By Gert Beecksman, Chief Security & Risk Officer, SD Worx
On 25th May 2018, the General Data Protection Regulation (GDPR) comes into effect, with the objective of strengthening the data privacy rights of all EU citizens. Naturally, this is triggering a massive restructuring of the way companies organise their data. The new storage rules state that employers should not retain personal employee data for longer than is necessary, and while the idea of simply discarding unnecessary employee data sounds simple enough, the process can be far more complex in practice.
To provide more context, GDPR adds new requirements that make the storage limitation principle considerably stricter, making it illegal to process and store data excessively. GDPR also demands that HR managers are extremely careful about exactly what they ask from their colleagues, as specific time limits will be set for both the processing and the reviewing of data.
The amount of time that employers are allowed to retain data will consequently become much clearer, with the time limit logged in a registry. If an HR department fails to comply with this, it is left exposed to the risk of sanction. Furthermore, if employees feel that their HR department is holding personal data for an excessive duration, they have the right to request erasure.
But while GDPR’s new retention policies may initially evoke daunting prospects for HR managers, the solutions are in fact simple, helping to drive long-term benefits such as increased productivity for companies. First and foremost, HR managers need to identify the exact challenges they’ll encounter, and how different forms of data will be affected.
Identifying and tackling challenges
There is currently very limited guidance on how to manage sensitive employee documents and information. This means that the idea of a strict minimum retention period for certain documents, particularly those that do not fit neatly into a set category, can be subjective and open to interpretation.
To combat this, HR managers should research and document the specific legal requirements and ask the following questions: Is there a legal obligation to keep a document, and for how long? Do I need this information to make future business decisions for the company?
To overcome these challenges, organisations can set up an internal company HR retention schedule. All documents pertaining to employees should be re-archived under clearly defined categories according to the dates on which the company is required to dispose of them. Employees should also be made aware of this reorganisation of files via the company intranet. On top of this, there should be a periodic review of all archived documents to delete any data that is no longer needed.
Know which data is useless
Some data that the HR team may think is useless may, in fact, be important to retain, and vice versa. For example, an individual who was unsuccessful in the application process may ask for their data to be deleted. In this case, the employer should not keep the documents of unsuccessful applicants beyond the statutory period in which a claim arising from the recruitment may be brought. However, under GDPR, employers can keep a limited record for longer than data retention authorities advise, provided that (a) the HR department has a valid reason, such as a talent pool, and (b) the applicant consents.
Another request may concern ‘the right to be forgotten’ from a former member of staff. Ex-employees do have the right to submit requests to be forgotten, but an employer can still refuse to erase their data if the information will be necessary for the defence of legal claims that the ex-employee may later file against the business.
If data was collected to comply with legal obligations, or for the exercise of official authority, it cannot be erased. Additionally, if an employee is dismissed for performance reasons, then there is always the risk that they will challenge the company. The best advice in this case is to keep the contract for as long as statutory limitation periods are applicable under criminal law.
In preparation for GDPR, HR teams will need to develop internal policies for retaining or discarding employee and ex-employee data. If HR managers create policies that take all possible employee concerns into account, and even offer their employees a stronger role in company policy-making, they will create the most flexible intranet and avoid both legal action and GDPR infringement.