GDPR - Goals Data Deletion and Anonymization

When a user leaves a Legal Entity organizational unit (OU) and requests to be forgotten OR that user’s data is outside of the data retention period, goals are impacted in the following ways:

  • Individual Goals - If the user is the Goal Owner, the goal is deleted.
  • Shared Goals - If the user is the Goal Owner of a shared goal, the goal is deleted.
  • Manager Comments - If the user is a manager who has added comments to a subordinate's goal, the manager's core data such as First Name, Last Name, and Email Address are anonymized. That is, the comments remain intact, but any references to the manager are anonymized.

When a data deletion request is made based on time, the goal due date is used to determine when the data is deleted or anonymized. If the goal does not have a due date, then the goal creation date is used.

Considerations for Goals:

  • When a user requests to be forgotten OR that user’s data is outside of the data retention period, and that user has created a Feedback Request, any goals used in that Feedback Request are not deleted, because the Feedback Request uses a snapshot of the goal taken when the request is made. A best practice for administrators is to request the deletion of both Goal and Feedback Requests.
  • When a user requests to be forgotten OR that user’s data is outside of the data retention period and that user has goals within a Goal Rating or Goal Planning section of a Completed or Expired performance review, then those goals are not deleted because the goals reflected in these sections are snapshots of the goals. A best practice for administrators is to request the deletion of both Goal and Performance Review data.
  • If an owner of a shared goal is leaving a legal entity, a best practice is to reassign the shared goal prior to making a data deletion request. This can be done from the Goals Edit page or the Manage Shared and Dynamic Goals page. The owner can reassign the goal in the Managed by section.