The General Data Protection Regulation (GDPR) is creeping not so slowly towards us…May 25th 2018, is just around the corner, and with it will come pressure on the Human Resources to update its approach to handling employee data.

In particular, the GDPR introduces the concept of a “right of erasure” – a right to be forgotten. The concept currently exists under EU law, but currently only applies in very limited circumstances, when data processing may result in damage or distress.

Under the GDPR, an employee will have a right to have his/her data erased and no longer processed, where consent of processing is withdrawn, where the employee objects to such processing, or where processing is no longer necessary for the purpose for which it was gathered. That said, the employer, under certain circumstances, can refuse to comply with an employee’s request for erasure of personal data – where data processing is required by law or in connection with a legal proceeding.

There is also a time limit for employers to respond to a request for erasure of data – ‘without undue delay’, and not later than one month of receipt of the request.

To meet the GDPR’s new requirements, employers have to take stock of the employee data they process related. What categories of employee data are processed? Where does it comes from? In what context and where is it processed and maintained? Who has access to it? Are the uses and disclosures being made of that information permitted? What rights do employees have with respect to that information? You get he idea…

The answers to these questions are not always self-evident. Employee data could include current, former, or prospective employees as well as interns and volunteers. It may come from assorted places and be processed in less traditional contexts.

To better understand how an employee’s “right of erasure” will impact day-to-day HR operations, below are a few practical examples where an employee will have the right, under the GDPR, to request that his/her data be erased and no longer processed.

  • You collected data during the recruitment process, but, following the appointment, you can no longer demonstrate compelling grounds for retaining it. This might include past employment verifications, education details, credit reporting and other financial history data, government identification numbers.
  • You collected data about an employee in order to administer benefits such as health insurance, but the employee has since opted out of the benefits program.
  • You collected employee online monitoring data for work productivity purposes which is no longer needed.
  • You processed data related to employee job performance issues (g., late arrivals, absences, disputes with a coworker, etc.) a number of years ago, and the employee has not had similar issues since.
  • You collected identifying data on an employee such as an employee’s past address, phone number, email address, username, financial account information, etc., but the employee has since provided updated information.
  • Employers must be ready to comply with GDPR on 25th May. If your organisation has not started, it should begin implementing policies and procedures that inform employees of their enhanced rights to control over their personal data and ensure it can comply with those rights and train HR personnel handling employee requests.

You can find out more about GDPR here.


FREE first advice

Have you ever wanted to just ask an expert employment law solicitor if they can help you, without worrying about what it may cost to contact them?

Get in touch

We’d like to talk to you to see what we can do to help, so please either call us anytime for free on 08000 614 631, email us or use the form below.

Together we can work out what your next steps might confidence, at no cost and with no obligation.


* indicates required
McCabe and Co Solicitors will use the information you provide on this form to be in touch with you and to provide updates and marketing. Please let us know all the ways you would like to hear from us:
You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, or by contacting us at We will treat your information with respect. For more information about our privacy practices please visit our website. By clicking below, you agree that we may process your information in accordance with these terms.
We use Mailchimp as our marketing platform. By clicking below to subscribe, you acknowledge that your information will be transferred to Mailchimp for processing. Learn more about Mailchimp's privacy practices here.