Employee surveys and GDPR

The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. Its primary aim is to give individuals in the EU control over their personal data.

In the UK, it is important to comply with the Data Protection Act 2018 (DPA 2018) and the UK GDPR, the version of the EU GDPR that was incorporated directly into UK law when the UK left the EU.

In practice, the core data protection principles, rights and obligations in the UK GDPR are the same as those in the EU GDPR. The EU GDPR may still apply alongside the UK rules if you operate in Europe or receive personal data from the EU.

While compliance is essential, it is still possible to responsibly engage with or survey your workforce. Here are two things to keep in mind.



Under GDPR, individuals have the right to be informed about how their data is collected, used and stored, and the right to request access to, or the erasure of, personal information held about them. You should tell your team why you are conducting a survey, what data you are collecting, what it will be used for and how long it will be kept.

If you want to break results down by demographic group, there must be a legitimate purpose for doing so, such as showing trends or highlighting key issues relating to business operation or management. This might apply to gender, age or length of service, for example. Bear in mind that a breakdown can identify people even when no names are involved: a group of two or three respondents, or a cross-tabulation of several demographics, can point to a single employee, so small groups should not be reported on their own.

If the survey asks for information that is not already held in your HR system, you should re-evaluate whether collecting and storing it is necessary and justified, and employees should be told what it is being collected for.



Many companies use specialist consultancies like Holistic Insight to manage their employee engagement surveys. There are many advantages, including more open and honest feedback via an independent third party. From a GDPR perspective, data about employees is being shared, so both the employer and the consultant are responsible for the safety and security of this information. Typically the employer is the data controller and the consultancy a data processor, and GDPR requires that relationship to be set out in a written contract covering what the processor may do with the data and how it is secured.

Those controlling or processing personal data will need to put measures in place to meet the data protection principles. Data controllers must design information systems with privacy in mind (data protection by design and by default), safeguarding their security and ensuring that survey results cannot be used to identify an individual respondent.
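One concrete way to honour the last point when reporting survey results by demographic group: aggregate responses per group and suppress any group below a minimum size, and when only one group in a breakdown would be hidden, hide the next-smallest one too, since otherwise the hidden group's count and score total can be recovered by subtracting the published groups from the overall figure. The following is an added illustration, not code from Holistic Insight or from the original article; the responses, the group names and the threshold of 5 are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample responses (not real survey data):
# (employee_id, department, length_of_service_band, score from 1 to 5).
# The employee id only ensures one response per person; it is never reported.
RESPONSES = [
    ("e01", "Engineering", "0-2y", 4),
    ("e02", "Engineering", "0-2y", 5),
    ("e03", "Engineering", "3-5y", 3),
    ("e04", "Engineering", "3-5y", 4),
    ("e05", "Engineering", "3-5y", 2),
    ("e06", "Engineering", "3-5y", 4),
    ("e07", "Engineering", "3-5y", 5),
    ("e08", "Engineering", "6y+", 1),   # the only 6y+ respondent: reporting this cell alone would expose them
    ("e09", "Finance", "0-2y", 3),
    ("e10", "Finance", "0-2y", 4),
    ("e11", "Finance", "0-2y", 3),
    ("e12", "Finance", "0-2y", 5),
    ("e13", "Finance", "0-2y", 4),
    ("e14", "Finance", "3-5y", 2),
    ("e15", "Finance", "0-2y", 4),
]

MIN_GROUP = 5  # assumed reporting threshold; agree the real value with HR and your DPO


def by_department(r):
    return r[1]


def by_service(r):
    return r[2]


def by_department_and_service(r):
    # Cross-tabulating two demographics shrinks every cell, so more get suppressed.
    return (r[1], r[2])


def overall(responses):
    """Headline figure: number of responses and mean score, rounded to 2 dp."""
    scores = [r[3] for r in responses]
    return len(scores), round(sum(scores) / len(scores), 2)


def breakdown(responses, key, min_group=MIN_GROUP):
    """Mean score per group with small groups suppressed.

    Returns {group: (n, mean)} for publishable groups and {group: None} for
    suppressed ones. A group is suppressed when it has fewer than min_group
    responses. If exactly one group would be suppressed, the next-smallest
    group is suppressed as well: with the overall total published, a single
    hidden group's count and score sum could otherwise be recovered by
    subtraction (complementary suppression).
    """
    groups = defaultdict(list)
    for r in responses:
        groups[key(r)].append(r[3])

    suppressed = {g for g, scores in groups.items() if len(scores) < min_group}
    if len(suppressed) == 1 and len(groups) > 1:
        next_smallest = min(
            (g for g in groups if g not in suppressed), key=lambda g: len(groups[g])
        )
        suppressed.add(next_smallest)

    return {
        g: None if g in suppressed else (len(scores), round(sum(scores) / len(scores), 2))
        for g, scores in groups.items()
    }


if __name__ == "__main__":
    print("overall:", overall(RESPONSES))
    for name, key in [
        ("department", by_department),
        ("length of service", by_service),
        ("department x length of service", by_department_and_service),
    ]:
        print(name, breakdown(RESPONSES, key))
```

Run on the sample data, both departments are large enough to publish, but the length-of-service breakdown hides not only the single 6y+ respondent but also the 3-5y band, because publishing 0-2y and the overall total alone would reveal the 6y+ score. A fixed threshold is a simple heuristic, not a guarantee: someone who already knows how many colleagues sit in each band can still narrow things down, so keep the threshold conservative and review any free-text answers separately, as they can identify their author regardless of group size.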