A third of HR teams not deleting expired personal data

A third of HR teams have admitted breaching the General Data Protection Regulation (GDPR) by failing to delete personal data about job candidates and employees who have left their organisation after data retention periods expire.

Six months after the GDPR took effect, many HR teams could be exposing their organisations to potentially huge fines by not fully complying with the regulation, a survey by software provider CIPHR has found.

Despite 83% setting retention periods for data related to employees, leavers and job candidates, only 69% had actually deleted their personal information when the periods had expired.

Yet, 87% of the 137 HR professionals surveyed said they were somewhat or very confident that their HR processes are fully compliant with the GDPR.

“We’re entering a period now where HR professionals need to focus on enforcing the policies they’ve put in place,” said CIPHR’s head of people and data protection officer Claire Williams.

“While the majority of organisations have done the necessary work to write policies, create new procedures and train staff, there remains a question over whether data-protection principles have actually been built into the design of the organisation, to ensure they are being adhered to consistently. It is proof of an intrinsic culture of data protection that the Information Commissioner’s Office (ICO) would be looking for during an inspection.”

Ninety-three per cent had updated policies and 86% had introduced employee training, which CIPHR said was at odds with the relatively low proportion of organisations that were deleting data when they needed to.

Most HR professionals felt their teams were prepared before the regulation came into force on 25 May 2018. Fifty-two per cent felt somewhat prepared, 30% felt very prepared and only 14% felt somewhat unprepared or very unprepared.

Employees unable to access their own data

Only 31% of HR professionals had followed the ICO’s key recommendation for GDPR compliance: enabling self-service access to employees’ personal data. This failure also extended to self-service access for job applicants (7%) and former staff (4%).

Williams said: “I’m really surprised that employers aren’t actively using self-service – which is such a common, widely used tool – to assist them in adhering to the GDPR principles, especially in relation to ensuring individuals’ rights, such as the right to access and the right to rectification.

“The GDPR sets out very clear rights for individuals in relation to how they access, rectify and erase data, and enabling self-service is an easy way to comply with those requirements. Not to mention all the other benefits associated with self-service HR for staff – such as improved data accuracy, absence management, better communication and, ultimately, higher employee engagement.”

Lucy Gordon, senior solicitor at ESP Law, warned employers not to become complacent with areas such as employee training now that the regulation is in place.

“I would encourage businesses to update and modify their processes as time goes on in line with the current guidance,” she said. “It’s also prudent to keep training employees about their obligations so that bad habits don’t develop and to audit processes regularly to ensure that they remain compliant.”

Only 79% of HR professionals were confident that their wider organisation’s processes were fully GDPR compliant.

Fifty-one per cent said they were relying on less formal reminders, such as paper notes or calendar reminders, to delete personal data, rather than automated processes built in to their HR or recruitment systems.

Gordon said such ad-hoc reminders are prone to human error and delay, “There is a surprisingly high number of respondents who have not deleted records where retention periods have expired and this suggests that these methods need revising to ensure that the appropriate action is taken.

“Consolidating your HR systems and data retention strategy removes the risk of human error and reliance on individuals responding to reminders.”

2 Responses to A third of HR teams not deleting expired personal data

  1. Avatar
    Darren Newman 12 Dec 2018 at 6:41 pm #

    Personally I’m surprised that as many as two thirds of respondents were deleting their data. The chances of anyone actually being fined for this sort of thing are vanishingly small. If anybody actually cared enough to enquire as to whether their data had been properly deleted, the employer would be prompted to do something about it and there would be no need for any further action. It is important to have a sense of proportion about GDPR – ask how much harm is being done and how much someone is likely to be bothered by the fact that data is being retained. There is no need to create an administrative mountain out of a regulatory molehill.

  2. Avatar
    Thomas 15 Feb 2019 at 8:39 am #

    I am in agreement with Darren I am sure there are many many companies with roof spaces full of HR records that have expired and not secured. Also many hard drives from old computers that have not been destroyed that would have on them sensitive personal data from previous employees that have long left. Thanks for the article, Ashleigh.

Leave a Reply