Skip to content

How Long to Keep Ex-Employee Records Under GDPR?

Table of Contents

In Short

  • Assess Data Sensitivity: Determine the nature of ex-employee data; sensitive information like health details may require stricter retention policies.
  • Purpose-Driven Retention: Keep records only as long as necessary for their original purpose, considering legal and business needs.
  • Regular Policy Reviews: Regularly review and update data retention policies to ensure compliance with GDPR and other relevant laws.

Tips for Businesses

Develop a clear data retention policy specifying how long different types of ex-employee records are kept. Regularly audit and update this policy to align with current legal requirements and business needs. Ensure secure disposal of records once they are no longer needed.

If you own a UK company that handles personal data, knowing about the General Data Protection Regulation (GDPR) is essential. This provides a legal framework for protecting personal data and applies to all UK organisations that handle the personal data of individuals and employees. This article will consider how long your UK company should keep ex-employee records under the GDPR, so it avoids a formal investigation from the Information Commissioner’s Office (ICO) and a potential fine of up to £17.5m.

What Are ‘Ex-Employee Records’?

Ex-employee records include any personal data your company has collected about former employees during their employment.  This could include information such as their:

  • name;
  • home address;
  • date of birth;
  • national insurance number;
  • bank details; and 
  • employment history.

Under the GDPR, you must collect and process personal information lawfully, fairly, and transparently.  Additionally, you must only collect it for specific and legitimate purposes. It must be relevant and limited to what is necessary for those purposes.

The GDPR also requires that you ensure all personal information is accurate, kept up-to-date and not kept longer than necessary.

How Long Should My Company Keep Ex-Employee Information?

Regarding ex-employee data, the GDPR sets out specific guidelines that companies must follow.  These recommended statutory retention periods (often three or six years) are designed to protect former employees’ privacy and ensure that their personal data is kept only for as long as necessary.

According to the GDPR, businesses should only keep ex-employees’ HR records for as long as necessary for the purpose for which they collected them.  The GDPR does not specify a set time limit for retaining ex-employee files.  Instead, companies must determine the appropriate retention period based on various facts.

Let us explore these factors below.

Nature of the Data

One of the factors your business should consider when determining the appropriate retention period for ex-employee records is the nature of the data. Some types of personal data are more sensitive than others and require greater protection.  For example, information about an ex-employees’ health or race would be considered sensitive personal data and would require stricter retention policies.

Reason for Data Collection

Another factor your company should consider is why it collected the data at the time of collection. If it collected the data for a specific purpose, such as payroll or tax purposes, it should only be retained for as long as necessary to fulfil that purpose.  The retention period might be longer if your business collected the data for a more general purpose, such as employment history.

Legal Requirements

Your company should also consider any legal requirements or industry standards to apply to it. Certain industries have specific regulations that dictate the retention period for certain types of personal data. Your business should ensure its retention policies comply with applicable laws or regulations.

It is also worth noting that non-compliance with the GDPR and the Data Protection Act 2018 can lead to significant financial penalties from the ICO and reputational damage.  To avoid these penalties, your company should have appropriate policies and procedures for retaining and deleting ex-employees’ records. These policies should be regularly reviewed and updated..

Risk Assessment

Additionally, your business should consider the potential legal risks of retaining ex-employees’ records. If the data is no longer necessary for the purpose it was collected, then keeping it could risk the staff member’s privacy.  This may constitute a GDPR violation in the ICO’s eyes. In turn, you may face a financial penalty (of up to £17.5m).

Generally, your company should not retain ex-employees’ records longer than necessary.  Once the retention period has expired, you should securely and permanently delete the data.  This ensures that the privacy of former staff members is protected and your company complies with GDPR rules.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

Key Takeaways

In conclusion, UK companies should only retain ex-employees’ records for as long as necessary and after considering various factors when determining the appropriate retention period.  The nature of the data, reason for collection and legal aspects should all be considered. Your business should also ensure it has appropriate policies and procedures for retaining and deleting ex-employees’ records to avoid penalties and reputational damage.  By following these guidelines, your company can protect the privacy of former staff members and ensure compliance with the GDPR and Data Protection Act 2018.

If you need help complying with data protection laws regarding former employee data, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership.  For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents.  Call us today on 0808 196 8584 or visit our membership page.  

Frequently Asked Questions

Why can the ICO issue of up to £17.5m against my company?

The ICO believes the leading way to motivate UK businesses is to threaten hefty financial penalties for GDPR non-compliance.  In this way, they have provided various multi-million-pound fines against UK organisations, which has caused many companies to comply with GDPR rules.

Why has the GDPR survived Brexit?

The UK Government has confirmed that it has no plans to repeal the GDPR, as it wishes the UK to lead the world in data protection law, regardless of no longer being part of the EU.

Register for our free webinars

Preparing Your Business For Success in 2025

Online
Ensure your business gets off to a successful start in 2025. Register for our free webinar.
Register Now

2025 Employment Law Changes: What Businesses Should Know

Online
Ensure your business stays ahead of 2025 employment law changes. Register for our free webinar today.
Register Now

Buying a Tech or Online Business: What You Should Know

Online
Learn how to get the best deal when buying a tech or online business. Register for our free webinar.
Register Now

How the New Digital and Consumer Laws Impact Your Business

Online
Understand how the new digital and consumer laws affect your business. Register for our free webinar.
Register Now
See more webinars >
Thomas Sutherland

Thomas Sutherland

Read all articles by Thomas

About LegalVision

LegalVision is an innovative commercial law firm that provides businesses with affordable, unlimited and ongoing legal assistance through our membership. We operate in Australia, the United Kingdom and New Zealand.

Learn more

We’re an award-winning law firm

  • Award

    2024 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2024 Law Firm of the Year Finalist - Modern Law Private Client Awards

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards