Will the General Data Protection Regulation (GDPR) affect for how long employers can keep data relating to former employees?

The principles relevant to the retention of employee data under the General Data Protection Regulation (GDPR) do not differ greatly from those under the current data protection regime. Under both the GDPR and the Data Protection Act 1998, personal data must be kept for no longer than is necessary for the purposes for which it is processed.

However, the GDPR requires employers to be more transparent about their retention policies and includes additional rights for employees and greater penalties for non-compliance.

Employers must provide employees with a privacy notice when they collect personal data from them, providing information about how the data will be processed. This must include the period for which the data will be stored, or if that is not possible, the criteria used to determine the period. Therefore, employers will need to have a clear policy on the retention of personal data.

Employers can retain personal data relating to former employees only if one of the specified legal bases for processing applies. For example, retention for a certain period may be required for tax purposes, in which case the legal basis under the GDPR would be that it is necessary for compliance with a legal obligation. However, the employer could rely on this legal basis only for the retention of pay data relevant to that purpose, not for the retention of the former employee's entire personnel file. Employers must have a system in place for identifying data that should be retained, identifying the purpose and legal basis for retaining it, determining for how long it should be retained and ensuring that it is deleted after the relevant period.

Former employees can request that the employer delete personal data it holds about them. The employer must comply with the request in certain circumstances, for example if the data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.

The GDPR will come into effect on 25 May 2018.