The General Data Protection Regulation (GDPR), implemented in 2018, significantly altered how organisations handle personal data. For employers, understanding the key principles of GDPR is crucial, especially when it comes to managing and retaining employee data.
One of the most frequently asked questions from employers is ‘how long can I keep employee data under GDPR?’. In this blog we explore that question in more detail and set out some best practices for data retention.
Understanding GDPR and its implications for employee data
GDPR places an obligation on employers that personal data should be kept no longer than is necessary for the purposes for which it is processed. This is the storage limitation principle (Article 5(1)(e)); it sits alongside the separate data minimisation principle, which requires you to collect only the data you actually need. Together they require employers to regularly review the personal data they hold and erase or anonymise it when it is no longer needed. Under GDPR (in the UK, the UK GDPR and the Data Protection Act 2018) you must also have a lawful basis for processing and retaining personal data. The bases most relevant to employers are contract necessity, compliance with a legal obligation and legitimate interests (provided those interests are not overridden by the employee’s rights). Consent is rarely a sound basis in the employment relationship, because the imbalance of power between employer and employee means it is hard to show that consent was freely given.
Throughout the course of the employee lifecycle, employers will collect an array of data about their employees, and how long that data should be retained for will depend on a number of factors. There isn’t a single approach to retention periods, in fact GDPR does not actually specify any set retention periods for employee data. It’s therefore important for employers to understand what data they hold and how long it can be retained for. Let’s look at some common forms of employee data:
- Employment contracts and records – generally, employment contracts and related documents should be retained for six years after the end of employment. This period aligns with the UK’s statutory limitation period for contractual claims, which provides a sound legal basis for retention.
- Payroll and tax records – PAYE and payroll records must be kept for at least three years from the end of the tax year they relate to, as required by HMRC. Additionally, certain tax documents might need to be kept for longer, in some cases up to seven years, to comply with other tax rules.
- Health and safety records – records related to health and safety, including accident reports and risk assessments, should be retained for at least three years. Health records for employees exposed to hazardous substances (under COSHH) must be kept for 40 years from the date of the last entry.
- Recruitment data – personal data collected during recruitment, such as CVs and interview notes, should be kept for a reasonable period, typically six months to a year. The time limit for bringing a discrimination claim in the employment tribunal is three months, so a six-month period allows you to respond to any claims of discrimination or unfair recruitment practices which may be brought against your business while not holding unsuccessful applicants’ data indefinitely.
- Disciplinary and grievance records – these records should be kept for six years after the resolution of the issue. This period ensures that you have documentation available should any legal challenges arise.
- Employee benefits records – pensions and other long-term benefits records should be kept for a significant period, guidance suggests up to 12 years, due to the nature of the benefits and potential claims long after employment has ended.
Good practice for data retention
To comply with GDPR and manage employee data, it’s recommended that employers put in place effective measures as follows:
- Data Retention Policy – develop a clear data retention policy that outlines how long different types of employee data will be retained for and the rationale for these timescales. For policies to be effective, everyone needs to understand them and therefore the data retention policy should be communicated to all employees and regularly reviewed.
- Regular audits – it’s important to carry out regular audits of your employee data to ensure compliance with your data retention policy. Establish an audit timetable and make sure that staff involved in the process have key dates in their diaries. When it comes to the audit itself, you should identify and securely delete or anonymise data that is no longer necessary.
- Automated data management – data which is held in hard copy format can be time consuming and expensive to manage. Employers should therefore consider using HR software with automated data management features to streamline the process of data retention and deletion. Automated reminders and actions can help ensure compliance and reduce the risk of human error.
- Data minimisation – by only collecting the data you need for specific purposes in the first place, you will minimise the data you need to retain and ultimately delete. This principle not only helps with GDPR compliance, but also reduces the risk of data breaches.
- Secure disposal – ensure that data is securely disposed of once it is no longer needed. This includes both digital and physical records. Use shredding services for paper documents and data wiping tools for electronic records. Remember that deleting a record from your HR system alone is not enough if copies survive elsewhere: check exports, spreadsheets, email attachments and backups, and make sure backup copies age out on a defined schedule.
- Training – ensuring that staff understand their roles and responsibilities and the general principles of GDPR and data retention is critical to managing it effectively. In person or online training can be used and it’s good practice to include this as part of your new starter induction process and to run regular refreshers for all staff.
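The audit and automated data management steps above come down to one repeatable check: for every record, work out which retention rule applies, when the clock started, whether the period has expired, and then delete or anonymise it and keep a trail of what was done. The script below is an added illustration of that check, not HRX code and not an official retention schedule. It encodes the periods discussed in this post; the trigger event for each category, the litigation-hold flag, the choice of which categories keep an anonymised copy, and the sample records are all assumptions made for the example.

```python
import calendar
from dataclasses import dataclass, field
from datetime import date

# Retention periods in months, counted from the trigger event for the category.
# Figures follow the post; the trigger events are this example's assumption.
RETENTION_MONTHS = {
    "contract":      72,   # 6 years from end of employment
    "payroll":       36,   # 3 years from end of the tax year (HMRC minimum)
    "hs_accident":   36,   # 3 years from the date of the report
    "hs_hazardous":  480,  # 40 years from the last exposure record
    "recruitment":   6,    # 6 months from the decision (low end of the post's range)
    "disciplinary":  72,   # 6 years from resolution
    "pension":       144,  # 12 years from the last benefit event
}

# Assumed policy choice: keep a stripped, non-identifying copy of these for
# statistics rather than deleting outright.
ANONYMISE_CATEGORIES = {"recruitment", "hs_accident"}

# Fields that are safe to keep in an anonymised copy (assumed for the example).
NON_IDENTIFYING_FIELDS = {"role", "outcome", "site", "injury_type"}


@dataclass
class Record:
    record_id: str
    category: str
    subject: str              # data subject's name
    trigger_date: date        # event the retention clock runs from
    legal_hold: bool = False  # assumed: an open claim freezes disposal
    payload: dict = field(default_factory=dict)


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def expiry_date(rec: Record):
    """Expiry under the schedule, or None when no rule covers the category."""
    months = RETENTION_MONTHS.get(rec.category)
    return None if months is None else add_months(rec.trigger_date, months)


def anonymise(rec: Record) -> dict:
    """Strip every identifier. Hashing the name would only pseudonymise the
    record (still personal data under Recital 26), so nothing derived from the
    subject or the record id is kept; the date is reduced to month granularity."""
    return {
        "category": rec.category,
        "period": rec.trigger_date.strftime("%Y-%m"),
        **{k: v for k, v in rec.payload.items() if k in NON_IDENTIFYING_FIELDS},
    }


def decide(rec: Record, today: date) -> dict:
    """One audit decision: retain, hold, delete, anonymise or review."""
    expiry = expiry_date(rec)
    if expiry is None:
        action = "review"        # policy gap: surface it rather than keep silently
    elif rec.legal_hold:
        action = "hold"
    elif today < expiry:
        action = "retain"
    elif rec.category in ANONYMISE_CATEGORIES:
        action = "anonymise"
    else:
        action = "delete"
    return {"record_id": rec.record_id, "category": rec.category,
            "expiry": expiry.isoformat() if expiry else None, "action": action}


def run_audit(records, today: date):
    """Return (decisions, anonymised_copies). The decisions are the audit trail;
    the caller carries out the deletions in the system of record."""
    decisions = [decide(r, today) for r in records]
    copies = [anonymise(r) for r, d in zip(records, decisions) if d["action"] == "anonymise"]
    return decisions, copies


# Constructed sample data for the example.
SAMPLE = [
    Record("R1", "contract", "A. Example", date(2018, 6, 30), payload={"role": "Analyst"}),
    Record("R2", "payroll", "A. Example", date(2023, 4, 5)),
    Record("R3", "recruitment", "B. Applicant", date(2024, 5, 1),
           payload={"role": "Engineer", "outcome": "rejected", "email": "b@example.test"}),
    Record("R4", "hs_hazardous", "C. Example", date(1990, 3, 1)),
    Record("R5", "disciplinary", "D. Example", date(2017, 1, 10), legal_hold=True),
    Record("R6", "exit_interview", "E. Example", date(2015, 1, 1)),
]

if __name__ == "__main__":
    decisions, copies = run_audit(SAMPLE, date(2025, 1, 15))
    for d in decisions:
        print(d)
    print("anonymised copies:", copies)
```

Two design points are worth noting. A record in a category with no rule is flagged for review rather than quietly retained, because an unclassified record is exactly the data that tends to outlive its purpose. And the anonymised copy keeps nothing derived from the name or record ID: a hashed name is pseudonymous, not anonymous, and remains personal data, so it would not take the copy outside the retention obligation.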
Consequences of non-compliance
Failure to comply with GDPR can result in significant penalties. Under the UK GDPR, the Information Commissioner’s Office (ICO) can impose fines of up to £17.5 million, or 4% of the company’s annual worldwide turnover, whichever is higher (the equivalent ceiling under the EU GDPR is €20 million or 4%). Beyond financial penalties, non-compliance can damage your organisation’s reputation and erode trust with employees and clients.
As an employer, navigating GDPR can be daunting, however, the Information Commissioner’s Office is a fantastic resource and offers a wealth of information for employers.
Looking for secure HR software?
HRX stores employee data securely thanks to our robust security system and this in turn helps you as a business to meet your GDPR obligations so that you can rest easy. If you’d like to learn more about our HR software, get in touch with our experts today. Alternatively, you can try it out for yourself by signing up for your FREE 30 day trial today.