Personal Assistant (PA) employers must comply with the General Data Protection Regulation (GDPR). The GDPR came into force on 25 May 2018. It replaced the Data Protection Act 1998, and the new Data Protection Act 2018 (DPA) supplements the GDPR.

What is GDPR?

The General Data Protection Regulation (GDPR) and the DPA are concerned with respecting the rights of individuals when their personal information is processed. This is achieved by being open and honest with employees about how information about them is used, and by following good data-handling procedures. All organisations and employers that hold or process personal data must comply.

The regulation contains seven principles:

  • Personal data should be processed fairly, lawfully and in a transparent manner.
  • Data should be obtained for specified and lawful purposes and not further processed in a manner that is incompatible with those purposes.
  • The data should be adequate, relevant and not excessive.
  • The data should be accurate and where necessary kept up to date.
  • Data should not be kept for longer than necessary.
  • Data should be kept secure. This includes keeping employees’ personal data safe, secure and up to date.
  • You must be able to demonstrate compliance with all of the above (‘accountability’).

Data an employer can keep about their employee includes:

  • Name
  • Address
  • Date of birth
  • Sex (special category data*)
  • Education and qualifications
  • Work experience
  • National Insurance number
  • Tax code
  • Details of any known disability (special category data*)
  • Emergency contact details
  • Employment history with the employer
  • Employment terms and conditions (e.g. pay, hours of work, holidays, benefits and absence)
  • Any accidents connected with work
  • Any training taken
  • Any disciplinary action

* Personal data may also include special categories of personal data. These are considered to be more sensitive, and you may only process them in more limited circumstances.

What an employer should tell their employees

  • What records are kept and how they are used
  • The confidentiality of the records and how you will store them
  • How these records can help with their training and development at work

This can be done in the form of a privacy notice.

Next steps

You can find further information on GDPR on the ACAS website.

Last updated: 06 June 2023
First published: 28 March 2022

Please note that the information contained in this Handbook is provided for guidance purposes only. Every reasonable effort is made to make the information accurate and up to date, but no responsibility for its accuracy and correctness, or for any consequences of relying on it, is assumed by Self Directed Support Scotland or any other contributing party.

The information does not, and is not intended to, amount to legal advice. You are strongly advised to obtain specific, personal and professional advice from a lawyer about employment law matters, from an accountant/tax specialist about taxation matters, and from HMRC and your insurers. You should not rely solely on the information in this Handbook. Support organisations listed in this Handbook can help you find appropriate sources of advice.