A significant minority of HR departments have confessed to putting their companies at risk of breaching data protection laws, by not properly disposing of candidate and employee personal details.
The survey by CIPHR found a marked discrepancy between the proportion of companies that have full rafts of data protection policies in place and those which are actually enforcing them correctly.
While 87 per cent of the 137 HR professionals polled reported that they had set policies for retaining and deleting employee, leaver and candidate data, only 69 per cent were actually carrying out the mandated deletion.
Claire Williams, head of people and DPO at CIPHR, warned that this is a cause for concern.
She said: “We’re entering a period now where HR professionals need to focus on enforcing the policies they’ve put in place.
“While the majority of organisations have done the necessary work to write policies, create new procedures and train staff, there remains a question over whether data-protection principles have actually been built into the design of the organisation, to ensure they are being adhered to consistently. It is proof of an intrinsic culture of data protection that the Information Commissioner’s Office (ICO) would be looking for during an inspection.”
Nevertheless, 87 per cent of respondents said that they were confident that their HR teams were compliant with the GDPR.
CIPHR’s survey results are echoed by another recent study, this time carried out by Aon.
This found a disturbing lack of awareness about data protection duties among small business owners, more than half of whom were not aware that losing paper files constitutes a data breach just as much as being hacked.