The GDPR has been in effect since 2018, and most organisations have implemented comprehensive data protection programmes to manage personal data processing. However, questions still arise about how to apply the GDPR to historic records, specifically whether the GDPR applies to personal data collected before 2018.
It is important to understand that the GDPR applies equally to historic and current records, regardless of when the personal data was originally collected. This means that you must implement the requirements of the legislation in full and for all data you hold, no matter when it was collected.
In this blog we give a quick overview of how to understand the data you have, update your retention policies, and review your data against retention periods.
For further information about the GDPR and personal data, please refer to our previous blogs:
Knowing your data landscape is a crucial step in ensuring GDPR compliance, and a data mapping exercise is essential for this process.
Companies often have old repositories of data, especially in deprecated systems that have been phased out or replaced. These systems might contain data that was previously overlooked. Common examples of this include:
Once you understand the data you have, check your current data retention schedules and policies. Make sure these are up to date and reflect the requirements of the GDPR and your organisation’s specific needs.
Refer to our blog Data retention and the GDPR: Best practices for compliance for further information and tips for implementing an effective data retention strategy.
If any data is no longer needed for the purpose it was originally collected, the GDPR requires that it is safely and securely destroyed. This helps minimise the risk of holding unnecessary data.
For data that falls within the current retention periods and is still required, you can also evaluate whether it needs to be stored in its current format. For example, consider if it would be more efficient to convert physical records to digital formats. Storing data in the most appropriate format can improve accessibility, security, and support compliance with data protection regulations.
The GDPR applies to all personal data of UK and EU residents, irrespective of the date it was originally collected. To ensure compliance, thoroughly understand your data by mapping and locating all processed personal information, even from outdated systems. Next, check your data retention schedule and policies, updating where necessary. Finally, review your data against retention periods, and securely delete any data that is not necessary.
The key to effective data management is to understand your organisation’s purpose for collecting data and align this with the GDPR principles of data minimisation, storage limitation and accuracy.
If your organisation would benefit from additional support with any aspect of GDPR compliance, please contact us.