Storing HR Records and GDPR: A Small Business Guide

HR files in inboxes, drives and drawers? GDPR isn’t a tech project, it’s knowing what you hold, why, and for how long. A practical small-business guide to tidy, secure HR records.
Simple records, short policies, good habits
GDPR for small business: HR records, retention and security
Picture this. Your HR data lives in a filing cabinet, a shared drive, and three inboxes. Nobody planned it. It just crept in. CVs, sick notes, old payroll files, leaver records. GDPR for small business is not a tech project. It is three simple questions: what do you hold, why, and for how long?
Hazel, our Chief Wellbeing Officer, keeps a flawless log of every biscuit she is owed. If only the rest of us were that organised.
Quick Answer Box
- Do this: know what personal data you hold, why you hold it, and set a retention period for each type.
- Avoid this: keeping everything forever, storing sick notes in a shared drive, and having no plan for a data breach.
- Write down: a retention schedule, your lawful basis for each record type, and a simple breach and subject access process.
What UK GDPR actually asks you to do?
Two laws set the rules in the UK: UK GDPR and the Data Protection Act 2018. They apply to every employer, big or small. No exceptions.
Here is the plain English version of the core principles:
- Lawful basis: have a valid reason for each record.
- Data minimisation: only keep what you need.
- Accuracy: keep records current and correct errors.
- Storage limitation: set a clear retention period.
- Security: protect data from loss, theft, and snooping.
> Expert note: "UK GDPR applies to personal data, meaning any information relating to an identifiable person."
> Source: ICO, Guide to UK GDPR.
Helpful resource: the ICO's guide has practical checklists for SMEs. See ICO: UK GDPR guidance.
Why this matters for SMEs?
- The UK has around 5.5 million small businesses, making up the vast majority of employers. Source: Department for Business and Trade, Business population estimates 2023.
- Half of UK businesses reported a cyber breach or attack in the last year. Source: Cyber Security Breaches Survey 2024, Gov.uk.
Translation for you and your team: GDPR for small business is about simple records, short policies, and good habits. Get the basics right and stress levels drop.
Which HR records to keep, and how long?
There is no single set number of years for most HR data. Retention depends on the legal need and how long claims or HMRC checks could arise. So you create a schedule and stick to it.
Common HR record categories
- Payroll and tax records. HMRC sets specific periods. Check the current PAYE guidance on Gov.uk before you fix your timeline.
- Statutory pay records. SMP and SSP have their own rules which change. Confirm the latest on Gov.uk.
- Right to work checks. Keep for the employment period and a set time after. Follow current Home Office guidance. Get the initial check right to avoid trouble. Our guide to right to work checks helps you avoid the usual traps.
- Recruitment records. Keep for a short, set time to handle complaints or queries. Then delete.
- Working time and holiday records. Keep enough to prove compliance. Record duties may tighten under the Employment Rights Act 2025. Check the live position before you act.
Sample retention planner
| Record type | Lawful basis | Typical driver | Action |
|---|---|---|---|
| Payroll and PAYE | Legal obligation | HMRC rules | Follow current Gov.uk retention period |
| SMP/SSP records | Legal obligation | Statutory pay rules | Follow current Gov.uk guidance |
| Right to work | Legal obligation | Home Office guidance | Keep for employment plus set period, then delete |
| Candidate data | Legitimate interests | Time to respond to queries | Keep briefly, then delete |
| Working time/holiday | Legal obligation | ERA and WTR duties | Keep enough to show compliance |
Principle to stick to: keep each record only while you have a real reason. Then delete or anonymise. "Just in case, forever" is a risk, not a plan.
Store HR data securely
Hybrid work means staff data sits on laptops, phones, and home Wi-Fi. That is fine if you set a few basics.
Practical measures for small teams
- Strong, unique passwords and multi-factor authentication for systems with staff data.
- Full disk encryption on laptops and mobiles.
- Access on a need-to-know basis. Payroll is not a team sport.
- No staff data in personal email or open shared folders.
- Secure disposal. Shred paper, wipe devices.
You do not need a huge budget. You do need to know where data lives and close obvious gaps.
Special category data needs extra care
Health records, sick notes, fit notes, and occupational health reports are special category data. So are details on race, religion, and trade union membership.
Treat this data with extra care:
- Store it separately from general personnel files where you can.
- Restrict access to named people only.
- Never share health details with the wider team.
- Keep it only for as long as needed for the clear purpose.
If you manage absence, you are handling special category data. Check where it is kept and who can open it.
Subject access requests: be ready
Any current or former worker can ask for a copy of their personal data. That is a subject access request. They often land during a dispute.
Key points to remember:
- You generally have one month to respond. Complex cases can extend. Check the current timescales on the ICO site.
- The clock starts as soon as the request is made, even in a short email.
- You usually cannot charge a fee.
Plan now. Decide who leads, where data sits, and how you gather it fast.
If data goes missing
A lost laptop. An email sent to the wrong person. A spreadsheet shared in error. These are personal data breaches. Your response matters.
Four steps
1) Contain it. Recover devices, reset access, recall emails where possible.
2) Assess risk to the people affected.
3) Report if needed. If rights are at risk, you may need to report to the ICO within 72 hours. See ICO breach reporting guidance.
4) Tell affected staff if the risk to them is high.
Log every breach. Even the ones you choose not to report.
What to write down?
Keep it short and useful:
- A retention schedule listing each record type, why you hold it, and for how long.
- Your lawful basis for staff data, plus the added condition for special category data.
- Who has access to what, and how access is removed when someone leaves.
- A simple subject access playbook: who leads, where data is, how to export it.
- A breach process and a breach log.
Two clear pages that people follow beats a 50-page policy nobody reads.
Common mistakes to avoid
- Thinking GDPR does not apply because you are small.
- Keeping everything forever to be "safe".
- Storing sick notes and health data in open folders.
- Guessing how long to keep right to work or payroll records.
- No SAR plan until one arrives.
- Treating a lost laptop as only an IT issue.
Final thoughts and next steps
GDPR for small business is about good housekeeping. Decide what you hold, why, and for how long. Store it safely. Handle health data with care. Know how to respond to a request or a breach. Nail the retention schedule and the rest becomes manageable.
If your HR records live in three places and none of them feel tidy, that is exactly what we sort in an HR Health Check. Want a friendly sanity check first Put a short discovery call in the diary and we will map the gaps. Kettle On, Standards Up.
FAQs
- How long should I keep employee records in the UK?
Keep them for as long as there is a clear legal or business need, then delete or anonymise. Check Gov.uk for specific items like PAYE, SMP, and SSP.
- Do small businesses need a Data Protection Officer?
Most SMEs do not, but you still need someone responsible for data protection tasks. Check ICO criteria for when a DPO is required.
- What is a lawful basis for processing employee data?
Common bases include legal obligation, contract, and legitimate interests. Special category data needs an extra condition.
- How do I handle a subject access request?
Acknowledge fast, confirm identity, gather data from agreed sources, and respond within one month. Keep a log.
- What counts as a personal data breach?
Loss, theft, unauthorised access, or disclosure of personal data. Contain, assess, and report to the ICO if risk to people is likely.
- Is Excel or email OK for HR data?
Short term, with protection and access limits, maybe. Long term, use a secure HR system with access controls and audit trails.
Sources:

About Kate Underwood
HR consultant and founder of Kate Underwood HR. Providing HR Support for Small Businesses for over 10 years; in Hampshire, Dorset and across the UK.
