Back in April, following the publication of the UK Data Protection Index’s fourth report, we wrote a blog about the perils of International Data Transfers and explored why 21% of respondents felt that these transfers were the biggest data protection challenge their organisation was then facing. However, it appears that the tide is turning…
Now, three months later, the latest DP Index report has been published and it appears there is a new kid on the block challenging the status quo. This time around, the panel of over 400 privacy professionals chose data retention as the biggest concern currently facing their organisations, with it gaining 26% of the vote and thus overtaking International Data Transfers which received only 20%. Here, we take a look at why data retention has now taken the top spot.
The challenges of data retention
When talking about data retention, our DPO team is often met with big sighs and furrowed brows. Now, whilst accepting that retention is perhaps not as ‘rock ‘n’ roll’ as other data protection topics, it is a key part of complying with data protection legislation and, in particular, the GDPR’s storage limitation principle, which states that personal data should be stored in an identifiable format for no longer than is necessary to fulfil the purposes for which it was collected.
Creating a retention schedule can be challenging because, unfortunately, there is no one answer to the question of how long it is necessary to store personal data. Different types of personal data, stored within different documents or in different formats, can have wildly varying retention periods. In addition, if that fact did not make it difficult enough, these different retention periods originate from a variety of sources, such as statutes, case law, industry-specific standards, or best practice guidance. This means that finding all of the relevant retention periods for the different types of documents held within an organisation – or where there is no guidance determining what is reasonable – can be a challenging process.
Once a retention schedule has been created, however, the difficulties do not end there. Whilst having a comprehensive retention schedule is great, it means nothing if the procedures are not in place to facilitate the effective adherence to the retention periods contained within it. Although for electronic records it may be possible to automate some of the deletion process, this relies on the systems the personal data is stored on being designed and set up to enable this, which is not always easy if, as highlighted above, different documents have different retention periods.
Without automation, manual disposal of both electronic and hard copy records is both a time-consuming and mind-numbing process. It is easy to see that even with the best of intentions, retention can fall by the wayside when other, more seemingly pressing, matters arise.
The challenges discussed above are not new, which begs the question: why was data retention voted as the biggest challenge facing DPOs’ organisations now? Whilst we don’t have a concrete answer to this question, a few factors may have played a part:
As the previous DP Index results have shown, the number of Data Subject Access Requests (DSARs) that companies receive on average is increasing. In July 2020, DPOs reported that they had received on average 11 DSARs in the previous 30 days. This number was significantly higher in the November 2020 (18.04) and March 2021 (16.07) results.
This increase prompts organisations to take data retention more seriously as searching through databases and collating the personal data held on an individual can often make people realise just how much personal data they have stored away that may well no longer be required. As we all know, DSARs can be extremely time-consuming to fulfil, but the less personal data you store, the easier and less time-consuming DSARs are to deal with. If your organisation needs assistance with an increasing number of Data Subject Access Requests, our DSARs response services can help.
Part of the fallout of the COVID-19 pandemic has been a mass shift to remote working for many, and it seems that this trend is likely to remain. Flexible working is set to become the norm and with fewer people working on-site, many organisations are looking to downsize their office space. In addition to reducing the number of people in offices, reducing the number of hard copy records via digitisation is also likely to play a part in this. Digitisation projects are a great opportunity to do some document housekeeping; after all, there is no point in spending the time and money digitising documents you no longer need.
Whilst there are some explanations as to why concerns over data retention may have increased recently, another reason why it may have taken the top spot this quarter is that concerns over International Data Transfers have lessened in the last few months. Whilst previously there was great uncertainty about what the Schrems II ruling meant for transfers to the US, not only has it now been determined that SCCs with additional safeguards can be used as the mechanism for transfer, the EU Commission has also published new EU SCCs that comply with the case’s ruling and the ICO has stated that UK SCCs will be forthcoming later in 2021.
Furthermore, although the UK’s adequacy decision had not been formally concluded at the time of this quarter’s DP Index survey, there was far more certainty than there had been earlier in the year that the UK would be deemed adequate by the EU Commission, which previously was a big concern for all.
Together, these two significant developments regarding International Data Transfers have provided a significant amount of clarity in this area which previously was lacking, thus allaying a lot of the concerns that many DPOs had. This increased clarity therefore may have paved the way for new concerns – such as data retention – to move to the forefront.
If you would like more information on data retention and how our Data Protection Officers can support you in this regard, do please contact us by completing the form below.