
Re-writing history with the GDPR time machine

26th Jun 2018

I recently had a conversation with someone who told me that they had to politely explain to an employee that yes, they could delete their banking details from their HR system.

This would be in line with the new General Data Protection Regulation (GDPR) requirements, under which people can ask to see all the personal data a company holds on them and then request that all, or some, of it be erased, with the company required to act without undue delay and in any event within a month. The right is not unconditional: Article 17 lists the grounds on which it applies and the exceptions to it (a legal obligation to keep the data, for example), but the employee's understanding was that it was. The person then went on to explain to the employee that if they were to delete the banking details, the company would have no way of paying them their salary at the end of the month.

Similarly, on leaving a role an employee can ask their previous employer to erase all of their personal information. However, this obviously prevents the ex-employer from providing them with a reference in future.

Without taking away from the importance of having control over how our personal information is collected, stored and processed, I wonder if we haven’t gone too far with the GDPR. How would an ex-employee’s right to erasure work in practice? Personnel files would be reasonably easy to find and delete, especially if they were digital. The company would need to figure out if any hard copies had been made, and where they were. Formal archives are one thing, but random copies in the back of the finance director’s filing cabinet or on USB sticks are another.

Now consider last year's budget, or the year before, where Pete was included and identified in the detailed salary budget. Erasure would mean that the budget no longer balances, so instead we would "anonymise" Pete (strictly, pseudonymise him: the row and its values stay, only the name is masked). Think that one through for a minute in the context of staff churn ratios. Looking back a year or two to understand how the budget was made up could result in a list of "AN Others", depriving the reviewer of the ability to analyse or understand the context and build-up of the budget.

Another thought: what happens in an audit, external or tax (potentially going back seven years), when you cannot provide details to support entries in the accounts because the person's personal details have been deleted, as sanctioned by the GDPR? Will the taxman accept this as satisfaction of an audit query? I suspect not.

Furthermore, in a digital world, our personal data footprint spreads far and fast. Sure, on the one hand it’s probably easier to search than paper information, but on the other: what a tangled web our digital lives are. That former employee’s email address in a chain of emails involving other people? A company newsletter with a captioned photograph of a team-building event, including the employee? A LinkedIn post written by that employee on behalf of the company, with a lively debate in the comments? Does other data, communication and content simply get razed to comply with the GDPR? “Sorry John, I know this was a valuable conversation with a customer and it would be good to keep a record of it, but it’s got to go because it mentions Pete. And, by the way, please delete all the copies you might still have of the newsletter from four years ago and replace it with this redacted one. Yes, I know we’ve ruined the picture by blanking out Pete’s face, but it is what it is…”

How is this workable? And is it even necessary: unless you are Jason Bourne, does it matter that you appear photographed with the winning company quiz team of 2014? Yet companies of all sizes could potentially get bogged down in administration, hunting down the most ephemeral of mentions within the one-month compliance period. In the long term, companies may reassess their corporate communications, or the systems they use, favouring one-system-to-rule-them-all to make searching for data easier, rather than best-of-breed systems that allow their people to do their best work. Or do companies start asking employees to opt out of their right to erasure to cover themselves for that one time Pete is mentioned in the company newsletter? And would that even be legal?

One needs to ask when personal data becomes company data. History can't be changed: Pete was a part of the company, and Pete's salary was a part of the budget last year. The blog and the company newsletter represent the history of the company. The budget, the blog and the newsletter are all company property and reflect, in different ways, the company's history. Does the GDPR extend to changing or re-writing that history?

Some of the examples may seem a bit tongue in cheek, but they follow from applying the letter of the law in its most draconian interpretation. It is early days yet: the GDPR has only been in place for a month and no doubt some of these details will get ironed out as we go. But with the US, Australia and India already indicating they will follow the European Union's lead, it may rapidly become the global standard. And the number of GDPR notifications I am seeing from South African companies today is an indication of how borderless the digital world is. I hope we haven't just hamstrung our ability to operate in an increasingly digital, data-driven world by bogging it down in bureaucracy.

Replies (4)


paddle steamer
27th Jun 2018 10:26

It does all somewhat remind one of Winston Smith in the Records Department at the Ministry of Truth.

Like a multiverse in looped spacetime, future events (say, Eddie resigning) act as a feedback loop to events we consider set and in the past. If Eddie is eradicated from the past, can he even be said to have ever existed in the first place?

Frankly the Western world has now totally disappeared up its own...........

Thanks (0)
By [email protected]
28th Jun 2018 16:04

While the problem described is indeed a problem, everyone should remember that there are multiple grounds (6 in total) for retaining data, and it's not automatic that a request to delete should be honoured.
And pseudonymisation does not have to be as simplistic as "A.N. Other".
But yes, it's a mess, and yes, it will take time for the new regime to settle down, and the inherent contradictions between GDPR and other legal obligations and necessities to be satisfactorily resolved.
The only clear conclusion is that despite years of design and preparation, lawmakers and legal drafting professionals screwed up big-time. A real question of (in)competence on the part of law-makers and their advisers. Are they really qualified to draft and make laws?

Thanks (0)
By mgbacchus
29th Jun 2018 18:56

I wonder how GDPR deletion requests will work with items held in a blockchain which are, by definition, immutable. It will be possible of course to delete all the keys so the item is still there in the chain but nobody can read it any longer. But what if part of the information is still required and only part has to be deleted?

Thanks (0)
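The key-deletion approach the comment above describes is usually called crypto-shredding: the immutable record holds only ciphertext, the keys live off-chain, and erasure is deleting the key. Its second question, partial deletion, is answered by giving each identifying field its own key. The following is an added example (not code from the original post or from any commenter) that sketches the idea in Python on the standard library alone. It assumes a hash-chained append-only list as a stand-in for a blockchain, an HMAC-SHA256 keystream as a stand-in for a real cipher (use AES-GCM from a vetted library in practice), and a hypothetical `emp-NNNN` pseudonym format; the payroll lines are constructed sample data.

```python
import hashlib
import hmac
import json
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt data by XOR with an HMAC-SHA256 counter-mode keystream.

    Illustrative stand-in for a real cipher so the example runs on the standard
    library alone; in production use AES-GCM from a vetted library.
    """
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class ImmutableLedger:
    """Append-only hash chain standing in for a blockchain: entries are added, never changed."""

    def __init__(self) -> None:
        self.entries = []

    def append(self, payload: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(payload, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "body": body, "hash": digest})
        return digest

    def verify(self) -> bool:
        """True if every entry still chains to its predecessor (nothing was altered)."""
        prev = "0" * 64
        for entry in self.entries:
            expected = hashlib.sha256((prev + entry["body"]).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


class KeyVault:
    """Off-chain store of one key per (subject, field). Deleting a key is the erasure."""

    def __init__(self) -> None:
        self.keys = {}

    def key_for(self, subject: str, fieldname: str) -> bytes:
        return self.keys.setdefault((subject, fieldname), os.urandom(32))

    def shred(self, subject: str, fieldname: str) -> None:
        self.keys.pop((subject, fieldname), None)


def record_payroll(ledger, vault, subject, name, bank_account, salary) -> str:
    """Write one payroll line. 'subject' is an opaque pseudonym (hypothetical format);
    the identifying fields are encrypted under their own keys, and the salary amount
    stays in clear so the budget still adds up after an erasure."""
    payload = {"subject": subject, "salary": salary}
    for fieldname, value in (("name", name), ("bank_account", bank_account)):
        nonce = os.urandom(16)
        ciphertext = keystream_xor(vault.key_for(subject, fieldname), nonce, value.encode())
        payload[fieldname] = {"nonce": nonce.hex(), "ct": ciphertext.hex()}
    return ledger.append(payload)


def read_field(ledger, vault, index: int, fieldname: str):
    """Decrypt one field of one entry; None once its key has been shredded."""
    entry = json.loads(ledger.entries[index]["body"])
    key = vault.keys.get((entry["subject"], fieldname))
    if key is None:
        return None  # ciphertext is still on the chain, but nobody can read it
    blob = entry[fieldname]
    return keystream_xor(key, bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])).decode()


def budget_total(ledger) -> int:
    """Totals still reconcile: the amounts were never encrypted, only the identities."""
    return sum(json.loads(entry["body"])["salary"] for entry in ledger.entries)


if __name__ == "__main__":
    # Constructed sample data, not real people or accounts.
    ledger, vault = ImmutableLedger(), KeyVault()
    record_payroll(ledger, vault, "emp-0042", "Pete", "12-34-56 12345678", 48000)
    record_payroll(ledger, vault, "emp-0043", "Jane", "65-43-21 87654321", 52000)
    vault.shred("emp-0042", "bank_account")  # partial erasure: one field only
    print(read_field(ledger, vault, 0, "bank_account"), read_field(ledger, vault, 0, "name"))
    print(budget_total(ledger), ledger.verify())
```

After shredding only the bank-account key, Pete's name is still readable, his salary still contributes to the total, and the chain still verifies, because nothing on it changed. Two caveats a practitioner should weigh: the pseudonym in clear still links a subject's entries together, so it is pseudonymisation rather than anonymisation; and whether a ciphertext whose key is gone counts as "erased" is a question for the regulator, not for the code.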
By bigkahunna456
12th Jul 2018 19:25

What happens if we have an employee who leaves under a cloud or is simply dismissed for gross misconduct (or criminality)? Does this mean he can request that we delete his personnel record? If so, how do we prevent him from rejoining the company after, say, 10 years, when there is no one still in HR from the time he was there?

Thanks (0)