GDPR Myth Busting – If we receive a deletion request we have to delete everything about them

The Right to be forgotten (or the right to erasure) is not an absolute right and does not apply where there is a lawful reason for the continued processing.

HR records often present issues. For tax purposes, you need to keep records of people who have worked for you for 7 years, including a name, start date and termination date. But you are unlikely to have a lawful reason to keep other information such as emergency contact details, passport scans and bank details.

You should set out retention periods and securely delete unnecessary data, in hard copy and electronic formats including backups, when it is no longer required.

This also makes it easier to respond to a data subject access request, as if you don’t have the information you can’t supply it.

Find out more