How long should I keep staff records for under GDPR?

You won’t need to store all staff records forever. But how long should you keep them to comply with GDPR?

First published on Thursday, August 13, 2020

Last updated on Thursday, August 13, 2020

As the General Data Protection Regulation (GDPR) deadline draws closer, you could have a few last-minute questions about the new law.

You might be wondering how long you need to keep staff records for. The answer to this will depend on whose data you’re keeping and how long you’ve stored it for already.

Find out how long you should keep records for current staff, former staff and job applicants. 

Current staff

GDPR doesn’t set out any minimum or maximum time limits for keeping staff data. But it does state that you shouldn’t keep personal data for longer than you need to.

The length of time you’ll keep data for will depend on the reason why you collected it. For example, if you collect an employee’s contact number to use in case of emergency, it’s not necessary to keep this once the employee leaves.

You must decide how long it’s necessary to hold data for. That said, there are legal requirements for you to follow.

Here are a few:

  • Working time records: Keep for 2 years from the date the records refer to.
  • Payroll records: Keep for 3 years from the end of the tax year that they relate to.
  • Maternity, Paternity or Shared Parental Pay records: Keep for 3 years after the end of the tax year that the payment stopped.

Former staff

After an employee leaves, you shouldn’t bin their records right away. You might need them to defend yourself against a tribunal or court claim.

Generally, an employee can make a claim to an employment tribunal within three months of their employment ending. But depending on the claim, the limit can be six months or longer.

If an employee claims that you’ve breached their contract, they might take you to the civil courts. They can do this within six years of the alleged breach.

As a result, you should keep personal data, performance appraisals and employment contracts for six years after an employee leaves.

Don’t forget, a former employee—or anyone you hold data on—might issue you with a Subject Access Request (SAR) to see what data you have on them.

To put together your own SAR policy, use a free template from our download centre.

Job applicants

You collect a lot of information from job applicants including CVs, cover letters and interview notes.

You should hold onto this data for 6 months even if the applicant was unsuccessful, as they could log a discrimination claim against you within this time.

Want to keep CVs on file for the future? To be GDPR compliant, you’ll need to get consent from applicants and make sure their information is up-to-date.

To follow our 12 steps for GDPR compliance, head to our GDPR info centre.

Manage staff records easily with BrightHR

You probably don’t want dusty filing cabinets cluttering your workplace. And you won’t need any with BrightHR.

BrightHR has unlimited HR document storage space, so you can keep all your staff files in one place—for as long as you like.

That’s not all. Your staff can access their own personal information and update it.

And if they ask you to delete some of their data, you can reassure them that it’ll be permanent. This is because BrightHR will ‘hard delete’ it.

Request a free demo today to see just how easy BrightHR makes managing your staff records.
