Back in April, following the publication of the UK Data Protection Index’s fourth report, we wrote a blog about the perils of International Data Transfers and explored why 21% of respondents felt that these transfers were the biggest data protection challenge their organisation was then facing. However, it appears that the tide is turning…
Now, three months later, the latest DP Index report has been published and it appears there is a new kid on the block challenging the status quo. This time around, the panel of over 400 privacy professionals chose data retention as the biggest concern currently facing their organisations, with it gaining 26% of the vote and thus overtaking International Data Transfers, which received only 20%. Here, we take a look at why data retention has now taken the top spot.
The challenges of data retention
When talking about data retention, our DPO team is often met with big sighs and furrowed brows. Now, whilst accepting that retention is perhaps not as ‘rock ‘n’ roll’ as other data protection topics, it is a key part of complying with data protection legislation and, in particular, the GDPR’s storage limitation principle, which states that personal data should be stored in an identifiable format for no longer than is necessary to fulfil the purposes for which it was collected.
Creating a retention schedule can be challenging because, unfortunately, there is no one answer to the question of how long it is necessary to store personal data. Different types of personal data, stored within different documents or in different formats, can have wildly varying retention periods. In addition, if that fact did not make it difficult enough, these different retention periods originate from a variety of sources, such as statutes, case law, industry-specific standards, or best practice guidance. This means that finding all of the relevant retention periods for the different types of documents held within an organisation, or determining what is reasonable where no guidance exists, can be a challenging process.
Once a retention schedule has been created, however, the difficulties do not end there. Whilst having a comprehensive retention schedule is great, it means nothing if the procedures are not in place to facilitate the effective adherence to the retention periods contained within it. Although for electronic records it may be possible to automate some of the deletion process, this relies on the systems the personal data is stored on being designed and set up to enable this, which is not always easy if, as highlighted above, different documents have different retention periods.
Without automation, manual disposal of both electronic and hard copy records is both a time-consuming and mind-numbing process. It is easy to see that, even with the best of intentions, retention can fall by the wayside when other, seemingly more pressing, matters arise.
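To illustrate how the automation mentioned above has to cope with different record types carrying different retention periods, here is an added example (not code from the DP Index report or from our DPO team). It assumes a hypothetical retention schedule keyed by record type, with constructed periods chosen purely for illustration rather than taken from any statute or guidance, and it applies that schedule to a set of constructed records as at a fixed date. Records of a type missing from the schedule, or under a legal hold, are never marked for disposal; they are flagged for review or retained instead.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical retention schedule: record type -> retention period in days,
# counted from each record's trigger date (e.g. end of employment, date of enquiry).
# The periods are constructed for illustration and are not a statement of any
# legal or regulatory requirement.
RETENTION_SCHEDULE = {
    "recruitment_application": 180,
    "customer_enquiry": 365,
    "payroll_record": 6 * 365,
}


@dataclass
class Record:
    record_id: str
    record_type: str
    trigger_date: date        # date from which the retention period runs
    legal_hold: bool = False  # True when the record must be preserved regardless of schedule


@dataclass
class DisposalReport:
    due_for_disposal: list = field(default_factory=list)  # past retention, safe to dispose of
    retained: list = field(default_factory=list)          # still within period or on hold
    needs_review: list = field(default_factory=list)      # no retention period defined


def classify_records(records, today):
    """Apply the retention schedule to each record and sort it into a disposal outcome."""
    report = DisposalReport()
    for rec in records:
        period_days = RETENTION_SCHEDULE.get(rec.record_type)
        if period_days is None:
            # An undefined period must never lead to silent deletion: flag it for the DPO team.
            report.needs_review.append(rec.record_id)
            continue
        if rec.legal_hold:
            report.retained.append(rec.record_id)
            continue
        expiry = rec.trigger_date + timedelta(days=period_days)
        if today >= expiry:
            report.due_for_disposal.append(rec.record_id)
        else:
            report.retained.append(rec.record_id)
    return report


# Constructed sample records covering the cases the schedule has to handle.
SAMPLE_RECORDS = [
    Record("R1", "recruitment_application", date(2020, 12, 1)),                # period expired
    Record("R2", "recruitment_application", date(2021, 3, 1)),                 # still within period
    Record("R3", "payroll_record", date(2014, 1, 1)),                          # period expired
    Record("R4", "payroll_record", date(2014, 1, 1), legal_hold=True),         # expired but on hold
    Record("R5", "customer_enquiry", date(2020, 7, 1)),                        # expires exactly today
    Record("R6", "board_minutes", date(2019, 1, 1)),                           # type not in schedule
]


def sample_report(today=date(2021, 7, 1)):
    """Run the classification over the constructed records as at a fixed date."""
    return classify_records(SAMPLE_RECORDS, today)


if __name__ == "__main__":
    report = sample_report()
    print("Due for disposal:", report.due_for_disposal)
    print("Retained:", report.retained)
    print("Needs review:", report.needs_review)
```

The design choice worth noting is the three-way outcome: a deletion job that only knows "expired" or "not expired" will either delete records whose retention period nobody has yet decided, or quietly keep them forever. Surfacing those as a separate review list is what keeps the schedule honest over time.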
Why now?
The challenges discussed above are not new, which raises the question: why was data retention voted as the biggest challenge facing DPOs’ organisations now? Whilst we don’t have a concrete answer to this question, a few factors may have played a part:
As the previous DP Index results have shown, the number of Data Subject Access Requests (DSARs) that companies receive on average is increasing. In July 2020, DPOs reported that they had received on average 11 DSARs in the previous 30 days. This number was significantly higher in the November 2020 (18.04) and March 2021 (16.07) results.
This increase prompts organisations to take data retention more seriously as searching through databases and collating the personal data held on an individual can often make people realise just how much personal data they have stored away that may well no longer be required. As we all know, DSARs can be extremely time-consuming to fulfil, but the less personal data you store, the easier and less time-consuming DSARs are to deal with. If your organisation needs assistance with an increasing number of Data Subject Access Requests, our DSARs response services can help.
Part of the fallout of the COVID-19 pandemic has been a mass shift to remote working for many, and it seems that this trend is likely to remain. Flexible working is set to become the norm and, with fewer people working on-site, many organisations are looking to downsize their office space. In addition to reducing the number of people in offices, reducing the number of hard copy records via digitisation is also likely to play a part in this. Digitisation projects are a great opportunity to do some document housekeeping; after all, there is no point in spending the time and money digitising documents you no longer need.
Whilst there are some explanations as to why concerns over data retention may have increased recently, another reason why it may have taken the top spot this quarter is that concerns over International Data Transfers have lessened in the last few months. Whilst previously there was great uncertainty about what the Schrems II ruling meant for transfers to the US, not only has it now been determined that SCCs with additional safeguards can be used as the mechanism for transfer, the EU Commission has also published new EU SCCs that comply with the case’s ruling and the ICO has stated that UK SCCs will be forthcoming later in 2021.
Furthermore, although the UK’s adequacy decision had not been formally concluded at the time of this quarter’s DP Index survey, there was far more certainty than there had been earlier in the year that the UK would be deemed adequate by the EU Commission, which previously was a big concern for all.
Together, these two significant developments regarding International Data Transfers have brought much-needed clarity to an area that previously lacked it, thus allaying many of the concerns that DPOs had. This increased clarity may therefore have paved the way for new concerns, such as data retention, to move to the forefront.
If you would like more information on data retention and how our Data Protection Officers can support you in this regard, do please contact us by completing the form below.