A third (33%) of HR teams admit to breaching the General Data Protection Regulation (GDPR) by failing to delete personal data about employees, leavers and job candidates after data-retention periods expire, according to a survey by CIPHR.
Although 83% of HR professionals surveyed have set retention periods for employee, leaver and job candidate data, just 69% put these policies into practice and deleted the data when such periods expired.
The findings are at odds with HR professionals’ confidence in their compliance with the GDPR’s requirements, the research found. Six months on from the 25 May 2018 GDPR deadline, 87% of respondents said they were ‘very’ or ‘somewhat’ confident that their HR processes are now fully compliant with the regulations. Their confidence fell to 79% when asked about their wider organisation’s compliance with the GDPR.
The study also found that HR professionals had ignored the Information Commissioner's Office (ICO) recommendation of enabling self-service access to data. Only a third (31%) of respondents said they had enabled self-service access to personal data for employees in response to the GDPR, with that proportion falling dramatically for job applicants (7%) and former staff (4%).
CIPHR’s survey also found that just two-thirds (65%) of HR teams had requested consent from employees, leavers and applicants to hold their personal data.
The relatively low number of people deleting expired data is a cause for concern, said Claire Williams, head of people and data protection officer at CIPHR.
“We’re entering a period now where HR professionals need to focus on enforcing the policies they’ve put in place," she said. "While the majority of organisations have done the necessary work to write policies, create new procedures and train staff, there remains a question over whether data-protection principles have actually been built into the design of the organisation. It is proof of an intrinsic culture of data protection that the ICO would be looking for during an inspection.
“HR teams – and organisations more widely – must be actively considering the lawful bases for the ongoing processing of data, and take appropriate action if that purpose is no longer relevant,” she added.
Lucy Gordon, senior solicitor at ESP Law, warned organisations not to become complacent. “Much of the detail of how compliance will work in practice is yet to be confirmed,” she said. “I would encourage businesses to update and modify their processes as time goes on in line with the current guidance. It’s also prudent to keep training employees about their obligations so that bad habits don’t develop, and to audit processes regularly to ensure that they remain compliant.”
CIPHR surveyed 137 HR professionals in the UK and Ireland between 24 October and 9 November 2018.