Data protection issues have an impact on most HR activities, from handling recruitment and employer references to employee record-keeping and performance monitoring. So, it's crucial that employers have a solid grasp of data protection principles and law, understanding how to manage data responsibly while keeping up-to-date with legal developments.

This factsheet outlines the new Data Protection Act 2018, which currently governs data protection in the UK, as well as the General Data Protection Regulation (GDPR) and other laws affecting how organisations gather, store and use data about individuals, and individuals’ rights of access to information. It offers guidance on following good data protection practices at work and a practical action plan for organisations.

Data protection laws protect individuals from the misuse of information about them. The rapid spread of the internet and the ownership of electronic devices have made it easier to collect data, so modernised legal provisions are needed to limit the spread of data to those who need to know.

Information is easily transferred nationally and internationally, making data protection a complex global issue. For example, HR systems can be cloud-based with servers located abroad. Any international company, for example one based in the US or Russia, can hold data on UK and other European citizens.

Data protection affects most HR activities, from recruitment and references to employee record-keeping and performance monitoring. Data must be managed responsibly with sound current knowledge of all data protection principles.

The main UK legislation governing data protection is the Data Protection Act 2018 (DPA), in force from 25 May 2018 (replacing the Data Protection Act 1998). The DPA reflects the General Data Protection Regulation (GDPR), the mutually agreed framework governing organisations that hold data on EU citizens. The GDPR must be read and understood together with the DPA.

The DPA 2018 contains other rules covering, for example, data processed for immigration purposes and for criminal law enforcement. Other data legislation is summarised below.

The Information Commissioner’s Office (ICO)

The ICO promotes and enforces legislation including the DPA and is independent from government. It provides tools and guidance to aid DPA compliance and takes action where needed. There's more about its role and guidance on the ICO website.

The General Data Protection Regulation (GDPR)

The GDPR gives people rights to access information held about them. In addition, there are obligations for better data management and a regime of fines.

The UK government committed to implementing the GDPR irrespective of Brexit. Employers must ensure they are data protection compliant.

The Data Protection Act 2018 (DPA)

The DPA and GDPR contain rights concerning the processing of personal data which is held either in computerised form as part of a database or in manual records forming part of a relevant filing system.

In essence, the law means that those who decide how and why personal data is processed (data controllers) must comply with certain principles. Those whose data is held or processed (data subjects) have rights, for example in relation to accessing that data. In an employment context, employers will generally be data controllers and employees, workers, ex-employees and applicants will be data subjects. Most HR and employment files and records are covered by the DPA.

Personal and sensitive data

Personal data relates to someone who can be identified, directly or indirectly, by an ‘identifier’ such as their name, an identification number or their location. It also includes people who can be identified by various factors in online data. HR records, including sickness absence, performance appraisals, recruitment notes and so on, are personal data.

Sensitive personal data includes information about an individual’s race, ethnicity, politics, religion or beliefs, trade union status, health, sex life, sexual orientation or crimes. Genetic or biometric data (for example, fingerprint images for security or payment systems) are included. It is legitimate to process ‘sensitive personal data’ where necessary to carry out an obligation under an employment contract or collective agreement.

Criminal records are sensitive data. Checks are permissible for roles that involve working with children or vulnerable adults but cannot be carried out routinely.

Health information should only be held with explicit consent. Processing medical records may be permissible for preventative steps, assessing working capacity or confirming diagnoses.

When handling personal data, organisations must have safeguards on confidentiality. Employers must tell employees why the organisation is collecting the information, what will happen to it and who will see it.

Processing data

Processing includes obtaining, holding, retrieving, consulting and using data, or carrying out any other operation on it. There are six key principles which specify, for example, that data must be limited, processed fairly and collected for specified and legitimate purposes.

Individual rights

Data subjects have eight individual rights including the right to be informed about the processing of personal data and to be forgotten by having data deleted where there’s no compelling reason for it to be processed.

The full list of these rights on the ICO website is accompanied by useful lists for checking compliance.


Substantial penalties may be imposed if an employer doesn’t follow the data protection principles. There are enforcement sanctions and monetary penalties for serious breaches. The maximum fines are just under £17.5m, or 4% of global annual turnover, whichever is the greater. The ICO has said it will operate in a similar vein to before, which means fines are likely to be a last resort.

CIPD members should see the more detailed information on enforcement of the DPA and the GDPR in our Data protection law Q&As.

The Freedom of Information Act 2000

This well-known law affects public sector employers: it gives the public access to information held by public authorities and requires them to publish certain information about their activities.

The Telecommunications (Lawful Business Practice) Regulations 2000

These cover all telecommunications (telephone, email, fax, etc.). Employers may intercept these with the parties’ consent.

