News Staff November 26, 2018

Third of HR teams fail to delete personal data after retention periods expire

Six months on from the GDPR, new study highlights discrepancies between data protection policies and practices among UK HR teams – despite 87% saying they are confident their processes are ‘fully compliant’ with the regulations

A third of HR teams admit to being in breach of the requirements of the General Data Protection Regulation (GDPR) by failing to delete personal data about employees, leavers and candidates after data-retention periods expire, according to a new survey by HR solutions provider CIPHR.

Although four-fifths (83%) of the 137 UK HR professionals surveyed said they have set retention periods for employee, leaver and candidate data, just 69% said they’d put these policies into practice and actually deleted data where retention periods have expired.

The apparent mismatch between the high proportion of HR teams who had updated policies (93%), introduced employee training (86%) or defined data retention periods (83%) and the relatively low proportion that are actively deleting expired data was a cause for concern, said CIPHR’s head of people and data protection officer Claire Williams.