Kate Underwood HR & Training logo header
Home
Service Plans
HR Advice LineHR ProtectHR ExcelHR Business PartnerFractional HR Director
Additional Services
Independent AppealsSafeVoiceHR SoftwareFlu Voucher 2025Employment Rights Act AdviceYourAppraisal
KUHR Training (Our LMS)
Your PeoplePricingPodcastBlog
About UsPress
Book a Call
  1. Home
  2. Blog
  3. Legal
  4. Storing HR Records and GDPR: A Small Business Guide
Legal

Storing HR Records and GDPR: A Small Business Guide

kate-underwood
14 January 2026
8 min read
Storing HR Records and GDPR: A Small Business Guide

HR files in inboxes, drives and drawers? GDPR isn’t a tech project, it’s knowing what you hold, why, and for how long. A practical small-business guide to tidy, secure HR records.

#gdpr-hr-records#gdpr-compliance-for-small-business#hr-records-retention-policy

Simple records, short policies, good habits

GDPR for small business: HR records, retention and security

Picture this. Your HR data lives in a filing cabinet, a shared drive, and three inboxes. Nobody planned it. It just crept in. CVs, sick notes, old payroll files, leaver records. GDPR for small business is not a tech project. It is three simple questions: what do you hold, why, and for how long?

Hazel, our Chief Wellbeing Officer, keeps a flawless log of every biscuit she is owed. If only the rest of us were that organised.

Quick Answer Box

  • Do this: know what personal data you hold, why you hold it, and set a retention period for each type.
  • Avoid this: keeping everything forever, storing sick notes in a shared drive, and having no plan for a data breach.
  • Write down: a retention schedule, your lawful basis for each record type, and a simple breach and subject access process.

What UK GDPR actually asks you to do?

Two laws set the rules in the UK: UK GDPR and the Data Protection Act 2018. They apply to every employer, big or small. No exceptions.

Here is the plain English version of the core principles:

  • Lawful basis: have a valid reason for each record.
  • Data minimisation: only keep what you need.
  • Accuracy: keep records current and correct errors.
  • Storage limitation: set a clear retention period.
  • Security: protect data from loss, theft, and snooping.

> Expert note: "UK GDPR applies to personal data, meaning any information relating to an identifiable person."

> Source: ICO, Guide to UK GDPR.

Helpful resource: the ICO's guide has practical checklists for SMEs. See ICO: UK GDPR guidance.

Why this matters for SMEs?

  • The UK has around 5.5 million small businesses, making up the vast majority of employers. Source: Department for Business and Trade, Business population estimates 2023.
  • Half of UK businesses reported a cyber breach or attack in the last year. Source: Cyber Security Breaches Survey 2024, Gov.uk.

Translation for you and your team: GDPR for small business is about simple records, short policies, and good habits. Get the basics right and stress levels drop.

Which HR records to keep, and how long?

There is no single set number of years for most HR data. Retention depends on the legal need and how long claims or HMRC checks could arise. So you create a schedule and stick to it.

Common HR record categories

  • Payroll and tax records. HMRC sets specific periods. Check the current PAYE guidance on Gov.uk before you fix your timeline.
  • Statutory pay records. SMP and SSP have their own rules which change. Confirm the latest on Gov.uk.
  • Right to work checks. Keep for the employment period and a set time after. Follow current Home Office guidance. Get the initial check right to avoid trouble. Our guide to right to work checks helps you avoid the usual traps.
  • Recruitment records. Keep for a short, set time to handle complaints or queries. Then delete.
  • Working time and holiday records. Keep enough to prove compliance. Record duties may tighten under the Employment Rights Act 2025. Check the live position before you act.

Sample retention planner

Record typeLawful basisTypical driverAction
Payroll and PAYELegal obligationHMRC rulesFollow current Gov.uk retention period
SMP/SSP recordsLegal obligationStatutory pay rulesFollow current Gov.uk guidance
Right to workLegal obligationHome Office guidanceKeep for employment plus set period, then delete
Candidate dataLegitimate interestsTime to respond to queriesKeep briefly, then delete
Working time/holidayLegal obligationERA and WTR dutiesKeep enough to show compliance

Principle to stick to: keep each record only while you have a real reason. Then delete or anonymise. "Just in case, forever" is a risk, not a plan.

Store HR data securely

Hybrid work means staff data sits on laptops, phones, and home Wi-Fi. That is fine if you set a few basics.

Practical measures for small teams

  • Strong, unique passwords and multi-factor authentication for systems with staff data.
  • Full disk encryption on laptops and mobiles.
  • Access on a need-to-know basis. Payroll is not a team sport.
  • No staff data in personal email or open shared folders.
  • Secure disposal. Shred paper, wipe devices.

You do not need a huge budget. You do need to know where data lives and close obvious gaps.

Special category data needs extra care

Health records, sick notes, fit notes, and occupational health reports are special category data. So are details on race, religion, and trade union membership.

