiary Capita Pension Solutions £6 million —a combined £14 million — in October 2025.

• HR lesson: MFA is mandatory for all HR system access, particularly administrator accounts. A breach alert is only as useful as the response it triggers – your incident response plan must have tested escalation procedures with defined timelines.

• Articles breached: 5(1)(f) – integrity and confidentiality principle; 32 – security of processing.

In June 2018, an attacker gained access to the British Airways network using compromised credentials stolen from a Swissport employee,  a third-party contractor whose account had no MFA enabled. The attacker moved through the network undetected for over two months, ultimately injecting malicious code that harvested payment card data and personal information from the BA website. 

The breach was not discovered by BA itself: the company was alerted by a third party on 5 September 2018. The personal data of approximately 430,000 customers and staff was potentially compromised, including names, addresses, payment card numbers, CVV codes, and employee login credentials.

The ICO issued a Notice of Intent to fine BA £183 million in 2019. Following BA's representations, a reconsideration of the facts, and a £4 million COVID-19 reduction, the final penalty was set at £20 million in October 2020 – at the time the largest fine ever issued by the ICO.

• HR lesson: Third-party accounts with access to your systems require the same MFA controls as internal staff. Breach detection protocols must be active, not passive, BA did not detect this breach itself after two months of active exfiltration.

• Articles breached: 5(1)(f) – integrity and confidentiality principle; 32, security of processing.

In February 2018, malicious code was injected into a third-party chatbot that Ticketmaster had placed on its payment pages. The chatbot was provided by a supplier called Inbenta. The code silently harvested payment card details and personal information entered by customers. 

Ticketmaster was alerted to potential fraud by Monzo Bank as early as April 2018 but took nine weeks to begin monitoring traffic through its payment page. The breach potentially affected 9.4 million individuals in the EEA, including 1.5 million in the UK. Some 60,000 Barclays Bank payment cards were confirmed compromised.

The ICO issued a £1.25 million Monetary Penalty Notice on 13 November 2020, over two years after the breach began and more than two and a half years after GDPR came into force. Ticketmaster appealed the penalty notice to the First-tier Tribunal. The appeal was stayed pending parallel High Court proceedings.

• HR lesson: Every third-party tool with access to employee or candidate data, applicant tracking systems, background-check providers, payroll integrations, must be subject to documented vendor due diligence, proportionate to the sensitivity of the data involved. Contractual assurances are not a substitute for technical controls.

• Articles breached: 5(1)(f), integrity and confidentiality principle; 32, security of processing.

In March 2020, a phishing email landed in an Interserve accounts team mailbox. Interserve's system neither quarantined nor blocked it. An employee forwarded it to a colleague, who opened the attachment and triggered a malware installation. The anti-virus software quarantined the malware and sent an alert — which Interserve failed to properly investigate. Had it done so, it would have found the attacker still had access to company systems. 

The attacker went on to compromise 283 systems and 16 accounts, uninstalled Interserve's anti-virus solution, and encrypted the personal data of up to 113,000 current and former employees. The compromised data included bank account details, national insurance numbers, contact details, and special category data covering ethnic origin, religion, disability, sexual orientation, and health information held across four HR databases.

The ICO's investigation found that Interserve had been failing to maintain adequate security measures since March 2019  (well before the attack) and issued a £4.4 million Monetary Penalty Notice on 24 October 2022, over two years after the breach occurred. This timeline is typical: ICO enforcement investigations of this scale routinely take one to two years from breach to fine.

• HR lesson: An unacted security alert is as dangerous as having no alert at all. Phishing simulation training, up-to-date endpoint protection, and a clear protocol for investigating anti-virus alerts are all required under Article 32.

• Articles breached: 5(1)(f), integrity and confidentiality principle; 32, security of processing.

The patterns that emerge from enforcement actions, where the ICO has found breaches warranting fines, include:

• Failure to act on security alerts: Interserve and Capita both had detection systems that worked; the failure was in the response.

• No MFA on accounts with access to personal data: present in both the BA and Capita cases.

• Inadequate vendor due diligence: the direct cause of the Ticketmaster fine; a growing risk as HR tech stacks become more complex.

