Tuesday, 10 July 2018

Re-writing history with the GDPR time machine



I recently had a conversation with someone where they told me that they had to politely explain to an employee that yes, they could delete their banking details from their HR system. This would be in line with the new General Data Protection Regulation (GDPR) requirements that say that people can check all the personal identification details a company holds on them, and then request that all, or some, are deleted within 30 days. The person then went on to explain to the employee that if they were to delete the banking details, the company would have no way of paying them their salary at the end of the month.

Similarly, on leaving a role an employee can ask their previous employer to erase all of their personal information. However, this obviously prevents the ex-employer from providing them with a reference in future.

Without taking away from the importance of having control over how our personal information is collected, stored and processed, I wonder if we haven’t gone too far with the GDPR. How would an ex-employee’s right to erasure work in practice? Personnel files would be reasonably easy to find and delete, especially if they were digital. The company would need to figure out if any hard copies had been made, and where they were. Formal archives are one thing, but random copies in the back of the finance director’s filing cabinet or on USB sticks are another.

Now consider last year’s budget, or the year before, where Pete was included and identified in the detailed salary budget. Erasure would mean that the budget does not balance, so instead we would “anonymise” Pete, retaining his values, but masking his name. Think that one through for a minute in the context of staff churn ratios… Looking back a year or two to understand how the budget was made up could result in a list of “AN Others”, depriving the reviewer of the ability to analyse or understand the context and build-up of the budget.

Another thought, what happens in an audit, external or tax (potentially going back seven years), when you cannot provide details to support entries in the accounts because the person’s personal details have been deleted as sanctioned by GDPR. Will the taxman accept this as satisfaction of an audit query? I suspect not.

Furthermore, in a digital world, our personal data footprint spreads far and fast. Sure, on the one hand it’s probably easier to search than paper information, but on the other: what a tangled web our digital lives are. That former employee’s email address in a chain of emails involving other people? A company newsletter with a captioned photograph of a team-building event, including the employee? A LinkedIn post written by that employee on behalf of the company, with a lively debate in the comments? Does other data, communication and content simply get razed to comply with the GDPR? “Sorry John, I know this was a valuable conversation with a customer and it would be good to keep a record of it, but it’s got to go because it mentions Pete. And, by the way, please delete all the copies you might still have of the newsletter from four years ago and replace it with this redacted one. Yes, I know we’ve ruined the picture by blanking out Pete’s face, but it is what it is…”

How is this workable? And is this even necessary: unless you are Jason Bourne, does it matter that you appear photographed with the winning company quiz team of 2014? Yet companies of all sizes could potentially get bogged down in administration, hunting down the most ephemeral of mentions within the 30-day compliance period. In the long term, companies may reassess their corporate communications, or the systems they use – favouring one system to rule them all to make searching for data easier, rather than best-of-breed systems that allow their people to do their best work. Or do companies start asking employees to opt out of their right to erasure to cover themselves for that one time Pete is mentioned in the company newsletter? And would that even be legal?

One needs to ask: when does personal data become company data? History can’t be changed; Pete was a part of the company, and Pete’s salary was a part of the budget last year. The blog and the company newsletter represent the history of the company. The budget, the blog and the newsletter are all company property and reflect, in different ways, the company’s history. Does GDPR extend to changing or re-writing that history?

Some of the examples may seem a bit tongue in cheek, but if one applies the letter of the law in its most draconian interpretation… It is early days yet: the GDPR has only been in place for a month and no doubt some of these details will get ironed out as we go. But with the US, Australia and India already indicating they will follow the European Union’s lead, there is no doubt this may rapidly become the global standard. And the number of GDPR notifications I am seeing from South African companies today is an indication of how borderless the digital world is. I hope we haven’t just hamstrung our ability to operate in an increasingly digital, data-driven world by bogging it down in bureaucracy.

As published in AccountingWeb, 26th June 2018:
https://www.accountingweb.co.uk/community/blogs/kevin-philips/re-writing-history-with-the-gdpr-time-machine