Employers can also intercept telecommunications without consent:

  • to establish facts
  • to find out if a communication is for business or private purpose
  • for quality control or training
  • to comply with regulatory or self-regulatory procedures
  • for system maintenance
  • to detect unauthorised use
  • to prevent or detect crime
  • for national security purposes.

If employers can’t demonstrate consent, they’ll need to show they took reasonable steps to inform every user that there may be interception.

The Investigatory Powers Act 2016

This controversial law is not primarily directed at the employer/employee relationship but at the communications industry. However, it affects many types of business, for example online marketplaces or website providers providing a telecommunications service. It confers powers enabling the police, government and other authorities to gather and retain data about people.

Privacy and Electronic Communications Regulations 2003 (amended 2004-2016)

These regularly updated rules regulate direct marketing activities by telephone, email or other electronic methods. They also regulate security of communications, use of cookies and 'spyware'. They govern emergency alert texts and require those making marketing calls to display their number. They complement the DPA regarding personal data safeguards. The ICO can serve monetary penalties for serious breaches.

All employers should read and follow the guide to the GDPR issued by the ICO. A fuller combined guide covering both the GDPR and DPA is due to be published in due course.

The ICO guidance covers matters such as what personal data is, lawfulness of processing, fairness and transparency. Data minimisation is also covered, plus the right to be informed and the rights of access, rectification and erasure. The right to restrict processing and the right to data portability are covered too. The following are some key areas employers should be aware of.


Organisations must demonstrate that employees were:

  • informed of the purpose and use of their personal data, and
  • given a clear explanation of how it will be treated.

Employees must consent freely to the specific use, purpose or processing of their data. Employees’ silence or lack of complaint about the processing, or consent incorporated as a standard employment contract term or in data protection policies, does not meet the required standard.

Employers must record the grounds on which they will be processing each separate category of employee data.

Lawful processing

Organisations may process personal information lawfully for six reasons including complying with an employment contract or legal obligation, and protecting the legitimate interests of the employer or a third party.


Unless a relevant exemption applies, data subjects can request and be given a copy of their reference. The obligation depends on whether the request is made of the organisation providing the reference (usually the previous employer) or the organisation that obtained the reference (the prospective employer).

CIPD members should see the more detailed information in our References law Q&As.

Email and internet

Data protection issues often surround email and internet use. Organisations need a comprehensive internet, social media and communications policy governing permitted data use.

Staff using smartphones, laptops, tablets or USB devices can raise data protection issues, as can employees’ use of their own devices for work. An effective policy must cover permissible work use of all devices. ICO guidance suggests employers underestimate the risks of personal devices being used for work. Information may be at risk if there are inadequate security measures.

Monitoring should not be intrusive, for example using traffic data (about the routing, duration or timing of messages) rather than accessing email content. Both the DPA and Telecommunications Regulations must be complied with.


Employers must demonstrate data protection compliance by training, auditing and documenting processing activities, and reviewing HR policies, as well as:

  • appointing a data protection officer (DPO) where appropriate – see below
  • only collecting personal data that is adequate, relevant and necessary
  • removing names from data (anonymisation) or using encryption to pseudonymise it (pseudonymisation conceals identities but allows them to be recovered)
  • being open with employees about data processing and allowing them to monitor it
  • improving data security features
  • identifying and limiting any detrimental effects on individual privacy.

Data protection officers (DPOs)

Any organisation can appoint a DPO, but organisations must appoint one if they:

  • are a public authority
  • carry out large scale systematic monitoring of individuals
  • carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

DPOs report to the highest management level (usually the board). They must be given adequate resources, have a degree of independence, and protection from dismissal or detrimental treatment in connection with performing their duties.

Subject access requests (SARs)

SARs are written requests for information made by individuals under the DPA. Organisations must respond free of charge and without ‘undue delay’, which means within a month. The number of SARs that can be made is unrestricted, although some unspecific SARs, or those made for purposes unrelated to data protection, can be refused.

SARs may be used to obtain preliminary information before a tribunal claim, although normal tribunal disclosure requirements entitle employees to more information than SARs. Organisations must comply if SARs arise during disciplinary processes too.

Employers should:

  • identify who is responsible for responding to SARs and provide sufficient training
  • make managers and HR aware of the DPA rules governing requests
  • deal with SARs efficiently.

When organisations receive SARs, they should:

  • check the scope of the request
  • identify onerous requests or those made for non-data protection purposes
  • set clear deadlines for responding
  • follow a response procedure.

The ICO has a useful checklist. Breaching the SAR rules attracts fines.

Sharing and transferring personal data

Third parties, such as payroll providers, external HR and recruitment agencies process employee data. The employer must ensure the third party is data protection compliant and:

  • clarify the information needed and why, and what the receiving organisation will do with it
  • only share essential data
  • anonymise or pseudonymise the data
  • check contract terms with third parties are GDPR compliant
  • check the relevant requirements for overseas transfers of data.

