How to manage the retention of employee data under the General Data Protection Regulation (GDPR)
Click on any of the hyperlinks to go to more detailed guidance below.
- Be aware that the GDPR requires employers to be transparent about their data retention policies and procedures.
- Understand the importance of identifying the legal basis for retaining each category of personal data.
- Be aware of additional requirements relating to the retention of special categories of data and criminal records data.
- Put in place a specific policy on the retention periods for particular types of HR personal data, based on the purpose for holding the data and the needs of the business.
- In general, destroy records relating to recruitment six months after completion of the recruitment exercise.
- Retain the details of unsuccessful job applicants only if you have a legal basis for doing so and you have notified them of this in a privacy notice.
- Ensure that your disciplinary procedure does not give the impression that data relating to disciplinary proceedings will be destroyed when the relevant warning expires.
- Set a retention period of at least eight months after the end of an individual's employment for personal data that may be needed to defend a tribunal claim.
- Keep information relating to the payment of salary, bonuses and commission for six years following the end of employment.
- Keep information relating to health and safety matters for at least three years following the end of employment, and assess whether or not the possibility of latent claims means that the records need to be kept for longer.
- Remember that there are legal obligations on employers to keep certain records for specific periods of time.