With only a month until the General Data Protection Regulation (GDPR) comes into force on 25 May, it’s a great time for all employers to make sense of their data obligations and get a handle on the personal data records they’re keeping.
GDPR obliges data controllers – that’s all employers, because all employers handle employees’ personal data – to clearly set out a sensible time frame for holding on to each kind of data. As an employer you must be clear about why you need each piece of information and how long you should hold on to it. Once you’re clear on this, communicate it to the people whose data it concerns.
Just in case you aren’t sure, employee data refers to pay or absence records, hours worked, parental leave, personal details, etc.
Up in the Cloud
Employers are required by law to keep their staff’s personal data secure – at the very least a filing cabinet should be locked, but if you’re going to do a proper job of it (which you should), store the data in the cloud with all the safety features you can muster or afford. Better yet, hand this job over to a company that is brilliant at storing data. You wouldn’t draw up plans for your own house, or represent yourself in court, so why try to manage data security yourself? There are businesses who will gladly help you stay GDPR compliant in this matter, and your whole headache will ease.
What is data retention?
The amount of time you keep data for is referred to as “data retention”, and you should have a “data retention policy” so everyone’s on the same page. Your policy should take into account the amount of time that you might actually need each type of data or record for. And when that time’s up, all records (including any duplicates) need to be deleted.
Another win for some HR software, which can automatically delete your records, so you won’t be left scratching your head trying to recall how many copies you have and whereabouts they’re lurking.
It (almost) goes without saying that you will hold an employee’s personal data whilst they’re working for you. Beyond that, here are some examples of different data types and how long you might keep them after the employee leaves. The time frames here are based on a combination of industry norms for your business and legal requirements, but they are not set in stone. (If you aren’t sure what the industry norms or legal requirements are, drop us a line >> firstname.lastname@example.org).
Types of data
Employment contracts and documents
We recommend 6 years after the employee has left your company (following current ICO guidance), as there is a possibility that any documents relating to an employee could be relevant to a Tribunal, County Court or High Court claim.
Pay and benefits records
The statutory retention period under the Taxes Management Act 1970 is 6 years after the last day of the last complete tax year during which they worked.
Recruitment data and documents
When hiring, you’ll collect personal data such as CVs. Unsuccessful applicants have 3 months to bring a discrimination claim against your business. In the (unlikely) event of this happening, data such as interview notes would be necessary to defend your business, so don’t bin them directly after interviews.
It can be useful to keep CVs for future roles as well. By adding a line such as “your CV will be kept on file for… however many… months after application” to the privacy notice on your application forms, you will gain sufficient consent to retain the CV for whatever time you deem fair. Just remember to delete it when its time’s up!
Data and the GDPR
Under GDPR, if you hold more data than you reasonably need, or for an excessive time, you could end up in a pickle and slapped with a hefty fine (the maximum fine is €20,000,000 or 4% of annual global turnover). Whilst this sounds a scary prospect, the general gist of the advice from the ICO (Information Commissioner’s Office) is reassuring: after all, this is new to everyone, mistakes will be made, and we’re only human. For those that are trying their best to be compliant, a little slip up will not mean certain bankruptcy (*phew*). Do your best, try to get it right, be able to show that you’re trying to get it right, and if you need a helping hand, that’s why we’re here.
It’s also worth noting that GDPR introduces the “right to be forgotten”, which gives individuals the right to ask you to delete information you hold about them (though that right doesn’t mean you need to delete information you are required by law to store, e.g. for payroll reasons). This is another reason to make sure you know where you are holding data and are easily able to delete it.
If your business requires more than just HR software (advice, policies, documents, etc.), give us a call on 0333 014 3888 or email us at email@example.com and our friendly team will be happy to help find the right solution for your business.