Data retention became a hot topic after GDPR thrust the right to be forgotten (formally, the right to erasure) into the world. But how do you honor it and still remain compliant with other laws that require you to retain data for a minimum length of time? Well, as you probably predicted, it is complicated. We will go through what it means to forget someone, and which fields and specific data you can remove.

Forget Me Not

The data contained in most HR systems covers a lot of ground. There are many dimensions of data kept on employees, from personal data to employment data to payroll. Regulations differ on how long each dimension must be kept. For example, FMLA requires that records be kept for 3 years, but OSHA requires 5 years. And even within a single regulation, different dimensions can differ: for example, ADA requires 3 years for name, but only 1 year for address or pay rate.

Different dimensions are removed on different time frames. So what is not apparent to most people is that "removing someone's data" is not a wholesale delete of all data about that person. Some data may be removed on request, while other data must be retained until its legal hold expires, and beyond that point the company may retain it or not as it sees fit.

Other regulations affect a company depending on its industry. For example, OSHA's rules on employee exposure and medical records require companies to retain that data for 30 years (the 5-year figure above is for injury and illness logs). The reason is that it can take a long time for people to show signs of injury: asbestos claims, for example, showed up 20-30 years after workers handled the material. This can also apply to sports teams because of conditions like CTE.

The good news is that we created a chart of the different human resources data and their retention periods under the various laws. Each row represents a different data set, and each column a different law. On the right are combined statistics for the row: the minimum period, the maximum period, and the recommended retention period.
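As an added, constructed example (not code from the original post, and not the chart's own logic), the following Python applies a right-to-erasure request one field at a time against a per-field retention table. The table uses only the periods quoted above, the field names and sample record are invented for illustration, and the rule of holding each field for the longest period any listed law imposes is an assumption, not legal advice; a field the table does not know about is flagged for review rather than silently deleted or kept.

```python
from datetime import date

# Constructed retention table (hypothetical, illustration only): field -> {law: years}.
# Only the periods quoted in the text are used; a real table needs legal review.
RETENTION_YEARS = {
    "name":            {"FMLA": 3, "ADA": 3, "OSHA": 5},
    "address":         {"FMLA": 3, "ADA": 1},
    "pay_rate":        {"FMLA": 3, "ADA": 1},
    "exposure_record": {"OSHA": 30},
    "marketing_prefs": {},   # no statutory hold assumed: erasable on request
}


def _as_date(d):
    """Accept a date or an ISO-8601 string (HR exports usually hand you strings)."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def add_years(d, years):
    """Date arithmetic that does not blow up on 29 February."""
    d = _as_date(d)
    try:
        return d.replace(year=d.year + years)
    except ValueError:                # 29 Feb in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def retention_summary(table=RETENTION_YEARS):
    """Per field: (shortest, longest) period across the laws listed for it.
    The longest is the hold to apply, because every listed law must be satisfied."""
    summary = {}
    for field, laws in table.items():
        years = list(laws.values())
        summary[field] = (min(years), max(years)) if years else (0, 0)
    return summary


def erase_request(record, trigger_date, today, table=RETENTION_YEARS):
    """Apply a right-to-erasure request field by field.

    trigger_date is the event the retention clock runs from (here: separation date).
    Returns (retained, held_until, needs_review):
      retained     - fields still stored after the request
      held_until   - field -> (release date, controlling law) for held fields
      needs_review - fields absent from the table; kept and flagged, never silently dropped
    """
    trigger_date, today = _as_date(trigger_date), _as_date(today)
    retained, held_until, needs_review = {}, {}, []
    for field, value in record.items():
        if field not in table:
            needs_review.append(field)
            retained[field] = value          # keep until a human classifies it
            continue
        laws = table[field]
        if not laws:
            continue                         # no hold: field is dropped
        law, years = max(laws.items(), key=lambda kv: kv[1])
        release = add_years(trigger_date, years)
        if today >= release:
            continue                         # hold expired: field is dropped
        retained[field] = value
        held_until[field] = (release, law)
    return retained, held_until, needs_review


if __name__ == "__main__":
    # Constructed sample employee record; every value is a placeholder.
    employee = {
        "name": "A. Example",
        "address": "1 Example St",
        "pay_rate": 31.50,
        "exposure_record": "2019-11 solvent exposure log",
        "marketing_prefs": {"newsletter": True},
        "badge_photo": b"...",               # not in the table: flagged for review
    }
    kept, held, review = erase_request(employee, "2020-06-01", "2023-07-01")
    for f, (when, law) in held.items():
        print(f"{f}: held until {when} ({law})")
    print("erased:", sorted(set(employee) - set(kept)))
    print("needs review:", review)
```

Run as-is, the request made in July 2023 for someone who left in June 2020 drops the address and pay rate (their longest hold, 3 years, has run), drops the marketing preferences immediately, keeps the name until June 2025 and the exposure record until 2050, and reports the unclassified badge photo for review. Classifying every field before it is stored is what makes this workable; the review list is the safety net for fields that were added without a retention decision.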

US HR Data retention compliance