Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
Collecting and paying wages means handling a lot of payroll data - from bank details and National Insurance numbers to tax codes and sick pay records.
If you’re a small business, getting this right isn’t just about accuracy and paying on time. You have strict legal duties under UK GDPR, the Data Protection Act 2018 and HMRC rules.
In this guide, we’ll break down what counts as payroll data, your legal obligations, how long to keep records, and practical steps to stay compliant and secure from day one.
What Counts As “Payroll Data” And Why Does It Matter?
Payroll data is any information you process to pay workers and comply with employment and tax laws. That usually includes:
- Identity details: full name, address, date of birth, NI number
- Employment details: job title, start date, hours, pay rate, bonuses, deductions
- Financial details: bank account and sort code
- Tax and benefits: tax code, student loan status, pension contributions, attachments of earnings
- Leave and statutory pay: sick pay, maternity/paternity pay, holiday taken
- Right to work checks and copies of relevant documents
This is highly sensitive from a privacy and fraud-risk perspective. UK GDPR requires you to process it lawfully, transparently and securely, and HMRC expects accurate records to support PAYE reporting and audits.
Which UK Laws Apply To Payroll Data?
You’ll typically need to comply with:
- UK GDPR and the Data Protection Act 2018 – governs how you collect, use, share and secure personal data. You must have a lawful basis, inform staff, and implement appropriate security.
- Employment law – including the Employment Rights Act 1996 and National Minimum Wage/National Living Wage rules. You must keep adequate wage records to show compliance.
- HMRC rules – including PAYE and Real Time Information (RTI) reporting. You must keep accurate payroll records for prescribed periods.
- Pensions law – auto-enrolment duties and records for contributions and opt-outs.
Most small businesses are the “controller” of payroll data. If you use a payroll provider or accountant to run payroll, they’ll usually be your “processor”, which triggers extra contractual and due diligence duties (more on this below).
What Is The Lawful Basis For Processing Payroll Data?
Under UK GDPR, you must identify a lawful basis for each processing activity. For payroll, the most common are:
- Contract – you need to process data to perform the employment contract (e.g. paying wages, administering benefits).
- Legal obligation – you’re legally required to process and report data to comply with PAYE, statutory sick pay/maternity pay, pensions, and record-keeping laws.
- Legitimate interests – for limited purposes not covered above, provided your interests aren’t overridden by employees’ rights (e.g. minor internal reporting). Conduct and document a balancing test.
Be careful with any information that may reveal protected characteristics or health data (for example, fit notes or long-term health conditions supporting SSP). That can be “special category data” which requires an additional condition (commonly “employment, social security and social protection law” obligations).
What Information Do You Need To Give Staff?
Transparency is a core GDPR principle. You should provide workers with a clear privacy notice explaining what payroll data you collect, why you need it, who you share it with (e.g. payroll provider, HMRC, pension provider), how long you keep it and their rights.
Practically, include a link to your internal privacy notice in onboarding materials and your handbook. Pair this with clear policies around IT, data access and acceptable use so everyone understands expectations from day one. Many employers package these in a Staff Handbook along with a Workplace Policy suite for consistency and ease of updates.
How Long Should You Keep Payroll Records?
Retention isn’t one-size-fits-all. Set periods that meet legal requirements without keeping data longer than necessary. Key timeframes include:
- PAYE records: Keep for at least 3 years from the end of the tax year they relate to (HMRC can check PAYE, tax and NI contributions).
- National Minimum Wage: Keep records for 6 years to evidence compliance (this aligns with the longer look-back now commonly used).
- Statutory payments (SSP, SMP, SPP, ShPP): Keep records for at least 3 years after the end of the tax year in which the payment was made.
- Pension auto-enrolment: The Pensions Regulator generally expects 6 years for most records (4 years for opt-out notices).
- General limitation periods: Wage or contract claims can have up to a 6-year limitation period in civil courts (shorter in employment tribunals), which often supports a 6-year retention for core pay records.