• Outdated software and unpatched systems: cited by the ICO as a contributing factor in both Interserve and multiple other enforcement cases.

• Delayed breach detection and notification: each case above involved a period where the attacker had undetected access that a monitoring control could have shortened.

Article 32 of the UK GDPR does not prescribe specific technologies, it requires measures appropriate to the risk. For HR processing, which typically involves large volumes of sensitive personal data, the following controls are widely recognised as appropriate.

The ICO's guidance, developed in collaboration with the NCSC, does not mandate specific encryption algorithms, the standard is 'appropriate to the risk'. In practice, AES 256-bit encryption for data at rest and TLS 1.3 for data in transit are widely considered current best practice for HR data. When evaluating HR software vendors, ask explicitly for their encryption specification.

One of the most common access-control failures in HR is the failure to revoke system access promptly when employees leave or change roles. A former employee retaining access to payroll data or employee files is a data breach waiting to happen. Your HR system should support automatic access revocation as part of the offboarding process.

If your organisation sends employee data outside the UK – whether to an overseas office, an outsourced payroll provider, or a US-based HR software platform – you need to ensure the transfer is lawful.

The UK currently has an adequacy decision in place with the EU/EEA, meaning data can flow freely between the UK and EU member states without additional safeguards. This position was in place as of March 2026, but organisations should monitor for any divergence as UK data protection law develops independently of EU GDPR.

There is no adequacy decision between the UK and the US. If you transfer employee data to a US-based HR software vendor, payroll provider, or parent company, you will need to rely on International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) with a UK addendum, and carry out a Transfer Impact Assessment (TIA) to confirm that the data is adequately protected in the destination country.

The ICO maintains a list of countries with adequacy decisions. For transfers to countries without adequacy, you will need appropriate safeguards such as IDTAs. Check the ICO's international transfers guidance at ico.org.uk for the current list.

Many HR teams are unsure how far they can go when monitoring employee activity, particularly with hybrid and remote working now commonplace. The ICO published comprehensive guidance on monitoring workers in October 2023. The short answer is: monitoring is permitted, but it must be lawful, transparent, and proportionate.

You must identify a lawful basis under Article 6 for any monitoring activity. You must also tell employees what monitoring takes place, why, and what data is collected. Covert monitoring — where employees have no knowledge of the surveillance, is only justifiable in exceptional circumstances, such as a suspected criminal investigation, and must be authorised by senior management.

The ICO also recommends completing a Data Protection Impact Assessment (DPIA) before implementing any monitoring system, even where one is not strictly required by law. For employees working from home, the ICO notes that their reasonable expectation of privacy is higher than in an office setting.

UK GDPR requires you to keep personal data only for as long as necessary. But 'necessary' is defined by a combination of legal obligations, regulatory requirements, and legitimate business needs, and the timelines differ by record type. Below are the key retention periods for UK HR records.

The 6-year benchmark for most HR records aligns with the limitation period for breach-of-contract claims under the Limitation Act 1980. Once a retention period expires, data should be securely deleted or anonymised. Using an HR system to automate deletion rules significantly reduces the risk of retaining data longer than necessary, and the ICO complaint that can follow.

When evaluating HR software vendors, certifications offer third-party assurance that the vendor's security controls have been independently tested. Here are the key ones to look for.

The international standard for information security management systems. ISO 27001 certification means the vendor has a systematic approach to managing security risks, including policies, controls, and ongoing audits. Ask to see a current certificate and check which certification body issued it.

A US-originated but internationally recognised standard that audits a vendor's security, availability, and confidentiality controls over a period of at least six months (Type II). Type II is more rigorous than Type I, which only tests controls at a single point in time. A SOC 2 Type II report gives you evidence that the vendor's security practices are consistently applied.

A UK government-backed certification scheme that validates basic security hygiene: firewalls, secure configuration, access controls, malware protection, and patch management. Cyber Essentials Plus includes an independent technical verification. This certification is mandatory for UK government contracts and is increasingly expected in public sector supply chains.

An extension to ISO 27001 that adds privacy-specific controls aligned with GDPR and other privacy regulations. ISO 27701 certification indicates the vendor has embedded privacy-by-design processes into their security management system, relevant given HR software's role as a data processor.

