The data contained in most HR systems covers a lot of ground. There are many dimensions of data kept on employees from personal data to employee data to payroll. Regulations differ on how long each dimensions must be kept. For example, FMLA requires data is kept 3 years, but OSHA requires 5 years. And even within regulation different dimension can differ. For example, ADA requires 3 years for name, but only 1 year for address or pay rate.
Different dimension are removed at different time frames so what is not apparent to most people is that “removing someone’s data” is not a whole sale delete all data about that person. Some data maybe removed, but other data could be retained as the company sees fit.
If someone asks to be forgotten you only need to remove the personal identifying information, but you might have to keep payroll or benefits.
And the regulations make you divide up that data along those lines. In other words there are regulations and rules that apply to time data, others that apply to payroll data, and others that apply to personal data. But, that is not all.
Depending on the industry you operate in other regulations might apply to your company, but not all companies. For example, companies that have to comply with OSHA regulations have to keep data up to 30 years because you cannot predict future litigation on an issue like asbestos claims where people are injured later in life after being exposed to or handling dangerous chemicals. This also applies to sports teams because of things like CTE.
In the chart below you can see the different human resources data on the rows, and across the top the retention in years for each regulation. On the far right you see the compiled statistics of the minimum period across all regulations, the maximum period, and the recommended retention period. Worker’s compensation regulation dominates most other regulations with 10 years across most dimensions.