Why GDPR Is Central to HR Practice
HR teams handle some of the most sensitive information an employer holds — health conditions, disciplinary matters, salary details, performance assessments, and personal circumstances. Under UK GDPR the employer is the controller, and HR managers are the people responsible day to day for making sure this data is handled lawfully, kept accurate, retained no longer than necessary, and protected by appropriate technical and organisational measures.
Lawful Bases in Employment
Performance of a contract covers payroll, benefits and day-to-day administration of the employment relationship. Legal obligation covers HMRC reporting, statutory record keeping and right to work checks. Legitimate interests covers proportionate monitoring, provided you document a balancing test and tell staff what is monitored and why. Consent is rarely a sound basis in employment because the power imbalance means it is unlikely to be freely given, and it can be withdrawn at any time; use it sparingly and never for processing the employee cannot realistically refuse.
Recruitment
Provide a candidate privacy notice at first contact, whether that is an application form, a job board or a recruiter's email. Retain unsuccessful candidate data only for the period set in your retention policy (6 months is the usual benchmark) and delete it afterwards unless the candidate has agreed to stay on a talent pool. Tell candidates when automated shortlisting or scoring tools are used; where a decision is based solely on automated processing and significantly affects the candidate, they have the right to human review. Carry out pre-employment checks (references, DBS, qualifications) on a valid lawful basis and only once the check is actually needed, not for every applicant.
Health Data
Sickness and medical information is special category data, so you need both a lawful basis and a separate condition for processing it (typically employment law obligations, backed by an appropriate policy document). Store sickness and medical records separately from the general personnel file, with access restricted to the people who need it. Share occupational health reports on a need-to-know basis: a line manager needs to know about functional limitations and recommended adjustments, not the diagnosis. Always have a data processing agreement (an Article 28 contract) in place with your absence management system supplier, and check where the supplier stores the data.
Employee SARs
Respond within one calendar month of receipt; this can be extended by a further two months only where the request is genuinely complex, and you must tell the employee within the first month if you are extending. Search systematically across every place the data may live — email, HR systems, manager files (including personal notes), instant messaging and any shared drives — and keep a record of what was searched. Apply exemptions carefully: third-party information (for example a colleague's complaint) can be withheld or redacted only after weighing the other person's interests against the requester's, and legal privilege covers advice from lawyers, not every document copied to the legal team.
How Custodia Helps
Custodia's AI-powered compliance platform helps HR teams manage data protection systematically. Start your free trial.