How to Build a Mentoring Programme That Meets UK GDPR Requirements

May 5, 2026

A practical guide for UK HR and L&D leaders — covering lawful basis, privacy notices, DPIAs, data retention, DEI data, and how to choose mentoring software that keeps you on the right side of the ICO.

Every workplace mentoring programme that collects, stores, or processes personal data about employees is subject to UK GDPR and the Data Protection Act 2018. That means names, job titles, career goals, session notes, feedback scores, and any DEI data you collect for diversity reporting — all of it falls within scope.

For most organisations running informal mentoring, this is where things go wrong. Spreadsheet-managed programmes with no privacy notices, no lawful basis documentation, and no data retention policy are non-compliant from day one — and the ICO's enforcement activity has intensified significantly since 2024.

This guide gives you a clear, practical framework for building a mentoring programme that is both effective and fully GDPR-compliant — and shows you what to look for when choosing mentoring software that takes this responsibility seriously.

Important: This blog reflects UK GDPR as amended by the Data (Use and Access) Act 2025 (DUAA), most provisions of which came into force on 5 February 2026, and updated ICO guidance published 23 March 2026. It is provided for general information only and does not constitute legal advice. For matters specific to your organisation, consult a qualified data protection professional or your DPO.

Why UK GDPR Applies to Your Mentoring Programme

When an employee registers for your mentoring programme, they share personal data: their name, role, seniority, career goals, development needs, and in many cases, sensitive information about their professional challenges. When matching happens — whether manually or through software — that data is processed. When sessions are logged, when feedback is collected, when goal progress is tracked — all of it constitutes personal data processing under UK GDPR.

The Association of Business Mentors confirms that UK mentoring programmes need to comply with GDPR if they involve the processing of personal data — and that organisations must ensure they have a lawful basis for processing the personal data of participants, mentors, and mentees.

This is not a theoretical risk. The ICO's enforcement activity intensified significantly between 2024 and 2026: in October 2025, the ICO fined Capita £14 million for data security failures. For HR teams, the message is clear — data protection compliance is not optional, and "we didn't know it applied" is not a defence.

Step 1: Map Your Data Flows Before You Launch

Before your mentoring programme goes live, map every category of personal data it will process. This is the foundation of GDPR compliance and a prerequisite for every other step in this guide.

For a typical internal mentoring programme, data flows include:

Data Category	Examples	Sensitivity
Identity data	Name, email, job title, department, seniority	Standard personal data
Professional data	Career goals, skills, development needs, work experience	Standard personal data
Session data	Session notes, action items, goal progress, attendance records	Standard personal data
Feedback data	Post-session satisfaction scores, written feedback	Standard personal data
DEI data	Gender, ethnicity, disability status, age group	Special category data (Article 9)
Health data	Reasonable adjustments, accessibility needs	Special category data (Article 9)

Document this mapping in your Records of Processing Activities (ROPA) under Article 30 of UK GDPR. The ROPA must describe the purpose of processing, the categories of data, who has access, where data is stored, and how long it is retained.

Step 2: Identify the Correct Lawful Basis

You must have a lawful basis to process personal data. For internal employee mentoring programmes, there are three plausible options — and the right choice matters.

Option A: Legitimate Interests (Recommended for most programmes)

For the majority of internal workplace mentoring programmes, legitimate interests under Article 6(1)(f) is the most appropriate lawful basis. The ICO's guidance states that a legitimate interest "could exist" when using employee information for internal development purposes.

To rely on legitimate interests, you must conduct and document a three-part Legitimate Interests Assessment (LIA):

Purpose test — Is there a genuine legitimate interest? (Employee development, knowledge transfer, talent retention — yes.)
Necessity test — Is processing the data necessary to achieve that purpose? (Is there a less privacy-intrusive way to achieve the same outcome?)
Balancing test — Do the employee's interests, rights, and freedoms override your legitimate interest? (This is where you assess the sensitivity of the data, the employee's reasonable expectations, and any safeguards you have in place.)

