Under the General Data Protection Regulation (GDPR), storage limitation is one of the most important principles that all organisations need to get to grips with. This states that personal data should be kept for “no longer than is necessary” for the purposes for which it was created or obtained. For employee data, special care should be taken when you put this storage limitation principle into practice.
For one thing, much of what sits in an employee file is sensitive by nature: payroll details, health information (which the GDPR treats as special category data) and disciplinary records all call for particular care to ensure that the rights and interests of the individuals concerned are protected.
At the same time, it is rarely appropriate to apply a single ‘one size fits all’ storage limitation rule to the entire contents of an employee file. What to keep, how to store it, and for how long, depends on multiple factors, ranging from specific HMRC record-keeping requirements through to protecting your business against legal claims brought by former employees.
This guide explains how to put together a retention policy for your employee records, helping you to protect your business, respect the rights of your employees and stay compliant with the GDPR.
Employee records: why you need a GDPR-compliant retention policy
For all types of personal data you process, your business should have a set of internal rules setting out how long data should be stored, depending on the category the data belongs to. Taken together, these rules form your personal data retention policy.
Storage limitation is one of the fundamental GDPR principles; one of the “golden rules” you need to take into account whenever you process the personal information of individuals, including your employees. Implementing all seven GDPR principles is covered in a separate guide.
The GDPR also includes further, more detailed requirements where the principle of storage limitation becomes directly applicable. These include the following:
Data protection by default (Article 25)
This becomes especially relevant when you change existing processes or introduce new technology (a new online HR management portal, for instance). You need to be able to show that you have taken measures to ensure that, by default, only personal data “necessary for each specific purpose of the processing” is processed. Article 25(2) spells out that this obligation applies not only to the amount of data collected and the extent of its processing but also to the period of its storage, so keeping storage periods to the minimum the purpose requires is part of the default you must build in.