
How SMBs Can Protect Employee Data Under GDPR in 2026

Compliance • Onboarding | Jun 23, 2026 by George Koutras, 7 min read
Team members around a locked folder, representing secure employee data protection and GDPR compliance.

Most small and medium businesses think GDPR is about customer data: an accept-cookies banner and handling records with a bit more care than before might suffice. In practice, the data they handle most, and the data they're most likely to mishandle, is employee data, far more than third-party data from customers or website visitors.

Payroll, performance reviews, sick notes, contract details, disciplinary records: this is the most sensitive employee data under GDPR. It tends to sit in the background, behind the cookie banner and the email address of a customer who signs up for a demo. And if you have a single EU-based employee, the regulation already applies to you.

This article covers what employee data falls under GDPR, what the regulation requires at each stage of employment, and the practical steps for a small company without a legal team. We keep it simple, acknowledging that GDPR is widely described as almost impossible to satisfy in full, a running complaint among the businesses it covers.

What Counts as Employee Data Under GDPR

Before you can find the gaps, it helps to know what the regulation treats as employee data in the first place.

The obvious and the overlooked

Start with what most people know: names, addresses, bank details, tax information. These are plainly confidential, and GDPR watches them closely. The trap is assuming the obvious list covers everything. Unfortunately, it doesn't. Several categories get glossed over:

  • IP addresses from login systems
  • health data attached to sick-leave requests
  • the scores employees get on performance reviews
  • disciplinary notes
  • biometric data, like a fingerprint used to enter the office or to clock in
  • workplace CCTV footage, which European employers have tried to use against staff and lost over, because the footage was never collected for that purpose

This is why the difference between standard personal data and special category data matters. Special category data, from Article 9, covers health records, trade union membership, and biometric data, and it needs a higher protection standard than ordinary personal data.

Even informal data counts. A Slack message about an employee's medical appointment, or a spreadsheet tracking who called in sick, are personal data under GDPR. The rule reaches well past the systems you built on purpose for it.

CCTV is the sharpest example of how strict the law gets about purpose. The principle is plain: footage gathered for one reason can't serve another. Record someone on camera to keep the premises secure, and you can't later use that same footage to discipline them. An Irish hospice learned this the hard way and lost a case against its own employee. It had used cameras installed for safety to punish conduct they were never meant to monitor. The original reason for collecting the data governs what you can do with it.

Lawful basis, and why consent is the wrong default for employee data

Article 6 sets out six lawful bases for processing personal data: consent, performance of a contract, legal obligation, vital interests, public task, and legitimate interests. For employment, two carry most of the weight: performance of a contract, and legal obligation.

Consent is the problem basis at work, because the power imbalance between employer and employee means consent isn't freely given. GDPR sees it that way, and so do the ICO and most EU supervisory authorities. Their advice is consistent: don't lean on a blanket yes for routine employment processing. For special category data, Article 9(2)(b) is the usual basis, since it covers employment, social security, and social protection law.

Protecting Data Across the Employee Lifecycle

The employee lifecycle runs from the moment a candidate applies to the day they leave and you offboard them. Walking it stage by stage is the clearest way to cover every place the data lives.

Hiring and onboarding

During hiring, collect only what you need to evaluate the candidate, since you don't yet know how the relationship will go. A couple of things to avoid:

  • Don't ask for a national ID number on the application form. You don't need it until they're hired.
  • Don't ask for a tax ID up front either. In many countries it circulates freely, unlike the tightly restricted U.S. SSN, but you still shouldn't collect it before it's necessary.

Processing data with no real use at this stage only creates noise. For rejected applicants, set a retention period, write it down, and stick to it. Six months is common, since that's enough time for any discrimination claim to surface, which makes the records a defensive asset, though some jurisdictions allow up to a year. The cleaner setup deletes the data automatically and leaves an audit trail.

When you onboard someone, explain in writing what documents you'll collect, why, and how long you'll keep them, so everyone can read it and sign off. That's part of the GDPR transparency requirement in Articles 13 and 14, and it's a good habit besides, one that employee onboarding software makes routine. It's what you'd expect of a bank that runs face-scan onboarding: how long do you keep my face if I never open the account?

During employment and at exit

First, know where the data lives in a small company: email attachments, shared drives, paper files, personal laptops, and messaging apps. Plenty of confidential data sits in those channels. That isn't automatically wrong, but the first real step is knowing where it is, so no sick note slips through a channel you forgot to track.

