GDPR And Employee Personal Data

What SMEs Need To Know

Employee personal data is one of the most sensitive types of information many SMEs hold. Personnel files, payroll records, sickness absence information, disciplinary records and recruitment documents can all contain confidential and sensitive personal data. As businesses grow, employee information can easily become spread across emails, laptops, cloud systems, messaging apps and paper records. Without clear processes, this can create significant GDPR, confidentiality and operational risks for employers.

What Counts as Employee Personal Data

Under the UK GDPR and the Data Protection Act 2018, employee personal data is any information relating to an identified or identifiable individual in the workplace. This includes personnel files, payroll details, performance reviews, emails, and even informal manager notes that mention an employee. Employers must handle this data carefully, as it broadly falls into the following categories:

Standard Personal Data

This includes any details that can directly or indirectly identify an employee:

  • Recruitment: CV, interview notes and pre-employment checks such as references and right-to-work-in-the-UK documentation.
  • Contact & Identity: Name, address, date of birth, personal email, phone numbers, and National Insurance number.
  • Employment Contract: Job title, hours of work, and training records.
  • Payroll: salary, bank details, pension information.
  • Performance & Conduct: Appraisals, disciplinary records, grievance notes, and interview notes.
  • Digital & Physical: Work emails, managers' written notes, WhatsApp messages, team meeting records, IP addresses, CCTV footage, and electronic swipe-card logs.

Right To Work In The UK
Employers should also ensure documents such as right-to-work records are retained securely and only accessed where necessary.

Special Category Data

Certain types of employee data are highly sensitive and require a stricter legal basis and safeguards to process:

  • Health and medical records (including sick notes, return-to-work meeting notes, and occupational health reports)
  • Racial or ethnic origin
  • Trade union membership
  • Religious, philosophical, or political beliefs
  • Sexual orientation, sex life, or genetic/biometric data

Common Employee Data Risks for SMEs

Examples of common risks for SMEs are:

  • Managers storing employee files locally on their own devices,
  • Shared passwords for HR or payroll systems,
  • Employee data left sitting in email inboxes,
  • Confidential matters discussed over WhatsApp,
  • Medical information shared informally,
  • Excessive access permissions,
  • Unclear or unenforced retention periods,
  • Former employee records kept indefinitely,
  • Lost or stolen laptops,
  • Home working without secure storage arrangements.

GDPR & Legal Obligations

Employers are responsible for ensuring that employee personal data is processed lawfully, stored securely and only accessed by those who genuinely need it for business purposes. Employee records often contain sensitive information including payroll data, disciplinary records, sickness absence information, medical information and recruitment documentation, all of which should be handled carefully and confidentially.

Under UK GDPR, businesses should ensure that employee information is:

  • Collected for legitimate business purposes,
  • Kept accurate and up to date,
  • Retained only for as long as necessary,
  • Protected against unauthorised access, and
  • Stored securely whether held electronically or in paper files.

SMEs should also be aware that employee personal data may exist across multiple systems and locations, including emails, cloud storage platforms, payroll software, mobile devices, messaging applications and manager notes. Without clear processes, sensitive information can easily become fragmented, duplicated or accessible to individuals who do not require access to it.

Particular care should be taken when handling special category data such as medical information, disability information or other sensitive employee records. Access to this information should usually be restricted and businesses should ensure managers understand their responsibilities around confidentiality and data handling.

Employers should also be prepared to respond appropriately to subject access requests (SARs). In practice, this can include reviewing not only formal personnel files, but also emails, meeting notes, instant messages and other employment-related records. Poor record management can make responding to SARs significantly more difficult and may expose weaknesses in wider HR processes.

Clear HR procedures, secure systems, appropriate manager training and regular reviews of employee record keeping processes can help SMEs reduce GDPR risks while demonstrating that employee information is being managed responsibly and consistently.

Subject Access Request (SAR) Risk

Many SMEs only become fully aware of weaknesses in their employee record keeping processes when they receive a subject access request (SAR). Employees have the right to request access to personal data held about them, and this can include far more than the contents of a formal personnel file.

In practice, relevant information may also exist within:

  • Emails,
  • Manager notes,
  • Disciplinary records,
  • Sickness absence documentation,
  • WhatsApp or Teams messages,
  • Meeting notes,
  • Internal communications, and
  • Recruitment records.

Where employee information has been stored inconsistently or informally, responding to a SAR can quickly become time-consuming and difficult to manage. Businesses may struggle to identify where information is held, who has access to it or whether sensitive information has been retained appropriately.

Subject access requests can also arise during difficult employment situations such as grievances, disciplinaries, performance concerns or tribunal disputes. In these circumstances, poorly worded manager comments, informal messages or inconsistent documentation can potentially create additional employee relations and legal risks.

SMEs should therefore ensure that managers understand that employment-related communications may later need to be disclosed as part of a formal data request. Clear record keeping procedures, appropriate manager training and consistent HR documentation processes can help businesses respond more confidently while reducing the risk of unnecessary exposure.

Process & Documentation

Good Employee Data Management Depends on Clear Processes

Protecting employee personal data is rarely achieved through a single policy or system alone. In most SMEs, effective data protection depends on having clear and consistent HR processes that are understood and followed across the business.

Employee Handbooks
Clear HR policies and manager guidance can help businesses handle employee information more consistently and securely.

As organisations grow, employee information can easily become spread across shared drives, emails, personal devices, paper files and messaging platforms. Without defined processes, businesses may lose visibility over who has access to sensitive information, how long records are being retained or whether documents are being stored securely.

SMEs should ensure there are clear procedures covering:

  • Who can access employee records,
  • Where employee information should be stored,
  • How sensitive information should be shared,
  • Retention and deletion periods,
  • Password and access controls, and
  • How managers should handle confidential employee matters.

Managers also play an important role in reducing data protection risks. Informal practices such as retaining employee information in personal inboxes, saving documents locally or discussing confidential matters through unsecured messaging channels can create unnecessary exposure for the business. Providing managers with practical guidance on record keeping and confidentiality can help improve consistency and reduce risk significantly.

Well-organised HR systems, secure storage arrangements and documented procedures can help SMEs manage employee information more confidently while demonstrating a responsible and compliant approach to employee data protection. In many cases, improving processes and consistency is far more effective than reacting to problems after a data breach, grievance or subject access request has already arisen.


Need Support Reviewing Your Employee Data Processes?

Many SMEs develop HR and employee record systems gradually over time, particularly as businesses grow. This can lead to inconsistent processes, unnecessary access to sensitive information and increased GDPR risk.

KEA HR supports SMEs with practical HR documentation, employee record management and HR compliance processes designed to help businesses manage employee information more securely and consistently.


Kathryn

Kathryn is a highly experienced HR Manager with a wealth of skills and knowledge acquired across a variety of industries including manufacturing, health and social care and financial services. She has worked in small localised businesses and larger multi-sited organisations and is comfortable liaising with senior managers and union officials as well as answering queries from team members.