GDPR Identity Requirements: What Every Organisation Needs to Know

The UK GDPR places specific obligations on how organisations handle identity data. From employee records to customer accounts, identity data is personal data—and the regulations are strict. This guide covers what you need to know.

Understanding GDPR and identity data

The UK GDPR (retained from the EU GDPR after Brexit) defines personal data as any information relating to an identified or identifiable natural person. Identity data is a subset that includes:

• Names and contact details
• Identification numbers (employee IDs, customer IDs)
• Location data
• Online identifiers (email addresses, usernames)
• Physical, physiological, genetic, mental, economic, cultural, or social identity factors

For most organisations, identity data is everywhere: HR systems, CRM platforms, authentication systems, email archives, and more.

Core GDPR principles affecting identity

The GDPR is built on seven principles that directly impact identity data handling:

1. Lawfulness, fairness, and transparency

You must have a lawful basis for processing identity data. For employee identity data, legitimate interest or contractual necessity often applies. For customer data, consent or contract performance is common.

What this means for identity:

• Document your lawful basis for each identity data processing activity
• Be transparent about what identity data you collect and why
• Provide privacy notices at point of data collection

2. Purpose limitation

Identity data must be collected for specified, explicit, and legitimate purposes. You can't collect identity data "just in case."

What this means for identity:

• Define clear purposes for each identity data collection
• Don't use identity data for purposes beyond original collection
• Document your processing purposes in privacy policies

3. Data minimisation

Only collect identity data that is adequate, relevant, and limited to what is necessary.

What this means for identity:

• Review what identity attributes you actually need
• Remove unnecessary identity data fields
• Question whether each identity data element is essential

4. Accuracy

Identity data must be accurate and kept up to date.

What this means for identity:

• Implement processes to keep identity data current
• Allow individuals to review and correct their data
• Have processes to flag and fix inaccurate identity data

5. Storage limitation

Identity data should not be kept longer than necessary.

What this means for identity:

• Define retention periods for different identity data categories
• Implement processes to delete identity data when no longer needed
• Have procedures for identity data when employment/relationship ends

6. Integrity and confidentiality

Identity data must be processed securely.

What this means for identity:

• Implement access controls on identity data systems
• Encrypt identity data at rest and in transit
• Log and monitor access to identity data

7. Accountability

You must demonstrate compliance with all the above principles.

What this means for identity:

• Document your identity data processing activities
• Maintain records of consent and lawful basis
• Be able to show how you protect identity data

Specific identity-related obligations

Beyond the core principles, GDPR includes specific obligations relevant to identity data:

Data subject rights

Individuals have rights over their identity data:

Right of access:

• Individuals can request copies of their identity data
• You must respond within 30 days
• You must verify the requester's identity

Right to rectification:

• Individuals can request correction of inaccurate identity data
• You must act on such requests promptly

Right to erasure ("right to be forgotten"):

• In certain circumstances, individuals can request deletion of their identity data
• This applies particularly for marketing and profiling
• There are exceptions for legal obligations and legitimate interests

Right to data portability:

• Individuals can request their identity data in a machine-readable format
• This applies to data they provided, processed by automated means

How to handle requests:

• Have clear processes for handling identity data requests
• Verify the identity of requesters
• Train staff on recognising and escalating requests

Data protection by design and default

When designing identity systems, you must build in data protection:

Identity system design:

• Minimise identity data by default
• Implement appropriate access controls
• Enable encryption and pseudonymisation
• Consider data retention from the start

What this means:

• Privacy should be considered in identity system procurement
• Identity platforms should have data protection features
• Custom identity implementations need privacy review

Data protection impact assessment

When processing identity data at scale, you may need a DPIA:

When required:

• Systematic monitoring of identity data on large scale
• Processing special category identity data
• Large-scale processing of employee identity data

What it should cover:

• Description of identity data processing
• Assessment of necessity and proportionality
• Risks to individuals
• Measures to address risks

Data breaches

If identity data is compromised, you have obligations:

Detection and reporting:

• You must detect personal data breaches
• If a breach is likely to result in risk to individuals, report to ICO within 72 hours
• If high risk, also notify affected individuals

Documentation:

• Document all personal data breaches
• Include facts, effects, and remedial actions
• Keep records even if not reported to ICO

Third-party processors

If you use vendors who process identity data on your behalf:

Requirements:

• Ensure they provide adequate data protection guarantees
• Have written contracts specifying their obligations
• Maintain oversight of their processing

Identity vendor due diligence:

• Assess vendor security practices
• Review their GDPR compliance
• Document your due diligence

Practical steps for GDPR identity compliance

Conduct a data mapping exercise

1. Identify all systems containing identity data
2. Document what identity data each system contains
3. Map flows of identity data (who accesses, who shares)
4. Identify lawful basis for each processing activity

Implement access controls

1. Limit access to identity data to those who need it
2. Implement role-based access for identity systems
3. Log and monitor access to identity data
4. Regular access reviews for identity systems

Create documentation

1. Privacy notice for identity data collection
2. Records of processing activities
3. Data retention policies for identity data
4. Procedures for data subject requests

Establish processes

1. Process for handling identity data subject requests
2. Process for identity data breach detection and reporting
3. Process for new identity system procurement
4. Process for identity data retention review

Train staff

1. Awareness training on identity data protection
2. Training on handling data subject requests
3. Training on secure handling of identity data
4. Clear escalation paths for identity data issues

Common GDPR identity compliance gaps

Incomplete visibility

Many organisations don't know where all their identity data resides:

• Shadow IT containing identity data
• Personal devices with identity data
• Spreadsheets with identity data

Insufficient access controls

Common issues include:

• Overly broad access to identity data
• Lack of logging on identity systems
• No process for removing access when roles change

Poor documentation

Often missing:

• Records of processing activities
• Evidence of lawful basis
• Documentation of consent where required

Retention issues

Common problems:

• Identity data kept indefinitely
• No process for deleting data when no longer needed
• Former employee data not addressed

How to demonstrate compliance

Documentation

Maintain:

• Data mapping records
• Privacy policies and notices
• Records of processing activities
• Evidence of consent where applicable

Technical measures

Implement:

• Access controls on identity systems
• Encryption for identity data
• Logging and monitoring
• Regular security testing

Organisational measures

Establish:

• Data protection policies
• Staff training programmes
• Incident response procedures
• Regular compliance reviews

Getting help

GDPR compliance for identity data is complex. Consider:

• Data protection officer for strategic guidance
• Legal counsel for specific obligations
• Security experts for technical controls
• Identity specialists for system configuration

Looking ahead

GDPR requirements will continue to evolve:

• ICO guidance updates
• Cross-border data flow developments
• AI regulation intersection
• Enforcement trends

Stay current with regulatory developments and adjust your approach accordingly.

The key is building GDPR compliance into your identity management—not treating it as an afterthought.