The General Data Protection Regulation (GDPR) has been in force in Europe since the 25th of May 2018. It strengthens and unifies data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU, enforces penalties for breaches and defines stronger conditions for consent. At its heart, GDPR is about protecting the rights of individuals (think employees and job candidates).
GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
How long should records be kept under the Data Protection Act and GDPR?
Hiring and applicant data
It may not seem vital to keep information from interview notes or job applications you have received once someone has filled the role.
However, there is the possibility that a rejected applicant may make a claim against you for discrimination. By law, they have six months from the date of the alleged incident in which to do so. For this reason, we recommend that you keep all data throughout this period.
Payroll data
It is less likely that you will need this information to defend a claim. Because financial details are very sensitive, we recommend destroying them without much delay. This will help you to demonstrate a strong data retention policy under GDPR.
HMRC can investigate your activities relating to PAYE and other payroll-related matters up to three years after the fact. For this reason, it’s a good idea to keep these details for this length of time and no more.
Employee records
This information includes employment contracts, details of their performance, and other records relating directly to their work with you. This data can prove very useful when defending against a claim brought by the data subject. Among other things, you may use it to:
- Disprove details of their accusations
- Serve as evidence that you did your duty as an employer
- Support claims that you gave the subject the correct information and support during their employment
A claim for unfair dismissal must be made a maximum of three months after the fact. However, the data subject can take their case to the county court or crown court up to six years following the alleged act.
For this reason, it’s a good idea to keep this information for around six years.
GDPR applies not only to organizations based within the EU but also to those that track the personal data of staff located in the EU. For more background information on GDPR, please refer to the OrangeHRM white paper.
How OrangeHRM helps to accomplish GDPR
Candidates are asked to consent to their data being kept for future processing.
If a candidate agrees and provides consent, their records will not be removed from the vacancy when purging candidate data.