Access control comes next. Not everyone needs a colleague's payroll data, and almost no one needs another person's health records. Use role-based access. A sales manager has no business seeing a design junior's health issues. Even basic permissions on shared folders start you off right.

At exit, sort the data into two piles. Personal data you no longer need for its original purpose, you delete. Data you must keep, you retain: tax records, and pension data that often runs six to seven years depending on the jurisdiction. Then decide what happens to the employee's personal devices.

Data type                  Typical retention                     Lawful basis
Rejected applicant data    6 to 12 months                        Legitimate interest, claim defense
Active employee records    Length of employment                  Performance of a contract, Art 6(1)(b)
Tax and payroll records    6 to 7 years, varies by jurisdiction  Legal obligation, Art 6(1)(c)
Pension data               6 to 7 years, varies by jurisdiction  Legal obligation, Art 6(1)(c)
Health and biometric data  Only while genuinely needed           Art 9(2)(b)

The right to erasure, Article 17, applies here, but it has exceptions. An employee can't make you delete tax records you're legally required to retain. Their right to erasure runs into your legal duty to keep certain records, and the duty wins.

The Practical Steps

For a small company, especially a North American one that hires in Europe, a few steps carry most of the protection.

Data mapping, the one exercise that matters most

Data mapping is a list, and it does more than any other single exercise. Write down every system, folder, and tool that holds employee data: a Slack channel, a Google Drive folder, an .xlsx file on a personal laptop. For each one, note what type of data it holds, who has access, and whether a retention schedule exists.

This isn't a formal DPIA, nor anywhere close to one. It's the minimum viable version that gets you covered, and it pairs well with an HR compliance checklist. Most SMBs under 250 employees are exempt from keeping the full Article 30 records of processing. A basic data map still protects you when a supervisory authority asks questions or litigation looms. Enforcement continues to grow, too. By January 2025, aggregate GDPR fines since 2018 had passed EUR 5.88 billion. Better not to add to that number.

Subject Access Requests, what to do when an employee asks

A Subject Access Request, under Article 15, is any employee asking for a copy of all the personal data you hold on them. You have 30 calendar days to respond, with a one-month extension if the request is complex.

To handle one, provide all the personal data in a structured format. Know what you can hold back, such as anything that would reveal a third party's data. Match the format to the request: an electronic request gets an electronic response.

Working with dozens of companies, we know most SMBs have never received a SAR, and the ones that do would scramble to pull it together in time. A basic process, even a one-page note or a saved email, is your barrier against that panic. SARs often arrive from current employees during disputes or disciplinary processes. If you plan to act on an employee, expect a SAR to land, and be ready for the timing. The same goes for related duties like the EU Whistleblower Directive, which surface when relationships sour.

Three common GDPR mistakes SMBs make with employee data

- Leaning on employee consent as the lawful basis, when the power imbalance makes that consent shaky.
- Not knowing where employee data lives, so sick notes and reviews circulate across channels.
- Having no Subject Access Request process until the first one arrives mid-dispute.

Protect Employee Data With HR Software

GDPR for employee data can hit you head-on and catch you off guard. The risk is real the moment you aren't ready to treat it as one: every shared note, every medical form sent over Slack, every new hire you onboard.

The steps are manageable, because they rest on the common sense of data protection. Know where the data lives, control who has access, set retention schedules, and be ready to respond when someone asks. A solid audit trail helps with all of it.

One way to manage your employees' data under GDPR is with HR software. TalentHR includes document management and compliance tools, role-based access, and built-in documentation for growing teams.

Try TalentHR and start protecting your employee data today. Sign up for free.

Frequently Asked Questions for Employee Data GDPR

Does GDPR apply if my company sits outside the EU but has EU employees?

Yes. GDPR covers the processing of EU residents' data regardless of where the company sits. If you're in the United States and an employee starts in France, GDPR already applies to you.

Do I need a Data Protection Officer?

Companies under 250 employees rarely have to appoint a DPO, unless their core activities involve large-scale processing of special category data, like biometrics. Most SMBs don't need one, but naming someone responsible for data protection, who can keep the process current, is good practice.

What happens if an employee files a GDPR complaint?

The supervisory authority investigates. Penalties for SMBs sit well below the headline fines, but the reputational damage lands even without a fine, and it can cost a lot of time.
