If you provide outsourced or retained HR services to businesses, you are a data processor under GDPR. Every time you access an employee's personnel file, handle a sickness absence record, or manage a disciplinary process on behalf of a client business, you are processing personal data on that client's behalf. That classification carries direct legal obligations — and ignoring them puts both you and your clients at regulatory risk.
This guide covers what GDPR means in practice for outsourced HR consultants and HR service providers: the mandatory agreements you need with every client, special category data in the employment context, disciplinary and recruitment records, subject access requests, TUPE obligations, and how to structure compliant relationships with your client businesses.
You Are a Data Processor — and That Changes Everything
Under GDPR, a data controller determines why and how personal data is processed. A data processor handles data on the controller's behalf. When you manage HR functions for a client business, the client is the controller — they decide what employee data exists and why — and you are their processor.
This is not a formality. As a processor, you have direct obligations under Articles 28, 29, and 32 GDPR. You can face regulatory action independent of your client. The ICO has taken enforcement action against processors, not just controllers. Your contractual indemnities from clients do not eliminate your regulatory exposure.
Mandatory Data Processing Agreements with Every Client
Article 28 GDPR requires a written Data Processing Agreement (DPA) between you and every client business before you begin handling their employee data. Operating without a DPA — even informally, even for a single project — is a breach of GDPR for both parties.
Your DPA must specify the subject matter, duration, nature, and purpose of the processing; the type of personal data involved (names, addresses, salary information, performance data, health records); the categories of data subjects (employees, job applicants, former employees); and your obligations and rights as processor.
It must also require you to process data only on documented instructions from the client; ensure staff handling the data are bound by confidentiality; implement appropriate technical and organisational security measures; assist the client with DSARs, data breach notifications, and Privacy Impact Assessments; delete or return all data at the end of the contract; and make available information necessary to demonstrate compliance.
If you do not have DPAs with your current clients, this is your most urgent compliance gap. Custodia can help you generate a compliant DPA template tailored to HR service providers.
Special Category Data in Employment HR
Employment HR is saturated with special category data — the most sensitive categories under Article 9 GDPR, which require an explicit condition to process in addition to a standard lawful basis. Common examples in HR include:
- Health data: sickness absence records, fit notes, occupational health reports, disability-related adjustments, return-to-work documentation
- Trade union membership: relevant to collective bargaining, industrial action, and some disciplinary contexts
- Religious or philosophical beliefs: relevant to reasonable adjustments, annual leave requests, dietary requirements
- Racial or ethnic origin: relevant to equal opportunities monitoring
Processing special category data requires an Article 9 condition in addition to an Article 6 lawful basis. For employment-related processing, the most relevant condition is Article 9(2)(b) — processing necessary for carrying out obligations and exercising specific rights in the field of employment law — which in the UK is given effect by Schedule 1 of the Data Protection Act 2018.
You cannot rely on employee consent as your primary basis for routine employment processing: GDPR recognises that the inherent power imbalance in an employment relationship means consent is rarely freely given.
Disciplinary and Grievance Records: What to Retain and for How Long
Disciplinary and grievance records are among the most sensitive documents you will handle for clients. GDPR's storage limitation principle requires you to retain records only for as long as there is a legitimate purpose:
- Formal written warnings: retain for the duration of the warning plus a reasonable period thereafter
- Final written warnings: retain for 12 months from the date of the warning
- Dismissal records: retain for at least 6 years (the limitation period for wrongful dismissal claims in England and Wales)
- Grievance records: retain alongside the relevant disciplinary records where connected; otherwise 6 years
- Records that informed a tribunal claim: retain until the claim is fully resolved plus limitation periods
Critically, once the retention period expires, records should be deleted — not archived indefinitely.
