Do you comply with your own data retention policies? Follow these 5 steps to ensure compliance!

Remember Spring 2018 and the rush to become GDPR compliant? Remember the relief when you updated your Data Protection Policy and Privacy notices?

Compliance with GDPR does not, of course, stop there and the potential penalties for breach (up to 4% of annual turnover) remain.

A recent survey by Personnel Today reported that despite 83% of HR teams setting retention periods for data related to employees, leavers and job candidates, only 69% had actually deleted their personal information when the periods had expired i.e. almost a third admitted to a data protection breach.

So, what should you do?


1. Check that you have a policy if you need one

It is a fundamental GDPR principle that you must not keep data for longer than you need it and Article 30 of GDPR provides that, where possible, organisations should keep records of the envisaged time limits for erasure of the different categories of data (i.e. have Data Retention policies or retention schedules that list the types of record or information you hold, what you use it for, and how long you intend to keep it).

Such a policy is not mandatory for all organisations, but it is best practice and helps to ensure compliance with the fundamental GDPR principles.


2. Set up a regular review of the policy

The GDPR does not set time limits for the retention of data, instead, a policy must be based on the purpose for holding the data and the needs of the business.


3. Training

Set up ongoing training for those who will handle personal data (i.e. managers as well as HR) and ensure it is part of the onboarding process.


4. Systemise the implementation

Wherever possible put in place some robust processes and systemise the implementation so that compliance isn’t dependent on someone remembering to do something.

For example,

  • is there a process to flag documents which have come to the end of their retention period?
  • Is there a process to review deletion and ensure it takes place where applicable?

If you have an HR system, use it!

Formalise reminders and automate the review and deletion process.


5. Keep Data Protection live!

GDPR cannot be left in 2018. In meetings and in policy reviews, remember to give data protection a place at the table!


It is important that you constantly review your processes to ensure that you are complying with the GDPR requirements. As GDPR evolves it is critical that you make sure your policies and practices reflect your legal obligations.

If you would like us to review your core documentation to ensure it reflects best practice and your obligations, or you would like to chat through your processes, get in touch with Ros at Employment Law in Action.