How long should we keep different types of personal dataInformation which relates to an identified or identifiable natural person.?
How can we create an effective data retentionData retention refers to the period for which records are kept and when they should be destroyed. Under the General Data Protection Regulation (GDPR), data retention is a key element of the storage limitation principle, which states that personal data must not be kept for longer than necessary for the purposes for which the personal data are processed. policy and schedule?
What role do data controllersEntities (such as an organisation) which determine the purposes and means of the processing of personal data., processors and sub-processors have in data retentionIn data protection terms, a defined period of time for which information assets are to be kept.?
These are some of the most frequently asked questions about data retention and compliance with data protection laws. In this blog, we delve into these questions and provide practical guidance to help you navigate the complexities, from determining the lifespan of different types of personal data to creating an effective data retention policy and schedule.
Data controllers determine the purpose of any personal data processed, and the means of processing. Data processorsThird parties processing personal data on behalf of a data controller. processA series of actions or steps taken in order to achieve a particular end. personal data on behalf of the controller, and then sub-processors are third parties engaged by the processor.
Whether you’re a data controllerAn entity (such as an organisation) which determines the purposes and means of the processing of personal data., processor, or sub-processor, understanding your responsibilities and obligations is essential. It is important to manage data retention in a way that ensures compliance with the General Data Protection RegulationRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). (GDPR) and meets your business needs.
Note: The EU GDPRRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data (General Data Protection Regulation). and the UK GDPRThe UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU. are considered under the same umbrella here, focussing on the common aspects for businesses operating in both or either the EU and the UK. However, there are specific differences and nuances in the legislations that may be applicable to your organisation. For further advice, please speak to your Data Protection Officer (DPO).
The General Data Protection Regulation (GDPR) has set new standards for the way businesses handle personal data, including what type of data is collected and the length of time it is kept.
Implementing a robust data retention policy is crucial, and the GDPR’s principles of Storage LimitationThe fifth GDPR principle which requires organisations to only store data for as long as it is needed., Minimisation, and AccuracyIn data protection terms, the concept of ensuring data is not incorrect or misleading. play a vital role in shaping such a policy.
Storage Limitation: Ensure personal data is not retained beyond the necessary time period
Minimisation: Collect only the minimal amount of data required
Accuracy: Maintain accurate, up-to-date, and reliable information
In other words, the processing of personal data must be adequate, relevant and limited to what is necessary in relation to the specific purposes of the processing. You must only process personal data that is needed for the operations of your business.
NecessityThe purpose of the personal data processing activity must not be able to be achieved by a less intrusive method. is a key factor in an effective data retention timeframe and is determined by your purpose for processing. In other words, your reason for handling and storing personal data will dictate the length of time you keep it.
Storage periods will depend on several elements, such as the industry sector, the type of data processing, and any other regulatory requirements that apply. However, in some circumstances there is a statutory retention. For example, finance records are generally maintained for 7 years (6 years plus current year), in accordance with the Companies Act.
Under the GDPR, the key requirement for data retention is that the chosen duration must be justified, and this decision must be documented.
Note: Government departments and official law enforcement bodies can also request personal data records to be preserved for longer than an organisation’s retention schedule. For example, the UK’s Goddard enquiry (2015) required all children’s social care records to be maintained indefinitely for ongoing investigations, which was approximately 10 years.
A data controller is primarily responsible for determining the data retention timeframe, as they decide the purposes and means of processing personal data.
Data processors and sub-processors are responsible for processing personal data on behalf of the controller. They must follow the controller’s instructions, including abiding by a data retention timeframe, which should be set out in the contract or data processing agreement. Details should also include what will happen to the personal data once the contract is terminated.
If you are the data controller, you must ensure you have a comprehensive data retention policy and schedule in place and communicate this to any data processors or sub-processors you have engaged, such as cloud storage companies or marketing agencies. As a controller, you carry the primary responsibility for complying with data protection laws.
1. The changing regulatory landscape – Between February 2021 and May 2023, there have been 17 additional countries enacting data privacy laws, bringing the total to 162 globally. At least 20 other countries currently have proposed bills, including Nigeria and Pakistan. Although influenced by the GDPR, international laws vary greatly and require expert knowledge to ensure compliance. In addition, there are updates to existing laws. Organisations can struggle to keep up with these changes, especially when processing and storing personal data across multiple jurisdictions.
2. Data subjectAn individual who can be identified or is identifiable from data. awareness – Since the implementation of the GDPR, data subjects are increasingly aware of their rights and more likely to make a data subject access requestA verbal or written request made by a data subject to access their data (in a portable format if requested), be informed about how it is used, to have their data modified if it is incorrect, or to have it deleted. (DSAR). This can place a burden on an organisation’s data retention framework, as it must be equipped to efficiently locate, retrieve and respond to a DSAR, providing the requested data within a strict timeframe.
Read our DSAR FAQs for more information.
3. Data volume – It can be difficult to manage the vast quantities of data that are collected daily from various channels, such as email, social media, websites, and virtual stores. Not to mention paper archive records, which can create a significant challenge for companies to organise.
4. Over-retention – Without specific rules on timeframes, organisations can often keep information for too long. This can increase operational costs for storage, backup and retrieval. There is also the heightened risk of reputational damage if a cyber-attack or breach were to occur, which is a breach of the 5th Principle of the GDPR and can potentially result in regulatory action.
1. The changing regulatory landscape – Keep updated on the latest data protection laws by seeking advice from an experienced Data Protection Officer (DPO) – a dedicated DPO will regularly review and update your data retention policies and schedules and ensure they are compliant with the latest regulations.
Solution – Hire a dedicated Data Protection Officer (DPO)
2. Data volume – To handle increasing volumes of personal data you should implement data minimisationThe third GDPR principle, requiring organisations to only collect the personal data that is truly necessary to fulfill each purpose for data processing. practices and only collect what is absolutely necessary. A practical tip is to conduct a data audit. This involves reviewing the types of personal data your organisation collects and identifying what is needed. For example, an online store collects customer names, addresses and payment information for order fulfilment. However, the store also collects dates of birth and marital status, which, depending on the types of products sold, could be considered excessive and in breach of the GDPR’s data minimisation principle.
Solution – Conduct a data audit and implement data minimisation practices
3. Over-retention – To avoid keeping information for too long, it is important to have a clear data retention schedule for each type of data. Automated tools can be used to manage the schedule and delete or anonymise data that is no longer needed. Employees also need to be made aware of data retention policies and schedules, so they understand what to do with the data.
Solution – Implement a clear data retention schedule
Effective management of personal data can help you to reduce risks and maintain compliance with data protection laws.
Here are some helpful tips for your data retention strategy:
See also the Retention Policy template in our free-to-download GDPR Toolkit
There are several challenges for businesses when it comes to data retention and GDPR compliance. The key is to understand your organisation’s purpose for collecting personal data and align this purpose with the principles of data minimisation, storage limitation and accuracy.
Documentation is essential for GDPR compliance, and a comprehensive data retention policy and schedule are a requirement. However, it is important to remember that effective data management is not just about compliance.
Individuals are more likely to engage with organisations they trust to handle their personal data responsibly. Investing in robust data management practices and having a well-defined data retention schedule is a win-win for both compliance and customer satisfaction.
The DPO Centre has one of the largest teams of Data Protection Officers (DPOs), working with over 800 organisations across the spectrum of industry sectors.
If you need help with your GDPR compliance or you are considering an outsourced data protection solution, please get in touch by completing the form below.
For more news and insights about data protection follow The DPO Centre on LinkedIn
Fill in your details below and we’ll get back to you as soon as possible