The First Mate says to the pirate, “Cap’n, I’ve destroyed all our old crew lists. All records of everyone we made walk the plank have also gone. I threw them all overboard”. The pirate says ‘Why on earth would you do that?’. ‘GDP Arrrrr” the First Mate replies.
GDPR isn’t funny and neither is the joke, but you’re here now!
So…how long should you retain Information which relates to an identified or identifiable natural person.... for?
If someone asked you that question about the data you’re responsible for, which would you do?
a) Shrug your shoulders and say, “We already retain everything forever, don’t we?”
b) Say, “I don’t know”, but we’re working on a In data protection terms, a defined period of time for which information assets are to be kept.... policy?
c) Pull a retention policy out of your policy guidelines and ask which type and category of data they were referring to?
Well done if you chose c) – go take a cruise, just avoid pirate ships! GDPR enforcement is now a reality and yet managing data retention remains a big challenge for most organisations.
Before the GDPR. Before Facebook. Before Google. A longstanding principle of European data privacy law has been that data should be held for “no longer than is necessary”. The GDPR itself does not specify exact data retention periods, in fact there is no one place you can go to that provides them. This is because the duration your organisation holds data is specific to your organisation and the context in which it gathered/uses that data.
It is, therefore, imperative that you understand and document your activities around data retention, to ensure that you can demonstrate compliance.
The best time to deal with your organisation’s data retention policy was yesterday – the next best time is today.
If you require assistance implementing a retention policy, please contact us for further information on our services or to find out how we can help you improve your compliance with the GDPR.