Document your LIA before the programme launches. The Data Protection Network provides an LIA template and recommends this as best practice even where you are confident in your lawful basis.

Option B: Contract

If participation in the mentoring programme is a contractual requirement of employment — for example, an onboarding programme where all new joiners must participate — then contract under Article 6(1)(b) may apply. This is less common for voluntary mentoring programmes.

Option C: Consent — Use With Caution

Consent may seem like the obvious choice ("just ask employees to agree"), but the ICO cautions strongly against relying on consent in employment contexts. Because of the power imbalance between employer and employee, the ICO considers that employees may feel unable to refuse consent freely — making it unlikely to be valid under GDPR's requirement that consent be freely given. If an employee feels they must consent to keep their manager happy, that is not free consent.

ICO Note (March 2026): Following the Data (Use and Access) Act 2025, a new "recognised legitimate interest" lawful basis is now available under Article 6(1)(ea) for five specific pre-approved conditions. For most mentoring programmes, the standard legitimate interests basis under Article 6(1)(f) remains the appropriate route. Organisations do not need to change their lawful basis if they currently use legitimate interests for a purpose that meets a recognised legitimate interest condition.

Step 3: Assess Whether You Need a DPIA

A Data Protection Impact Assessment (DPIA) is mandatory under Article 35 of UK GDPR when processing is "likely to result in a high risk to individuals." For mentoring programmes, a DPIA is required if your programme involves any of the following:

Special category data — DEI data (ethnicity, disability, gender identity), health data, or any other Article 9 data collected as part of the programme
Automated matching algorithms used to make decisions that have a significant effect on employees — for example, algorithmically determining who gets access to senior mentors
Large-scale systematic processing of employee personal data across the organisation
Profiling of employees based on their development goals, career progression, or performance data

For a standard voluntary internal mentoring programme that collects no special category data and uses human-reviewed matching, a DPIA may not be strictly mandatory — but conducting one is good practice and demonstrates accountability to the ICO. Use the ICO's DPIA template, available on ico.org.uk.

If you are running a DEI mentoring programme — matching employees from underrepresented groups with senior sponsors, or collecting ethnicity data to measure DEI outcomes — a DPIA is mandatory. DEI data is special category data under Article 9, and you will need both a lawful basis under Article 6 and a specific condition under Article 9 (typically explicit consent or substantial public interest).

Step 4: Write a Clear Privacy Notice for Participants

Before any participant — mentor or mentee — registers for your programme, they must receive a privacy notice that explains how their data will be used. This is a transparency requirement under Articles 13 and 14 of UK GDPR and cannot be skipped.

Your mentoring programme privacy notice must include:

The identity and contact details of the data controller (your organisation) and DPO if appointed
What personal data is being collected and the purposes for which it is processed
The lawful basis for processing (e.g. legitimate interests)
Whether any special category data is being collected and the Article 9 condition relied upon
How long data will be retained (or the criteria used to determine this)
Whether data will be shared with third parties, including software providers, and the basis for sharing
Participants' rights under UK GDPR — access, erasure, rectification, restriction, portability, and the right to object
The right to lodge a complaint with the ICO (ico.org.uk)

If you use mentoring software, disclose the software provider as a data processor in your privacy notice. Include the name of the provider, the nature of the processing they carry out on your behalf, and where their servers are located.

Step 5: Sign a Data Processing Agreement With Your Software Provider

If you use any third-party platform — spreadsheet software, HR systems, or dedicated mentoring software — to process participant data, that provider becomes a data processor acting on your behalf under Article 28 of UK GDPR.

You must have a written Data Processing Agreement (DPA) in place before data is processed through the platform. The DPA must specify:

That the processor only processes data on documented instructions from your organisation
That appropriate technical and organisational security measures are in place
That the processor assists you in responding to data subject rights requests
That sub-processors are disclosed and subject to equivalent obligations
That data is deleted or returned at the end of the contract

What to look for in mentoring software: SOC 2 Type II certification, full GDPR compliance documentation including a DPA, transparent sub-processor disclosures, support for data subject rights requests, data retention configuration, and clear data residency information. If the software provider cannot provide a DPA on request, do not use them to process employee data.

