GDPR and workforce records: the right-to-erasure problem

When a worker requests erasure under GDPR, how do you honour that request without destroying your audit trail? We explain the approach ComplicEdge takes.

The tension

Under Article 17 of the UK GDPR, individuals have the right to request erasure of their personal data — commonly known as the "right to be forgotten." For most systems, this is straightforward: find the records, delete them, confirm completion.

But workforce compliance platforms face a genuine tension. The audit trail — which proves that compliance actions were taken, certificates were verified, and records were maintained — depends on every entry being present and unmodified. Delete a record from the middle of a hash-chained audit log and the chain breaks. The very integrity that makes the audit trail valuable is compromised.

So how do you honour a worker's data rights without undermining the evidence trail their employer is legally required to maintain?

Erasure is not always absolute

The right to erasure is not unconditional. Article 17(3) of the UK GDPR provides exemptions where processing is necessary for:

  • Compliance with a legal obligation
  • The establishment, exercise, or defence of legal claims
  • Archiving purposes in the public interest

For construction and regulated industries, employers often have legal obligations to retain certain workforce records — health and safety training evidence, site induction records, certification histories. These obligations don't disappear because a worker exercises their GDPR rights.

The key is to distinguish between personal identifiers and compliance evidence.

How ComplicEdge handles it: pseudonymisation

ComplicEdge uses cryptographic pseudonymisation to resolve this tension. When an erasure request is processed:

  1. Personal identifiers are removed — names, contact details, and other directly identifying information are irreversibly pseudonymised
  2. Compliance evidence is preserved — the fact that a certificate was held, verified, or expired remains in the audit chain, attributed to a pseudonymous identifier
  3. The audit chain stays intact — no entries are deleted or modified, so hash-chain integrity is maintained
  4. The pseudonymisation is irreversible — the mapping between the pseudonymous ID and the original identity is destroyed, not just hidden

The result: the employer retains the compliance evidence they need for legal and regulatory purposes, while the worker's personal data is no longer identifiable.

Legal hold

There are situations where even pseudonymisation must wait — for example, when records are subject to a legal hold due to ongoing litigation or a regulatory investigation. ComplicEdge supports legal holds at the record level, preventing any modification (including pseudonymisation) until the hold is lifted by an authorised user.

Every legal hold action is itself recorded in the audit chain, creating a clear evidence trail of when holds were applied and removed, and by whom.
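The pseudonymisation and legal-hold flow described above, sketched in Python as an added example (not ComplicEdge's code). The class, method and event names are hypothetical, the hold is tracked per worker rather than per record for brevity, and the identity store is an in-memory dict standing in for a separate datastore.

```python
import hashlib, json, secrets

GENESIS = "0" * 64

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only hash chain; entries carry only a pseudonymous ID (pid)."""
    def __init__(self):
        self.entries = []     # appended to, never edited or deleted
        self.identities = {}  # pid -> personal identifiers, held outside the chain
        self.holds = set()    # pids under legal hold (per-worker here for brevity)

    def _append(self, pid, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"seq": len(self.entries), "pid": pid, "event": event, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})

    def enrol(self, name, email):
        # Random pid: a hash of the name could be recomputed and re-linked later.
        pid = secrets.token_hex(16)
        self.identities[pid] = {"name": name, "email": email}
        self._append(pid, "worker_enrolled")
        return pid

    def record(self, pid, event):
        self._append(pid, event)  # event text must not contain personal data

    def set_hold(self, pid, applied, actor_id):
        (self.holds.add if applied else self.holds.discard)(pid)
        self._append(pid, f"legal_hold_{'applied' if applied else 'lifted'}:{actor_id}")

    def erase(self, pid):
        if pid in self.holds:  # pseudonymisation waits until the hold is lifted
            self._append(pid, "erasure_deferred:legal_hold")
            return False
        self.identities.pop(pid, None)  # destroy the mapping, not the evidence
        self._append(pid, "erasure_completed")
        return True

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            body = {k: e[k] for k in ("seq", "pid", "event", "prev")}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True
```

After `erase()` succeeds, `verify()` still returns `True` and the certificate events remain attributed to the pid, while nothing in the log or the identity store links that pid back to a person.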

The broader principle

GDPR compliance in workforce management isn't about choosing between data rights and legal obligations. It's about designing systems that can satisfy both simultaneously. That requires the right architectural decisions — field-level encryption, cryptographic pseudonymisation, append-only audit logs — made at the platform level, not bolted on as an afterthought.