I was wondering if anybody had any information pertaining to GDPR for HCM and particularly 'The Right to be Forgotten'? We have a customer who has asked this question and not being able to find anything on Google or MoS I thought I would ask here if anybody has any experience with any solutions being applied. My first thought is that a CEMLI would have to be created to solve this?
I would have thought the right to be forgotten doesn't apply to an HCM or Payroll system as the data is required as a legal obligation. The following is from the ICO (Information Commissioner's Office).
The right to erasure does not apply if processing is necessary for one of the following reasons:
• to exercise the right of freedom of expression and information;
• to comply with a legal obligation;
• for the performance of a task carried out in the public interest or in the exercise of official authority;
• for archiving purposes in the public interest, scientific research historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
• for the establishment, exercise or defence of legal claims.
The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:
• if the processing is necessary for public health purposes in the public interest (eg protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
• if the processing is necessary for the purposes of preventative or occupational medicine (eg where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (eg a health professional).