Document your rationale in a retention schedule and apply it consistently. Don’t forget to securely delete or anonymise data when the retention period expires.
What Security Measures Should You Have In Place?
Payroll data is a high-value target. UK GDPR requires “appropriate technical and organisational measures.” For a small business, that usually means:
- Access controls: Strictly limit payroll data access to those who need it (principle of least privilege). Use named accounts, not shared logins.
- Secure storage: Encrypt devices and storage, use strong passwords and multi-factor authentication, and avoid unencrypted spreadsheets.
- Vendor security: If you use cloud storage or payroll software, check security certifications and data residency. If you’re weighing common tools, this discussion of whether Google Drive is GDPR compliant highlights the kind of checks to make.
- BYOD and mobile: If staff access payroll systems on personal devices, have clear rules, mobile device management (MDM) and the ability to remote wipe. These BYOD GDPR traps for employers are common in small teams.
- Training: Regular refresher training on phishing, safe handling of payroll files and incident reporting.
- Incident response: A clear plan for suspected breaches, including assessment, containment, ICO reporting (if required) and communications. Many businesses adopt a formal Data Breach Response Plan.
Keep a record of your security measures and reviews. If you change systems or providers, reassess risks and update your records accordingly.
Using Payroll Providers, Accountants And HR Platforms
Outsourcing payroll can be efficient, but it doesn’t outsource accountability. You remain the controller and are responsible for ensuring any processor meets GDPR standards.
Before you appoint a provider, carry out due diligence on security, data locations, sub-processors, certifications, and breach history. Then put a compliant Data Processing Agreement in place covering the Article 28 requirements (instructions, confidentiality, security, sub-processing controls, audits, assistance with rights requests and breach handling).
If you share data with another controller (for example, your pension provider), consider whether a Data Sharing Agreement is appropriate to document roles, responsibilities and safeguards.
International transfers are another key area. If any payroll data leaves the UK (for example, your provider uses support staff overseas), make sure there is an appropriate transfer mechanism in place (such as the UK IDTA or the UK addendum to the EU Standard Contractual Clauses) and complete a transfer risk assessment.
Dealing With Staff Data Requests (SARs)
Employees and workers can ask for copies of their personal data under a Subject Access Request (SAR). Payroll data is a common target because it’s structured and directly affects pay.
Key points to remember:
- Respond without undue delay and within one month (extensions are limited and must be justified).
- Verify identity if needed, and search across systems that may hold payroll data – payroll software, HR files, emails and messaging platforms.
- Check for third-party data and legally privileged documents, and consider lawful redactions where appropriate.
- Keep a clear audit trail of your search and response.
It helps to have a standard operating procedure and templates ready. Many SMEs prepare a simple SAR workflow with an internal form and response template; practical tips are set out in these resources on Subject Access Request templates, SAR deadlines and the key SAR exemptions you can rely on in limited circumstances.
What Policies, Records And Documents Should You Have?
Good documentation shows compliance and helps you work consistently as you grow. For payroll data, consider:
- Employee privacy notice – tailored to staff, clearly covering payroll purposes, sharing and retention.
- Data map/record of processing – map what payroll data you hold, where it flows and who has access.
- Retention schedule – set and apply timeframes with clear prompts for deletion.
- Information security policy – including access controls, password rules, device encryption, approved tools and incident reporting.
- Acceptable use and BYOD policy – if people access systems on personal devices.
- Data Processing Agreement – with your payroll provider and any other processors.
- Data Breach Response Plan – who does what and when.
- Training records – short, regular staff training goes a long way; keep evidence.
If you’re putting these foundations in place, a bundled approach like a GDPR Package or Data Protection Pack can help you cover the essentials efficiently.
Practical Steps To Get Payroll Data Right From Day One
1) Choose Tools And Vendors Carefully
Pick payroll and HR platforms designed for UK businesses with strong security features (MFA, encryption, role-based access). Check where data is stored and how backups and support work. Build vendor exit and data export into your plan so you’re not locked in.
