Updated guidance for Employers

As employers are only too aware, the General Data Protection Regulation (GDPR) came into effect on 25 May 2018 and, this month, Simply-Docs has continued the process of reviewing and updating its documents to ensure that they are GDPR-compliant.

One of the key features of the GDPR, is the requirement for employers to be transparent about their data retention policies and procedures. As the penalties for non-compliance with GDPR are much greater than was the case under the Data Protection Act, it would be helpful for employers to familiarise themselves with the newly updated Guidance note on the Management of Employee Data.

Under GDPR, the requirements relating to the retention of personal data are very similar to those which applied under the Data Protection Act. As before, it is a key requirement that personal data should only be retained for as long as there is a clear business need for it and it should be securely destroyed (for instance, by shredding) after that period has passed. In addition, employers must provide employees – new and current – with a Privacy Notice, which explains when they collect personal data from them and providing information about how the data will be processed. This must include the period for which the data will be stored, or if that is not possible, the criteria used to determine the storage period.

Employers can retain personal data relating to former employees only if one of the specified legal bases for processing applies. For example, retention for a certain period may be required for tax purposes, in which case the legal basis under the GDPR would be that it is necessary for compliance with a legal obligation.

Former employees can ask an employer to delete any personal data it holds about them and, in certain circumstances, the employer must comply with requests to delete such personal data (e.g. if the data is no longer necessary in relation to the purposes for which it was collected or processed).