Step 6: Set and Document Your Data Retention Periods

UK GDPR's storage limitation principle (Article 5(1)(e)) requires that personal data is kept no longer than is necessary for the purpose for which it was collected. For mentoring programmes, this means you must define in advance how long you will retain:

Participant registration data (names, roles, career goals)
Session notes and action items
Goal progress records
Feedback and satisfaction scores
Matching data and algorithm inputs
Any DEI data collected for diversity reporting

A commonly adopted approach for UK workplace mentoring programmes:

Data Type	Recommended Retention Period	Action at End of Period
Active programme data	Duration of programme + 12 months	Delete or anonymise
Aggregated analytics	Up to 3 years (anonymised)	Retain in anonymised form only
DEI data (special category)	Duration of programme only	Delete immediately after reporting
Feedback scores	Duration of programme + 12 months	Anonymise or delete
Session notes	Duration of programme + 6 months	Delete

Document your retention periods in your ROPA and communicate them clearly in your privacy notice. Implement an automated deletion or review process — do not rely on manual reminders.

Step 7: Enable Data Subject Rights

Every participant in your mentoring programme has rights under UK GDPR that your processes and systems must be able to support:

Right of access — participants can request a copy of all personal data held about them. You must respond within one month.
Right to rectification — participants can request correction of inaccurate data (e.g. a wrong job title in their profile).
Right to erasure — participants may request deletion of their data. This is not absolute — you may have legitimate grounds to retain some data — but any request must be considered and responded to.
Right to restriction — participants can ask you to pause processing of their data in certain circumstances.
Right to object — if you are relying on legitimate interests, participants have the right to object. You must cease processing unless you can demonstrate compelling legitimate grounds that override their interests.

If you use mentoring software, verify before purchase that the platform can support these rights — specifically that it can export, amend, or delete individual participant data on request. Mentoring software that cannot support data subject rights requests puts your organisation in breach of UK GDPR.

Step 8: Handle DEI Data With Particular Care

Many UK organisations collect diversity data as part of their mentoring programmes — to evidence that the programme is equitable, to target outreach to underrepresented groups, or to measure DEI outcomes for gender pay gap reporting or ethnicity pay gap reporting.

Diversity data — including ethnicity, gender identity, disability status, religion, and sexual orientation — is special category data under Article 9 of UK GDPR. Processing it requires:

A lawful basis under Article 6 (legitimate interests for the overall programme)
A specific condition under Article 9 — most commonly explicit consent or substantial public interest (Schedule 1, Part 2 of the Data Protection Act 2018)
An Appropriate Policy Document if relying on substantial public interest for Article 9 processing
Clear disclosure in your privacy notice that DEI data is being collected, why, and how long it will be retained

The UK Government's guidance on mentoring programmes recommends tracking employee participation by sex and ethnicity to measure DEI outcomes — but this must be done in full compliance with Article 9 requirements. Collecting DEI data without the correct Article 9 condition in place is a breach of UK GDPR.

Step 9: Choose Mentoring Software That Is GDPR-Compliant by Design

The mentoring software you choose determines whether GDPR compliance is manageable or a constant operational burden. Here is what to evaluate:

Non-negotiable requirements

Written DPA available on request — if the provider cannot or will not provide a DPA, they cannot process employee data on your behalf legally
SOC 2 Type II certification — evidences appropriate technical and organisational security measures
GDPR compliance documentation — privacy policy, sub-processor list, data residency information
Data subject rights support — ability to export, amend, or delete individual participant records
Configurable data retention — ability to set automated deletion or anonymisation schedules
UK/EU data residency or adequate safeguards — where is the data stored? If outside the UK/EU, what transfer mechanism is in place?