2) Set Up Your Access And Controls
Create named user accounts, apply least-privilege access and use MFA for any system holding payroll data. Keep a joiners, movers and leavers checklist so permissions are added and removed promptly. Avoid sending payroll files by email unless encrypted.
3) Standardise Your Intake And Updates
Use a single, secure process for collecting starters’ details and changes (bank details, tax code, student loan status). Verify changes like bank details through a second channel to reduce fraud risk. Store supporting documents in the payroll system, not in ad hoc folders.
4) Document Your Retention And Deletion
Agree retention periods for each payroll dataset and diarise deletion. If you keep backups, make sure they’re factored into your deletion plan. Where feasible, anonymise old data instead of storing identifiable records indefinitely.
5) Train Your Team
Short, practical training on phishing, safe file handling and spotting suspicious change requests can prevent most incidents. Include payroll-specific scenarios in your training and onboarding materials, ideally within your Staff Handbook.
6) Prepare For Incidents And Requests
Have a simple incident playbook with escalation paths and decision points for breach reporting. Keep your SAR process, templates and logs ready so you can respond within the one-month deadline. If you’re unsure, get early advice - a short consult can save time and risk.
Common Pitfalls To Avoid
- Unmanaged spreadsheets: Payroll spreadsheets copied across emails and desktops quickly become uncontrolled - move to a secure system and lock down exports.
- Over-collection: Collect only what you need. For example, don’t copy passports to run routine payroll if an NI number and right to work check are already verified elsewhere.
- Poor change controls: Bank detail change scams are on the rise. Always verify changes via an independent channel before updating payroll.
- No processor contracts: If you outsource payroll without a robust DPA, you’re exposed. Put a compliant Data Processing Agreement in place with your provider.
- BYOD blind spots: Personal devices accessing payroll emails or files without MDM and clear policies are a frequent breach vector. Address these BYOD traps early.
- Late SAR responses: Missing the one-month SAR deadline creates regulatory risk. Establish a process and lean on guidance around SAR timelines and exemptions.
How Payroll Data Interacts With Wider HR And Compliance
Payroll doesn’t live in a vacuum. It touches recruitment, benefits, performance and offboarding. Make sure your contracts and policies align with how you pay - for example, pay frequency, commission structures, deductions and overtime rules should match your Employment Contract and handbook.
If you track working time for payroll, ensure your approach complies with Working Time Regulations and any applicable collective agreements, and be clear about monitoring and privacy. If you operate in a commission-driven environment, set out the terms clearly so payroll can administer them consistently.
Do You Need A DPIA For Payroll?
A Data Protection Impact Assessment (DPIA) is recommended where processing is likely to result in high risk. Routine payroll processing will not always trigger a DPIA, but it can be sensible if you’re introducing a new system, significantly changing processing, transferring data outside the UK, or combining payroll data with monitoring tools.
A short DPIA helps you identify risks (for example, unauthorised access, transfer risks, or over-retention) and record mitigations. It also demonstrates accountability if the ICO ever asks how you reached your decisions.
Key Takeaways
- Payroll data is high-risk personal data. Process it on a lawful basis (usually contract and legal obligation), be transparent with staff and apply strict security.
- Set clear retention periods: 3 years for PAYE records, 6 years for National Minimum Wage records, and appropriate timeframes for statutory payments and pensions.
- If you outsource to a payroll provider, carry out due diligence and put a robust Data Processing Agreement in place. Consider international transfer rules if data leaves the UK.
- Prepare for SARs with a documented process, templates and timelines, using practical guidance on SAR templates and deadlines.
- Strengthen day-one controls: choose secure tools, limit access, manage BYOD risks, train your team and keep a Data Breach Response Plan ready.
- Align your payroll processes with your employment documentation and internal policies so what you pay matches what you’ve promised on paper.
If you’d like tailored advice on payroll data compliance, contracts or privacy documentation, you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.