Treat this data with extra care:

  • Store it separately from general personnel files where you can.
  • Restrict access to named people only.
  • Never share health details with the wider team.
  • Keep it only for as long as needed for the clear purpose.

If you manage absence, you are handling special category data. Check where it is kept and who can open it.

Subject access requests: be ready

Any current or former worker can ask for a copy of their personal data. That is a subject access request. They often land during a dispute.

Key points to remember:

  • You generally have one month to respond. Complex cases can extend. Check the current timescales on the ICO site.
  • The clock starts as soon as the request is made, even in a short email.
  • You usually cannot charge a fee.

Plan now. Decide who leads, where data sits, and how you gather it fast.

If data goes missing

A lost laptop. An email sent to the wrong person. A spreadsheet shared in error. These are personal data breaches. Your response matters.

Four steps

1) Contain it. Recover devices, reset access, recall emails where possible.

2) Assess risk to the people affected.

3) Report if needed. If rights are at risk, you may need to report to the ICO within 72 hours. See ICO breach reporting guidance.

4) Tell affected staff if the risk to them is high.

Log every breach. Even the ones you choose not to report.

What to write down?

Keep it short and useful:

  • A retention schedule listing each record type, why you hold it, and for how long.
  • Your lawful basis for staff data, plus the added condition for special category data.
  • Who has access to what, and how access is removed when someone leaves.
  • A simple subject access playbook: who leads, where data is, how to export it.
  • A breach process and a breach log.

Two clear pages that people follow beats a 50-page policy nobody reads.

Common mistakes to avoid

  • Thinking GDPR does not apply because you are small.
  • Keeping everything forever to be "safe".
  • Storing sick notes and health data in open folders.
  • Guessing how long to keep right to work or payroll records.
  • No SAR plan until one arrives.
  • Treating a lost laptop as only an IT issue.

Final thoughts and next steps

GDPR for small business is about good housekeeping. Decide what you hold, why, and for how long. Store it safely. Handle health data with care. Know how to respond to a request or a breach. Nail the retention schedule and the rest becomes manageable.

If your HR records live in three places and none of them feel tidy, that is exactly what we sort in an HR Health Check. Want a friendly sanity check first Put a short discovery call in the diary and we will map the gaps. Kettle On, Standards Up.

FAQs

  • How long should I keep employee records in the UK?

Keep them for as long as there is a clear legal or business need, then delete or anonymise. Check Gov.uk for specific items like PAYE, SMP, and SSP.

  • Do small businesses need a Data Protection Officer?

Most SMEs do not, but you still need someone responsible for data protection tasks. Check ICO criteria for when a DPO is required.

  • What is a lawful basis for processing employee data?

Common bases include legal obligation, contract, and legitimate interests. Special category data needs an extra condition.

  • How do I handle a subject access request?

Acknowledge fast, confirm identity, gather data from agreed sources, and respond within one month. Keep a log.

  • What counts as a personal data breach?

Loss, theft, unauthorised access, or disclosure of personal data. Contain, assess, and report to the ICO if risk to people is likely.

  • Is Excel or email OK for HR data?

Short term, with protection and access limits, maybe. Long term, use a secure HR system with access controls and audit trails.

Sources:

  • ICO: UK GDPR guidance
  • Gov.uk: PAYE record keeping
  • Home Office: Right to work checks
  • Cyber Security Breaches Survey 2024
  • DBT Business population estimates 2023
Kate Underwood

About Kate Underwood

HR consultant and founder of Kate Underwood HR. Providing HR Support for Small Businesses for over 10 years; in Hampshire, Dorset and across the UK.

LinkedInBook a Call
Previous
The essential HR policies every small business needs
Next
Autumn Budget 2025: What it really means for small businesses

Areas Covered

We provide HR consulting services for small business owners across the UK, including:

Hampshire (Andover, Basingstoke, Fareham, Portsmouth, Southampton, Winchester), New Forest, London, Dorset (Bournemouth), Surrey (Guildford, Farnham)

Quick Links

  • Welcome
  • Pocket HR
  • About
  • Press
  • Media Kit
  • Blog

Resources

  • Podcast
  • HR Health Check
  • Book a Call
  • Holiday Entitlement Guide
  • HR Templates & Store
  • Monthly HR Checklist
  • Dignity at Work Toolkit
  • Newsletter
  • Privacy Policy
  • Cookie Policy
  • Terms & Conditions
  • RSS Feed

Quick Contact

  • Kate Underwood HR & Training

    32b, New Forest Enterprise Centre,

    Chapel Lane, Totton,

    Southampton SO40 9LA

  • 02382 025160
  • hello@kateunderwoodhr.co.uk

Follow Me

LinkedIn

Areas We Serve

HR Services for Small Businesses across the UK
Hampshire·Andover·Newbury·Portsmouth·Ringwood·Romsey·Salisbury·Southampton·Verwood·Winchester

© 2026 Kate Underwood HR & Training. All rights reserved.

Kate Underwood HR & Training logo footer