• 'We're GDPR compliant' stated without supporting documentation

• No security certifications of any kind

• Refusal to provide a Data Processing Agreement (DPA)

• Vague or evasive answers about data storage locations

• No incident response procedure or bug bounty programme

ICO audits can be triggered by a breach report, an employee complaint, a sector-wide investigation, or random selection. They are not reserved for large organisations, the ICO audits companies of all sizes. Knowing what to expect makes preparation manageable.

1. Records of processing activities (Article 30 register): documenting what employee data you process, why, who has access, how long you keep it, and any international transfers.

2. Employee and recruitment privacy notices: current versions, evidence of updates when processing changed.

3. Data Protection Impact Assessments: particularly for high-risk processing such as employee monitoring, AI-based recruitment tools, or large-scale profiling.

4. Data Processing Agreements with vendors: your payroll provider, HR software supplier, and background check services.

5. DSAR response records: how you handled past requests, response timelines, and the information provided.

6. Breach notification records: incidents logged, ICO notifications made, evidence of 72-hour reporting.

7. Security measures documentation: encryption policies, access control matrices, staff training records, penetration test results.

8. Data retention policy: schedules by record type and evidence of secure disposal.

• Maintain your Article 30 processing register and review it quarterly

• Review employee and recruitment privacy notices annually

• Conduct DPIAs for new HR technology and high-risk processing activities

• Audit third-party DPAs annually, ensure they reflect current processing

• Document your DSAR process and track response times

• Test your breach notification procedure at least annually

• Commission an annual external security review or penetration test

• Run GDPR training for all staff who handle employee data, record completion rates

• Review your data retention schedules and delete expired records on schedule

• Appoint a Data Protection Officer if your organisation requires one

Use this checklist to audit your organisation's current position against the UK GDPR requirements and NCSC security recommendations covered in this guide. The checklist is organised by category, work through each in turn and note any gaps. A gap is not automatically a breach, but an undocumented gap is a material risk if the ICO investigates.

For an interactive version of this checklist where you can track your progress and calculate a compliance score, see the companion tool at the end of this section.

• AES 256-bit encryption for all employee data at rest (employee files, payroll records, health data)

• TLS 1.3 encryption for all data in transit (self-service portals, payroll integrations, API connections)

• Multi-factor authentication (MFA) enforced for all HR system users — mandatory for administrator accounts

• Role-based access controls (RBAC) configured so staff access only the data their role requires

• Automated daily backups in place, backup recovery tested at least quarterly

• Audit trails enabled and retained for a minimum of 12 months, logs include who accessed or changed data and when

• Firewall and intrusion detection/prevention systems active and monitored

• Patch management policy in place, critical patches applied promptly (NCSC recommends within 14 days for critical vulnerabilities; 30 days is a common organisational policy)

• Antivirus and anti-malware with real-time protection deployed across all systems handling HR data

• Secure data disposal process documented, crypto-shredding or equivalent for electronic records; cross-cut shredding for paper

• Data Protection Officer appointed, if required under Article 37 UK GDPR

• Article 30 records of processing activities maintained and reviewed at least annually

• Employee and recruitment privacy notices provided at point of hire and updated when processing changes materially

•   Annual GDPR training completed by all staff who handle employee data, attendance records kept

• Data retention policy documented, with retention periods set by record type and automated deletion where possible

• DSAR process documented with a target response time within one calendar month (the legal deadline under Article 15)

• Breach response plan documented and tested at least annually, includes ICO 72-hour notification step

• Third-party vendor due diligence completed, signed Data Processing Agreements in place with all processors handling employee data

• Data Protection Impact Assessments completed for all high-risk processing activities (employee monitoring, AI-based recruitment tools, biometric data)

• Regular security audits conducted, internal quarterly review; independent external audit or penetration test at least annually

• Joiners, movers, and leavers process documented, access provisioned and revoked promptly on role change or departure

• Privileged access reviewed quarterly, administrator-level accounts kept to the minimum necessary

• Password policy enforced: minimum length (NCSC recommends longer passphrases over short complex passwords); account lockout after failed attempts; passwords changed only when compromise is suspected

