Businesses still unsure of their data obligations

Businesses in the UK are in breach of the requirements of the General Data Protection Regulation (GDPR) by failing to delete personal data about employees, leavers and candidates after data-retention periods expire, according to a new survey.

While many businesses have done the necessary work to create policies and procedures and train staff, there is still a question over whether data-protection principles have actually been built into everyday working, and whether checks and balances are in place to ensure they are adhered to consistently.

Managers must actively consider the lawful bases for the ongoing processing of data and take appropriate action if that purpose is no longer relevant. This means regularly “clearing” out data and ensuring that any data still being held is held correctly and lawfully.

