Why is HR GDPR compliance important?
The Data Protection Act 2018 and the General Data Protection Regulation (GDPR) were introduced to protect individuals from the misuse of their personal data in the digital age. Failing to comply with either the Data Protection Act or the GDPR can lead to regulatory action, including financial penalties.
Employers often create internal policies intended to align with the GDPR and the Data Protection Act 2018, drawing on official ICO guidance, and many also work to ensure their teams understand the relevant data-protection concepts. When creating such policies, many organisations consult professional legal advisers. This can cover areas like:
- How to deal with possible GDPR breaches in your company;
- Gaining a greater understanding of what compliance with the GDPR entails for your company;
- Working out whether your organisation acts as a data processor or a data controller, which determines its responsibilities under the GDPR;
- Providing advice to your HR team on following the GDPR;
- How to gain consent from your customers and how you plan to use their data;
- Creating GDPR contracts.
UK data protection legislation and legal bodies
If your organisation processes customer or employee data – in other words, if your HR team is processing people’s data – it helps to understand the UK legislation around data protection. There are three acronyms you should remember for appropriate HR GDPR compliance, as they are used throughout this article:
What is the Information Commissioner’s Office (ICO)?
The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection. It publishes guidance on the legislation and enforces it, and although it is established by statute it operates independently of the UK government. You can contact the office to find out more about how to comply with the Data Protection Act 2018.
What is the General Data Protection Regulation (GDPR)?
The General Data Protection Regulation (GDPR) is the regulation that gives people rights over the personal data organisations hold about them, and places an obligation on those organisations to manage that data safely and correctly. Under the GDPR, individuals have the following rights with regard to the collection and use of their personal data:
- Individuals have the right to be informed about the collection of their personal data;
- They have the right to access this data;
- They have the right to rectify this data;
- They have the right to erase this data;
- They have the right to restrict your processing of this data;
- They have the right to data portability;
- They have the right to object to certain processing;
- They have rights in relation to ‘automated decision-making and profiling’.
Organisations typically document how employees have been informed about the collection of their data and the reasons for processing it, including an explanation of how the organisation plans to use it.
What is the Data Protection Act 2018 (DPA)?
The Data Protection Act 2018 (DPA) works alongside the GDPR to give people rights in relation to your processing of their personal data. The DPA requires every organisation that processes personal data, whether as a controller or a processor, to follow certain rules around how it uses the data it collects from individuals (‘data subjects’). Data subjects in turn have rights of access to that data.
How to create an HR action plan in compliance with the GDPR
Some organisations create an action plan with their HR team to help structure their GDPR-related activities. This can involve the following HR GDPR initiatives:
- Assessing your current data systems, including the security of these systems;
- Assessing how you are currently using sensitive personal data;
- Regular monitoring of HR GDPR and company-wide GDPR compliance;
- Checking the security of any international transfers of data that you make;
- Reviewing your current policies and data handling practices surrounding personal references or the use of email, telephone or other mail delivery services.
It is also important to understand your organisation’s role in the processing of individuals’ data, because your responsibilities under the GDPR depend on that role.
Deciding whether you are a data processor or data controller, or a joint data controller
An important part of working out which areas of the UK GDPR you need to comply with is working out whether you are a data processor, a data controller or a joint controller. Under the legislation, data controllers carry the primary responsibility for compliance, because, as ICO guidance explains, they are the party that determines how and why personal data is processed.
Data controllers
A data controller decides why and how the data collected will be processed. Data controllers therefore carry more responsibilities under the GDPR than processors do.
According to ICO guidance, an organisation is likely to be a data controller when it determines the purposes and means of processing personal data, for example if:
- You collect personal data for the purposes of your company processing it;
- You and your company decide the reason for processing the data;
- You get to decide whose data you are collecting;
- You are collecting data from your employees;
- Your relationship with the individuals you are collecting data from is direct;
- You have decided who will be processing the data;
- You are collecting data for your own commercial benefit;
- You are processing the data as a result of a contract between you and the data subject.
