Those of us who work in privacy should be aware of the risks associated with holding on to personal data for longer than necessary. But for those who don’t, data retention can be a difficult area to manoeuvre. While there are certain situations where there are legal and statutory requirements to guide you, there are also circumstances where they do not exist, and it is left to you as an organisation to set reasonable time limits on the personal data you collect.
The “Storage Limitation” Principle
One of the seven principles within the General Data Protection Regulation (GDPR) is “Storage Limitation”, often referred to as data retention. To abide by this principle, you must know what data is being held and why, and be able to justify how long the data is kept. The only time that personal data can be kept for longer than was originally deemed “necessary” is if it is being kept for one of the following reasons:
- Public interest archiving
- Scientific or historical research
- Statistical purposes
In these cases, the appropriate technical and organisational measures must be taken to safeguard the rights of the data subject. If this cannot be done and there is no lawful basis for keeping the data, then it is being held unnecessarily and should be anonymised or deleted.
Depending on the size of your organisation and the risk associated with your data processing, it may be useful to have a documented retention policy which lists the different categories of personal data you hold. Large organisations tend to process greater amounts of higher risk data and as such would benefit from having a written policy. Conversely, smaller organisations carrying out low-risk processing may not need to have a detailed documented policy. However, both types of organisations must regularly review the data they hold.
Deciding retention periods
Helpfully, some retention periods are already prescribed by laws or regulations. For example, medical records that relate to hazardous materials need to be held for at least 40 years because of the time it can take for illnesses related to exposure to develop. Lawfully, payroll records should be kept for 6 years from the end of the relevant tax year, while financial audit records should be destroyed after 6 years. However, there are a multitude of other types of personal data that do not have established retention periods.
So, how do you define a retention period?
The easiest way to do this is to make sure that the retention period is proportionate to the purpose for retaining the data. A good example of this would be the processing of CVs in a recruitment company. A retention period of 20 years is not logical here, as it is not proportionate to the purpose of assisting someone in finding employment. If you are not retaining the CV because the candidate may be suitable for a future role, or you have already successfully secured a role for the data subject, you will no longer have any use for their CV. A retention period of 1 year after securing employment would be better suited, as it allows for any probation period that may be stated in the employment contract. Continuing to keep the data any longer than this serves no purpose and could land you in trouble.
The benefits of proper data retention
Data storage is not cheap. By keeping and storing personal data that you do not need, you are incurring needless additional costs that could be better spent elsewhere in your organisation. It makes no sense to hold on to data you do not need, pay for its storage and then continue to spend further resources trying to secure it. Additionally, holding records for longer than there is a purpose can result in substantial fines being issued to your organisation.
What can you do to ensure compliance?
- Record keeping – ensure that your Record of Processing Activities (RoPA) is frequently updated. Doing this will mean that you are always aware of what data you are processing, why it is being processed, where it is being kept and how long it has been there. Additionally, when it is time to erase data, having an up-to-date RoPA will make it easier to locate the personal data.
- Policies – having an easily accessible, clear-cut documented policy that all members of your organisation can refer to will ensure that you do not retain data for longer than necessary.
- Review, review, review – make sure to regularly review both the RoPA and the retention policy. The RoPA will likely need updating on a more regular basis, so quarterly reviews would be advisable. At the very least, the retention policy should be reviewed annually.
If you need help understanding how the requirements of the GDPR apply to your organisation, Bridewell Consulting can help. We provide several Data Protection services, including consultancy on one-off projects, Data Protection Maturity Assessments, ISO27701:2019 Implementation and Data Protection Officer as a Service.