Strong differentiators

GDPR Representative Appointment Certificate — demonstrates the provider has formally appointed an EU/UK representative as required under GDPR
Transparent algorithmic matching — particularly important if automated matching could be considered significant automated decision-making under Article 22
Audit logs — records of who accessed what data and when, supporting accountability obligations
Consent management — if any processing relies on consent, the platform should capture and record consent in a way that is auditable

Mentorgain meets all of the above requirements. The platform is fully GDPR compliant with a GDPR Representative Appointment Certificate, SOC 2 Type II certified, and provides a Data Processing Agreement as standard. Data subject rights requests can be fulfilled directly from the admin dashboard, and data retention periods are configurable at the programme level. For UK HR teams navigating GDPR compliance, this removes the most significant operational risk from using third-party mentoring software.

‍

UK GDPR Mentoring Programme Compliance Checklist

☐ Data flow mapping completed and documented in ROPA
☐ Lawful basis identified and Legitimate Interests Assessment (LIA) conducted and documented
☐ DPIA completed (mandatory if processing special category data or using automated matching)
☐ Privacy notice drafted and provided to all participants before registration
☐ Data Processing Agreement signed with all software providers and processors
☐ Data retention periods defined, documented in ROPA, and communicated in privacy notice
☐ Automated deletion or anonymisation process configured
☐ Data subject rights process documented — access, erasure, rectification within one month
☐ DEI data handled as special category data with Article 9 condition documented
☐ Staff involved in programme administration trained on data protection obligations
☐ Software provider checked against the non-negotiable requirements above
☐ Complaints handling procedure in place (required from June 2026 under DUAA)

The Data (Use and Access) Act 2025 — What Changed for HR Teams

The Data (Use and Access) Act 2025 (DUAA), which received Royal Assent on 19 June 2025 with most provisions coming into force on 5 February 2026, introduced several changes relevant to HR teams running mentoring programmes:

Recognised Legitimate Interest: A new lawful basis under Article 6(1)(ea) introduces five pre-approved conditions for processing in the public interest. For most internal commercial mentoring programmes, the standard legitimate interests basis under Article 6(1)(f) remains the correct route. The ICO published guidance on this on 23 March 2026.

Automated Decision-Making: The DUAA relaxes restrictions on automated decision-making for non-special-category data. The default prohibition on solely automated processing without a specific exception has been lifted for standard personal data. However, appropriate safeguards must still be in place, data subjects retain the right to human intervention and to contest decisions, and controllers must provide meaningful information about algorithmic logic. For mentoring programmes using AI-assisted matching, this means being transparent about how matching works and ensuring participants can request a human review of their match.

Complaints Handling: From June 2026, organisations must have formal internal complaints procedures for data protection complaints before individuals escalate to the ICO. HR teams should ensure a clear process is in place for participants to raise data concerns about the mentoring programme.

Frequently Asked Questions

Does a workplace mentoring programme need to comply with UK GDPR?

Yes. Any mentoring programme that collects, stores, or processes personal data about employees — including names, job titles, career goals, session notes, and feedback — must comply with UK GDPR and the Data Protection Act 2018. This applies to all UK organisations regardless of size, whether they use dedicated software or a spreadsheet.

What is the correct lawful basis for processing data in a mentoring programme?

For most internal workplace mentoring programmes, legitimate interests under Article 6(1)(f) is the most appropriate lawful basis. The ICO's guidance indicates that using employee or client information for internal development purposes may constitute a legitimate interest, provided a three-part Legitimate Interests Assessment (LIA) is conducted and documented. Consent is generally not recommended due to the employer-employee power imbalance.

Do I need a DPIA for a mentoring programme?

A DPIA is mandatory if your programme collects special category data (DEI data, health data), uses automated matching to make significant decisions about employees, or involves large-scale processing of employee data. For standard voluntary internal programmes without special category data or algorithmic decision-making, a DPIA may not be strictly mandatory — but it is strongly recommended as good practice. Use the ICO's DPIA template.