It may be possible to avoid sending personal data, or there may be a legitimate processing ground (thereby avoiding issues of employee consent).

Data security

Data security must be appropriate to the processing risks. The size of the organisation, the nature of information processed, and the potential harm from security breaches are all relevant.

In addition to clear policies covering security incidents, organisations should:

  • carry out risk assessments of data systems and act on the results
  • maintain up-to-date security systems (for example, using firewalls and encryption technology)
  • restrict access to personal data to those who need it
  • train staff on data security
  • review data security regularly.

Record-keeping and correction

Organisations with over 250 employees must keep clear, accessible records of all their data processing activities. Smaller organisations only need to record any data processing they do regularly, or any processing of personal data which is sensitive, or could be harmful to, or intrude on the personal life of, the person concerned. The ICO can inspect records at any time. Data should only be kept for as long as needed to fulfil the purpose.

Organisations should:

  • think about the purpose of data retention
  • consider any legal requirement to keep the data for a period of time (tax records, for example)
  • decide whether the data is needed to defend a potential claim (such as information about a job applicant who now alleges discrimination)
  • be able to justify retaining the data
  • respond to correction requests within the timeframe.

Find out more on UK statutory and recommended time periods for keeping HR records.

Organisations should:

  • Appoint a data protection officer to cover all aspects of information including DPA and Freedom of Information Act compliance.
  • Audit information systems to find out who holds what data, and why.
  • Consider how data is used, and issue guidelines for managers about how to manage data.
  • Ensure that all information collected complies with the DPA and GDPR.
  • Check the security of information stored.
  • Check the transfer of data internationally.
  • Check the organisation’s use of automated decision making.
  • Review policies and practice for example for references and the private use of telephones, email and post.
  • Monitor data compliance from May 2018 onwards.


Information Commissioner’s Office Tel: 01625 545745 (information line)

Information Commissioner’s Office – data protection reform, including preparing for the GDPR

GOV.UK - data protection

GOV.UK - personal data an employer can keep about an employee

General Data Protection Regulation Portal 

Acas – GDPR 

Books and reports

BYGRAVE, L.A. (2014) Data privacy law: an international perspective. Oxford: Oxford University Press.

CAREY, P. (2015) Data protection: a practical guide to UK and EU law. 4th rev ed. Oxford: OUP.

VOIGT, P. and von dem BUSSCHE, A. (2017) The EU General Data Protection Regulation (GDPR): a practical guide. Springer.

Journal articles

GDPR: what employers need to know – 1. (2018) IDS Employment Law Brief. No 1091, April. pp10-19.

GDPR: what employers need to know – 2. (2018) IDS Employment Law Brief. No 1092, May. pp15-19.

HANNAH, D.R. and ROBERTSON, K. (2015) Why and how do employees break and bend confidential information protection rules? Journal of Management Studies. Vol 52, No 3, May. pp381-413.

THOMPSON, S. (2018) What to do after the GDPR. People Management website. 18 May. 

TREVELYAN, L. (2018) The GDPR: everything you know about data protection is changing. People Management website. 22 February.

CIPD members can use our online journals to find articles from over 300 journal titles relevant to HR.

Members and People Management subscribers can see articles on the People Management website.

This factsheet was last updated by Lisa Ayling and Rachel Suff.

Lisa Ayling

Lisa Ayling: solicitor and employment law specialist

Lisa is a lawyer with many years’ experience of contentious and non‐contentious employment law. During her career she has advised companies and individuals on diverse legal issues including contractual disputes, restrictive covenants, TUPE, redundancy, unfair dismissal and discrimination. Her practical experience includes all stages of claims in the employment tribunal, High Court and Appeal courts and many negotiated settlement agreements.

As well as writing and editing employment law content for the CIPD, Lisa lectures extensively on employment law, including years as a senior lecturer and leader of the employment team at BPP University and on the LLM programme at Kingston University. She has delivered numerous professional development courses for other members of the law profession, as well as assessing trainees on their advocacy, research and drafting skills.

Rachel Suff

Rachel Suff: Employee Relations Adviser

Rachel Suff joined the CIPD as a senior policy adviser in 2014 to help shape the public policy debate to champion better work and working lives. Rachel is a policy and research professional with over 20 years’ experience in the employment and HR arena. An important part of her role is to ensure that the views of the profession inform CIPD policy thinking on health and wellbeing and employment relations. She has recently led a range of policy and research studies about health and well-being at work, and represents the CIPD on key advisory groups, such as the Royal Foundation’s Heads Together Workplace Wellbeing programme. Rachel is a qualified HR practitioner and researcher with a master’s in Human Resource Management from Portsmouth University and a post-graduate diploma in social research methods from Sussex University; her prior roles include working as a researcher for XpertHR and as a senior policy adviser at Acas. 