Recruitment Data Handled on the Client's Behalf
When you manage recruitment for a client, you are processing job applicant personal data as a processor:
- Unsuccessful applicants: retain application data for 6 months after the recruitment process closes, then delete — unless the applicant has consented to being kept on a talent pool
- Talent pools: require explicit consent from the applicant
- Interview notes: retain for the same period as other recruitment records and delete promptly
- Pre-employment checks: retain records of checks performed but delete detailed reference letters after appointment
Subject Access Requests in Employment Contexts
Employees have the right to request access to their personal data under Article 15 GDPR. In the employment context, DSARs are frequently used before or during tribunal claims — they are a discovery tool as much as a rights exercise.
The controller has one calendar month from receipt of the request to respond. Note that some employment-specific guidance refers to "30 working days" — this is not correct under UK GDPR; the correct period is one calendar month (extendable by two further months in complex cases).
As processor, you must assist the controller in responding to DSARs by searching your own systems for personal data relating to the requester and providing that data to the client promptly.
Right to Erasure: Employee Requests to Delete Their Data
Most employee data is retained on the basis of legal obligation (payroll records for HMRC) or legitimate interests (defending tribunal claims), neither of which yields to an erasure request. However, employees may legitimately ask for erasure of old disciplinary records that have passed their retention period, consent-based data where consent has been withdrawn, or data that was processed unlawfully from the outset.
Document your response to every erasure request. You must respond within one calendar month.
Background Checks and Criminal Conviction Data
Criminal conviction data is a separately regulated category under Article 10 GDPR. For HR consultants managing DBS checks:
- Only request the level of DBS check appropriate for the role (Basic, Standard, Enhanced, Enhanced with Barred List)
- Do not retain copies of DBS certificates — note the outcome and destroy the certificate
- Record the date of the check, the level, and the outcome — retain this record only for the duration of the employment
TUPE Transfer Data Obligations
When a business or service transfers from one employer to another under TUPE, this creates a data-sharing requirement. From a GDPR perspective:
- The transferor has a legal obligation basis for disclosing employee data
- The transferee must have a compliant privacy notice in place before or at the point of transfer
- Both parties should have a data sharing agreement in place
- Transferred employee data should not be used for new purposes without fresh notice and an appropriate lawful basis
Payroll Data Processing
Payroll data includes bank account details, national insurance numbers, salary, benefits, tax codes, and pension information. When you process payroll on behalf of a client, you are a processor and the client is the controller — a DPA is required before any payroll data is shared. HMRC requires employers to retain payroll records for at least 3 years from the end of the tax year to which they relate.
Monitoring Employee Communications
Monitoring employee email, internet usage, or other activity must be proportionate, transparent, documented (a DPIA is likely required for systematic monitoring), and have a lawful basis. Advising on covert monitoring without legal authority is high-risk. Always recommend clients take legal advice before implementing monitoring programmes.
HR Software as Sub-Processors
If you use HR software platforms to manage client employee data (BrightHR, Breathe HR, Personio, or similar), those platforms are your sub-processors under Article 28 GDPR. You must execute a DPA with each HR software provider and obtain your clients' authorisation before using sub-processors, and you remain liable to your clients for any failures by your sub-processors.
Data Breaches Involving Employee Records
As processor, you must notify the controller without undue delay after becoming aware of a breach. The controller then has 72 hours to decide whether to notify the ICO. Maintain an internal breach log regardless of whether external notification is made. Employee data breaches attract significant ICO scrutiny because of the sensitivity of the information involved.
Marketing to SME Employers for Retained HR Services
When marketing your HR services to prospective clients, PECR applies alongside GDPR. For sole traders and partnerships, you need opt-in consent or a soft opt-in. For limited company contacts in a business capacity, legitimate interests basis is available with a clear unsubscribe mechanism. Never purchase email lists without verified consent provenance.
Run a free scan of your own HR consultancy website at https://app.custodia-privacy.com/scan to understand what data your site is collecting about prospective clients. Custodia provides AI-powered compliance tools for small businesses and professional service providers — including DPA templates, privacy notices, and ongoing compliance monitoring tailored to HR service businesses.
GDPR compliance is not optional for HR consultants: the data you handle is among the most sensitive that exists, and handled well, strong data protection practice is a genuine differentiator when competing for retained HR contracts with SME employers who take their own obligations seriously.