• Single sign-on (SSO) implemented where possible to reduce credential sprawl

• Remote access to HR systems via VPN or equivalent secure connection only

•  Locked storage for paper HR records (personnel files, right-to-work documents, medical certificates)

• Clear desk policy in place for any area where HR records are handled

•  Visitor management process in place, sign-in, escorting, and log retention

•  Secure disposal bins available for paper containing personal data, cross-cut shredding or confidential waste contractor

• Security incident log maintained, all incidents recorded regardless of whether ICO notification is required

• Threat intelligence monitoring in place, alerts configured for unusual access patterns or data exfiltration attempts

• Annual penetration test commissioned from an independent security provider

• Monthly vulnerability scanning across systems that process HR data

• Security metrics reviewed regularly, access attempts, failed logins, privilege escalations, and DSAR response times

• Data Processing Agreements in place and reviewed annually with all third-party processors

• Consent records maintained where consent is the lawful basis for processing (e.g. optional employee directory photos)

• Lawful basis documented for every processing activity in the Article 30 register

• International transfer safeguards in place for any employee data sent outside the UK, IDTAs or SCCs with a UK addendum plus Transfer Impact Assessments

• Employee monitoring disclosures documented in policy and communicated to all affected employees before monitoring begins

Personio is the Intelligent HR Platform. Our Smart Automations eliminate the busy work so you can focus on the meaningful. Our Dynamic Adaptability allows Personio to meet the needs of your business for today and tomorrow. Our Proactive Insights help every HR team make confident people decisions.

From a data security perspective, Personio is built to help HR teams meet UK GDPR obligations without adding manual overhead. Centralised, encrypted employee files replace email chains and spreadsheets. Automated data retention rules adjust based on employee location, for example, the retention period for absence records in the UK differs from the requirement in Germany, and Personio can manage both. Employee self-service portals allow staff to access and update their own data, supporting transparency and reducing the risk of inaccurate records.

For DSAR responses, Personio's tooling helps HR teams compile an employee's complete data profile from a single system rather than manually searching across disconnected platforms. Role-based access controls mean that only the right people can view payroll data, health information, or disciplinary records, and every access is logged in an immutable audit trail.

Certifications and technical safeguards:

• ISO 27001 certified, validated by independent third-party audit on an annual basis

• AES 256-bit encryption for data at rest; TLS encryption for data in transit

• Multi-factor authentication for all users

• Role-based access control with principle of least privilege

• GDPR DSAR automation, compile a complete employee data profile from a single centralised record

• UK and EU data residency options

• Automated data retention rules by employee location and data type

Personio’s specialised platform protects HR and employee data–keeping you compliant with relevant privacy regulations.

HR data security is the obligation to protect employee personal data against unauthorised access, loss, or misuse, as required by the UK GDPR and the Data Protection Act 2018. Under Article 32, employers must implement technical and organisational measures appropriate to the risk their processing presents.

All personal data relating to employees is protected – from names, addresses, and job titles to bank details, health records, right-to-work documents, performance appraisals, and disciplinary records. Health data, trade union membership, and biometric data are classified as special category data under Article 9 and require additional safeguards and a specific processing condition. 

Acknowledge receipt, verify the requester's identity using proportionate measures, search all systems where personal data may be held, compile the response (including supplementary information about processing purposes, retention periods, and rights), and deliver it free of charge within one calendar month of receiving the request. 

The ICO can issue fines of up to £17.5 million or 4% of global annual turnover (whichever is higher) for the most serious breaches. Less serious procedural failures carry a lower maximum of £8.7 million or 2% of turnover. In practice, fines are determined case by case based on the severity of the breach, the number of people affected, the organisation's culpability, and how promptly and cooperatively it responded. 

No. Only breaches that are likely to result in a risk to the rights and freedoms of individuals need to be reported to the ICO, and this must be done within 72 hours of becoming aware of the breach. If the risk is low, you do not need to notify the ICO, but you must document the incident and your risk assessment. All breaches, notifiable or not, must be recorded internally under Article 33(5).

