
GDPR and Data Relating to Former Employees

The principles relevant to the retention of employee data under the General Data Protection Regulation (“GDPR”), which comes into effect on 25th May 2018, do not differ greatly from those under the current data protection regime.  

Under both the GDPR and the Data Protection Act 1998, personal data must be kept for no longer than is necessary for the purposes for which it is processed. However, the GDPR requires employers to be more transparent about their retention policies and includes additional rights for employees and greater penalties for non-compliance. 

Right of portability 

Data subjects will have the right to request that their personal data be provided to them (or a third party) in a machine-readable, portable format free of charge. Employers should consider how and where the personal data is held and whether it can be easily transferred in a safe, secure manner without impacting the usability of such data by the data subject. The employer will need to comply with such requests without undue delay, and in any event within one month.

Right to be forgotten (right to erasure) 

Data subjects have the right to request the removal or erasure of personal data, for example if it is no longer necessary, the individual objects to such processing and/or the individual withdraws consent. Not only will employers need to comply with such requests, but they will also need to ensure that any third party with whom such employee data was shared also deletes such data.

Data subject access requests  

Under the GDPR, the right of data subjects to request information about the personal data processed by employers remains largely the same. However, under the new regime employers must respond without undue delay and in any case within one month of receipt of the request. Additionally, the £10 fee for making a request will be abolished.

The new data subject rights may present practical issues for employers and HR teams, especially where employee data is spread across multiple or complex systems. Employers will need to update the relevant policies and procedures to reflect the new GDPR requirements. HR teams should review existing procedures in place when responding to data subject access requests to ensure the new time scales are met.  

Other considerations 

Employers must provide employees with a privacy notice when they collect personal data from them, providing information about how the data will be processed. This must include the period for which the data will be stored, or if that is not possible, the criteria used to determine the period. Therefore, employers will need to have a clear policy on the retention of personal data. 

Employers can retain personal data relating to former employees only if one of the specified legal bases for processing applies. For example, retention for a certain period may be required for tax purposes, in which case the legal basis under the GDPR would be that it is necessary for compliance with a legal obligation. However, the employer could rely on this legal basis only for the retention of pay data relevant to that purpose, not for the retention of the former employee’s entire personnel file. Employers must have a system in place for identifying data that should be retained, identifying the purpose and legal basis for retaining it, determining for how long it should be retained and ensuring that it is deleted after the relevant period. 

If GDPR is already causing you a headache and you need some clarity on what the legislation says and how that may impact on you, your business and your employees, then please get in touch with SCE Solicitors. We have a range of templates and seminars, as well as hands-on assistance, to guide you through the process.

The GDPR is a complex piece of legislation, so to get you started we have picked eight issues which businesses should start considering.  We have written a variety of articles to assist your business review and implement changes to ensure you are compliant.

If you need help and advice regarding GDPR, please do not hesitate to contact me or the employment team on 0113 350 4030 or at hello@scesolicitors.co.uk.

If you would like to be kept up to date with employment law and dispute resolution updates, please subscribe to our monthly newsletter.

SCE Solicitors is a boutique employment law practice based in Leeds which advises clients nationwide.  Please note that the information in this blog is to provide information of general interest in a summary manner and should not be construed as individual legal advice. Readers should consult with SCE Solicitors or other professional counsel before acting on the information contained here.

Richard Newstead

Richard qualified as a Legal Executive over 20 years ago and has significant experience in Employment law and Litigation. Richard acts for both employers and employees, drafting and advising on settlement agreements, contracts of employment, consultancy agreements, directors' service agreements and general workplace policies. He acts for commercial clients in the employment tribunal, dealing with unfair dismissals, constructive dismissals and claims for discrimination.
