Despite 87% of UK HR respondents claiming to be “fully compliant” with the GDPR, a recent study by HRCIP found that a third of HR departments admit to breaching the regulation by not deleting personal data when they should.
The EU General Data Protection Regulation (GDPR) came into force on 25 May 2018, bringing in strict requirements on how personal information may be handled and stored. Two of its core principles are data minimisation and storage limitation: you may only hold personal data that is adequate, relevant and limited to what is necessary for the purpose it was collected for, and you may not keep it for longer than that purpose requires.
As we are now almost seven months into the GDPR, the expectation is companies should have effective policies and retention periods in place, but a recent study by HRCIP suggests many companies are failing to adequately put these policies in place, particularly for employee, leaver and candidate information.
Of the 137 HR bodies surveyed, 83% claimed to have set retention periods for this data in line with the GDPR, but only 69% appear to have put them into practice: 31% were not deleting personal information promptly once its retention period had expired.
Another aspect of GDPR compliance is the right of access, under which individuals can obtain the personal data an organisation holds about them. HRCIP’s study found that only 31% of respondents gave employees access to their own data, falling to 7% for job candidates and 4% for ex-staff.
This lack of compliance is surprising, particularly as allowing individuals to self-service data would assist HR teams in keeping records accurate without spending hours manually checking and deleting information.
Although any change to data protection practice naturally takes time to implement fully, the finding that 51% of HR teams rely on calendar alerts or sticky notes to remind them to update data is shocking. HRCIP recommends that teams put adequate systems in place: an automated process would be more straightforward and quicker than the manual approach, and would relieve the strain it is putting on employees.
Strangely (or perhaps not), these findings of non-compliance sit uneasily with the 87% of respondents who, when questioned previously, said they were confident their HR departments were fully compliant.
Maybe this discrepancy shows an underlying confusion as to what exactly is required by the new legislation in terms of data retention. Under the GDPR, “personal data shall be kept for no longer than is necessary for the purposes for which it is being processed,” and storage of personal data “should be limited to a strict minimum”.
Although these instructions seem clear enough, what exactly is a “strict minimum” when dealing with employee, applicant and leaver data? The GDPR does not prescribe fixed retention periods; it leaves each organisation to set, document and justify its own. Perhaps more studies are needed to establish clearer guidance on when personal information should be securely disposed of, to help HR teams become more compliant.
It isn’t all bad news, though. According to another HRCIP study looking into HR professionals’ top priorities for the new year, 89% of respondents said that GDPR is top of their agenda, so we may well see further improvements in compliance over the coming year.