Retention periods vary by record type. Payroll records should be kept for 6 years from the end of the relevant tax year, in line with HMRC requirements. Right-to-work documents should be retained for 2 years after employment ends. Recruitment records for unsuccessful candidates are typically kept for 6–12 months. Disciplinary and grievance records are usually kept for 6 years post-employment to support defence against potential tribunal or civil claims. Sickness absence records are generally kept for 3 years, extending to 40 years or more where exposure to hazardous substances is involved.

Not without additional safeguards. There is currently no adequacy decision between the UK and the US. If you use a US-based HR software platform, payroll provider, or send employee data to a US parent company, you need an International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) with a UK addendum, plus a Transfer Impact Assessment to document that the data is adequately protected.

Yes, within clear limits. You must have a lawful basis for monitoring, be transparent with employees about what is monitored and why, and ensure monitoring is proportionate to the purpose. Covert monitoring is only justifiable in exceptional circumstances, such as a suspected criminal investigation, and must be authorised by senior management.

Article 32 requires 'appropriate technical and organisational measures', what is appropriate depends on the nature of the data and the risks involved. For HR data, appropriate measures typically include: encryption of data at rest and in transit, role-based access controls, multi-factor authentication, audit trails, regular staff training, automated backups with tested recovery, and a documented breach response procedure. 

A DPIA is a structured assessment of the data protection risks associated with a new processing activity. Under Article 35 of the UK GDPR, a DPIA is mandatory for processing that is likely to result in a high risk to individuals, including systematic monitoring of employees, processing biometric data, or introducing AI-based recruitment tools. 

In the private sector, a DPO is only mandatory under UK GDPR if your organisation is required to carry out large-scale, systematic monitoring of employees, or if you process special category data on a large scale as a core activity. Most mid-market employers are not legally required to appoint a DPO, but many do so as a matter of good practice, particularly where HR processes involve significant volumes of sensitive employee data.

The most frequently occurring HR data breaches involve: accidental disclosure – payroll or employee files emailed to the wrong recipient; lost or stolen devices containing unencrypted employee data; phishing attacks that compromise HR system credentials; misconfigured cloud storage making employee records publicly accessible; and failure to revoke access for former employees. 

Start by ensuring your Article 30 processing register is up to date and covers all employee data processing activities. Review your employee privacy notices. Complete DPIAs for any high-risk HR processing. Ensure you have signed Data Processing Agreements with all third-party vendors who handle employee data. Document your DSAR process and maintain records of past responses. Test your breach notification procedure. Run annual GDPR training for all staff handling personal data, and keep attendance records. 

Look for ISO 27001 (information security management), SOC 2 Type II (third-party audited security controls over time), and for UK-focused vendors, Cyber Essentials or Cyber Essentials Plus. ISO 27701 (privacy information management) is increasingly relevant given the overlap between information security and GDPR compliance. 

The right to erasure under Article 17 is not absolute. In an HR context, employees can request deletion of their data, but you can refuse if you have a legitimate reason to retain it, for example, if you need the data to defend a potential legal claim, comply with an HMRC requirement, or fulfil a legal obligation. 

As an employer, you are the data controller, you determine the purposes for which employee data is processed and the means by which it is processed. Your HR software vendor, payroll provider, or background check service is typically a data processor, they process employee data on your behalf and under your instructions. 

Sources:

1. ICO – A guide to data security 

2. ICO – Security outcomes 

3. ICO – Personal data breaches: a guide 

4. ICO – Time limits for responding to data protection rights requests 

5. ICO – How do we recognise a subject access request (SAR)? 

6. ICO – What should we consider when responding to a request? 

7. ICO – Breach response and monitoring 

8. ICO – Penalties 

9. ICO – Capita fined £14m for data breach affecting over 6 million people (press release, 15 October 2025) 

10. ICO – Enforcement actions register https://ico.org.uk/action-weve-taken/enforcement/

11. ICO – Data security incident trends 

12. ICO – Data (Use and Access) Act 2025: data protection and privacy changes 

13. GDPR Register – ICO fines British Airways £20m for data breach (republication of ICO press release, 16 October 2020 — original ICO page no longer available online)

14. GOV.UK – Data (Use and Access) Act 2025: data protection and privacy changes

15. NCSC – Password policy: updating your approach 

16. Personio – Security and Trust Center 

Sources last checked on 10-04-2026.