If you are in any doubt about whether you are the sole controller of the data, it may be helpful to seek legal advice.
Joint controllers
Being a joint controller is very much like being a controller, except that you determine the purposes and means of processing together with another controller. Joint controllers are expected to agree between themselves who is responsible for which obligations, but ICO guidance is clear that each joint controller remains responsible for complying with the GDPR.
You are a joint controller if:
- You are working with another controller on fulfilling the same processing objective;
- You are processing data for the same reason as another controller you are working with;
- You and another controller are both using the exact same sets of data for processing;
- You created your data process with another controller;
- You share common information management rules with another controller.
Whether or not you have taken on the primary role, every joint controller must follow the GDPR; the ICO’s official guidance outlines the regulatory actions that may apply in cases of serious non-compliance.
Data processors
A data processor processes personal data on behalf of a data controller. You are acting as a data processor if:
- You are processing data on behalf of a data controller;
- You are not responsible for deciding the reason for the collection of this personal data;
- You are not responsible for deciding to collect the personal data;
- You are not responsible for whether this data should be disclosed, including to individuals;
- You are not deciding the lawful reasons for the collection of this personal data;
- You are not responsible for the end result of the processing of the data you have collected;
- A third party has given you the data, along with instructions on what to do with it.
Being a data processor means you have fewer responsibilities under the GDPR than the data controller, but you still have direct obligations of your own; ICO resources outline the obligations that apply to organisations acting as data processors.
What does ‘processing’ mean according to the UK GDPR?
According to Article 4(2) of the UK GDPR, ‘processing’ means: ‘any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction’. In practice, almost anything your HR team does with employee data, including simply storing it, counts as processing.
Types of data your HR team might be processing
There are two main categories of personal data that your HR team might be processing:
- Personal data, which includes identifiers such as a name, location or identifying number, as well as any other information relating to an identifiable person, such as notes or appraisals;
- Special category (sensitive) data, which under Article 9 of the UK GDPR covers racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to identify someone (such as fingerprints), health data, and sex life or sexual orientation. Criminal records and other criminal offence data are not formally ‘special category’ data but are treated separately under Article 10 and require similar safeguards.
Health-related information is special category data and is subject to stricter conditions under UK data-protection law. Employers sometimes need to access health-related information to support workplace adjustments, where it is appropriate and lawful to do so.
Processing personal data vs special category sensitive data
ICO guidance explains that organisations processing special category data generally need both a lawful basis under Article 6 and a separate condition under Article 9. There are ‘10 conditions for processing special category data in Article 9 of the UK GDPR’ and ‘Five of these require you to meet additional conditions and safeguards set out in UK law, in Schedule 1 of the DPA 2018.’ Some organisations prepare an appropriate policy document or a data protection impact assessment (DPIA) when handling this higher-risk data, following ICO guidance.
What penalties are there if I do not follow UK GDPR rules?
If your HR department does not follow the GDPR correctly, or fails to act on an ICO enforcement notice or to cooperate with an ICO investigation, your organisation may face large penalties. Official ICO resources set out the maximum fines available under the GDPR framework. These are upper limits: fines at that level are rare and are reserved for the most serious breaches.
Adhering to the GDPR and the DPA is a primary concern for your organisation, and especially for your HR team, which processes personal and special category data about your employees. Organisations should familiarise themselves with the GDPR and the DPA and have a legal team advise on any company policy they create around adherence to current UK data-protection legislation.
Organisations should also understand how personal and special category data are defined in official guidance, and what is required to process special category data lawfully. Failure to process personal and sensitive data correctly could result in regulatory action by the Information Commissioner’s Office. It is a good idea to create an HR GDPR action plan, with your HR team communicating the processes for correct GDPR compliance to the whole company. Some organisations also designate a data protection officer as part of their internal governance structure.