How long can I keep mentoring programme data?

UK GDPR requires personal data to be kept no longer than necessary. A common approach for workplace mentoring programmes is to retain active programme data for the duration of the programme plus 12 months, DEI data for the duration of the programme only, and aggregated anonymised analytics for up to 3 years. Retention periods must be documented in your ROPA and communicated in your privacy notice.

Does mentoring software need to be GDPR compliant?

Yes. When you use mentoring software, the provider becomes a data processor acting on your behalf. You must have a Data Processing Agreement (DPA) in place under Article 28 of UK GDPR before processing begins. The software must implement appropriate security measures, support data subject rights requests, and only process data according to your instructions. Ask any software provider for their DPA and SOC 2 certification before signing a contract.

What should a privacy notice for a mentoring programme include?

Your privacy notice must include: the data controller's identity, what data is collected and why, the lawful basis, retention period, any third-party processors (including software providers), data subject rights, and how to complain to the ICO. It must be provided to participants before they register.

Can I collect diversity data in my mentoring programme for DEI reporting?

Yes, but with additional requirements. Diversity data (ethnicity, disability, gender identity) is special category data under Article 9 and requires both a lawful basis under Article 6 and a specific condition under Article 9 — typically explicit consent or substantial public interest. An Appropriate Policy Document is required if relying on substantial public interest. This must all be disclosed clearly in your privacy notice.

The Bottom Line

GDPR compliance for a mentoring programme is not as complex as it sounds — but it does require deliberate steps before you launch. Map your data, establish your lawful basis, write a clear privacy notice, sign a DPA with your software provider, and set defined retention periods. These steps take a few hours to complete properly. Skipping them creates ICO risk, erodes employee trust, and in the case of DEI data, can result in significant fines.

The organisations that run the most effective mentoring programmes in the UK are the ones that have built compliance into the programme design from the start — not retrofitted it after something goes wrong.

Choosing mentoring software that handles GDPR compliance by design — with a DPA as standard, SOC 2 certification, configurable retention, and data subject rights support built in — removes the most significant operational compliance burden from your HR team.

Mentorgain is fully GDPR compliant — with a GDPR Representative Appointment Certificate, SOC 2 Type II certification, a Data Processing Agreement provided as standard, and configurable data retention at the programme level.

Book a free 20-minute call to discuss your programme's compliance requirements | Explore the platform

‍

Sources & Further Reading

‍

Gauri Gokhale

As an HR leader, I've spearheaded initiatives to align HR strategies with organizational goals, fostering a culture of continuous improvement and innovation. I'm responsible for sourcing, screening, and selecting qualified candidates.

Take a look at our latest articles & resources

View All

Mentorgain vs Together Platform: How to Choose the Right Mentoring Software for Your Organisation

Together Platform is a well-regarded mentoring software used by global enterprises like Coca-Cola, Toyota, and the UN — starting at $10,000/year, primarily designed for North American and European organisations. Mentorgain is built keeping in mind India and APAC — with equivalent core features, AI-powered matching, 1–2 week implementation, and pricing starting at ₹3,00,000 ($3,200) per year. If you are an SME or your team is based in India or APAC, Mentorgain is the stronger, more cost-effective choice.

How to Automate Mentor Matching Instead of Manual Spreadsheet Work

Automated mentor matching software replaces manual spreadsheet workflows by pairing mentors and mentees based on skills, goals, and availability - reducing admin time by 95% and improving match quality at scale across India and APAC enterprises.

Low Participation in Corporate Mentorship Programs? How Automated Matching Tools Increase Engagement

Corporate mentorship programs often see participation collapse within weeks of launch, despite executive support and budget. This guide breaks down the three root causes — poor match quality, admin overload, and lack of structure — and shows how automated matching platforms like Mentorgain solve each one, with a comparison framework and step-by-step implementation plan for HR and L&D teams.

Be Part of the
Journey

Ready to make mentorship your organization’s growth engine? Reach out to us