Data Protection for Employees

Employers must comply with UK GDPR and the Data Protection Act 2018 when processing employee data. This includes providing privacy notices, having lawful bases for processing, conducting DPIAs for high-risk processing, and responding to subject access requests within one month.

Last updated: February 2025

Key figures:

  • SAR response time: 1 month
  • Maximum ICO fine: £17.5 million or 4% of annual worldwide turnover, whichever is higher
  • Data retention (typical): 6 years post-employment

What the Law Says

The UK GDPR (the EU GDPR as retained and amended in UK law) and the Data Protection Act 2018 require employers to process personal data lawfully, fairly and transparently. Employee consent is rarely an appropriate lawful basis because the power imbalance means it is unlikely to be freely given and can be withdrawn at any time; employers should instead rely on contractual necessity, legal obligation or legitimate interests. Special category data (for example health information or trade union membership) needs both a lawful basis and a separate Article 9 condition, which for employment purposes usually means meeting a Schedule 1 condition of the Data Protection Act 2018 and maintaining an appropriate policy document.

Your Obligations as an Employer

  • Provide a comprehensive employee privacy notice before processing begins (and a separate candidate privacy notice for recruitment data)
  • Conduct Data Protection Impact Assessments for high-risk processing such as systematic monitoring or large-scale special category processing
  • Respond to subject access requests within one calendar month, extendable by up to two further months for complex or numerous requests, provided the employee is told within the first month
  • Appoint a Data Protection Officer where required, i.e. for public authorities, or where core activities involve regular and systematic monitoring of individuals on a large scale or large-scale processing of special category data

What to Include in Contracts

Include a data protection clause explaining what personal data is processed, the lawful basis, retention periods, and a reference to the full privacy notice. Put written Article 28 data processing terms in place with any third-party processor handling employee data (payroll bureaus, HR software, occupational health providers), covering the subject matter and duration of processing, confidentiality, security measures, sub-processor approval, assistance with data subject requests, and deletion or return of data at the end of the contract.


Common Mistakes

  • Relying on consent as the lawful basis for processing employee data
  • Not providing an employee privacy notice
  • Retaining employee data indefinitely after they leave

FAQ

Can an employer access employee emails?

Only if there is a clear policy informing employees that emails may be monitored and why, the monitoring is proportionate to the aim and no less intrusive means would achieve it, a legitimate reason exists (for example security or regulatory compliance), and a DPIA has been conducted before monitoring begins. Covert monitoring is only justified in exceptional circumstances, such as a reasonable suspicion of criminal activity or serious misconduct, and should be authorised at senior level and strictly limited in scope and duration.

How long can employers keep employee records?

There is no single statutory retention period. HMRC requires PAYE records to be kept for at least 3 years from the end of the tax year they relate to, and many employers keep payroll records for 6 years to align with accounting record requirements. Health surveillance records required under COSHH must be kept for 40 years from the date of the last entry. Most other employment records should be kept for 6 years after employment ends to cover the limitation period for contract claims, with a documented retention schedule and secure deletion once each period expires.

Stay compliant with UK employment law

AccountsOS generates compliant contracts and keeps you updated on your obligations. From £10/month.


This is guidance for UK employers, not legal advice. For complex employment law matters, consult a qualified employment solicitor or ACAS.
