The First Mate says to the pirate, “Cap’n, I’ve destroyed all our old crew lists. All records of everyone we made walk the plank have also gone. I threw them all overboard.” The pirate says, “Why on earth would you do that?” “GDP Arrrrr,” the First Mate replies.
GDPR isn’t funny and neither is the joke, but you’re here now!
So…how long should you retain personal data (information which relates to an identified or identifiable natural person) for?
If someone asked you that question about the data you’re responsible for, which would you do?
a) Shrug your shoulders and say, “We already retain everything forever, don’t we?”
b) Say, “I don’t know, but we’re working on a retention policy” (a defined period of time for which information assets are to be kept)?
c) Pull a retention policy out of your policy guidelines and ask which type and category of data they were referring to?
Well done if you chose c) – go take a cruise, just avoid pirate ships! GDPR enforcement is now a reality, and yet managing data retention remains a big challenge for most organisations. Data retention means the period for which records are kept and the point at which they should be destroyed. Under the General Data Protection Regulation (GDPR) it is a key element of the storage limitation principle, which states that personal data must not be kept for longer than is necessary for the purposes for which it is processed.
Why is this important now?
Before the GDPR. Before Facebook. Before Google. A longstanding principle of European data privacy law has been that personal data should be held for “no longer than is necessary”. The GDPR itself does not specify exact retention periods; in fact, there is no single place you can go to that provides them. This is because how long your organisation should hold data depends on your organisation and on the context in which it gathers and uses that data.
It is, therefore, imperative that you understand and document your data retention decisions and the reasoning behind them, so that you can demonstrate compliance if asked.
Some interesting retention periods you may not know
- Maternity medical records – 3 years after the end of the tax year in which the maternity pay period ends (Statutory Maternity Pay (General) Regulations 1986, as amended)
- First aid training – 6 years after employment – Health and Safety (First Aid) Regulations 1981
- Whistleblowing reports and documents linked to an investigation which is partially or wholly substantiated – 6 months following the outcome of the report, or of any remedial action taken because of the report (Public Interest Disclosure Act 1998 (‘PIDA 1998’); Employment Rights Act 1996)
Here are some steps to help you nail down data retention for your organisation:
- Be clear that the requirement to retain data for “no longer than is necessary” applies to personal data. Other data, which is not personal, falls outside the scope of data protection law (the laws and regulations that protect individuals with regard to the processing of their personal data), although other statutory or contractual retention requirements, such as those for financial records, may still apply to it.
- Recognise that you should have a data retention policy, supported by a retention schedule (a catalogue of your organisation’s information assets, each aligned to an appropriate retention period for that asset type) and procedures for staff to implement them, and treat this as a priority.
- Without an active retention policy, in the event of a data security incident or a Subject Access Request (SAR) you will have far more data in scope to deal with: more records to search, more affected individuals to notify, and more to justify holding in the first place. This can have a big impact on costs, risk and negative press for your organisation.
- In practice, a perfectly applied retention policy is almost impossible to achieve. However, a working, evolving retention policy with supporting schedules, procedures and written justifications is a good place to start, and it demonstrates to a regulator that retention is being actively managed rather than ignored.
- Where it is necessary to hold personal data for long periods of time, ensure that your policy stipulates that, wherever possible, it should be anonymised (transformed so that individuals can no longer be identified from it and the process cannot be reversed; anonymised data is no longer personal data and falls outside the scope of the GDPR), pseudonymised, or distilled down to statistical data only. Bear in mind that pseudonymised data is still personal data under the GDPR, so it remains in scope and needs its own retention period. It may, for example, be useful to know how many attendees at your event were disabled, so that you can plan your next venue choice accordingly, but it is not necessary to know exactly which delegates they were.
- When creating your retention policy, schedule and procedures, document a clear justification for keeping each category of data for the length of time that you do, e.g. a specific legal obligation, a limitation period for legal claims, or a documented business need.
The best time to deal with your organisation’s data retention policy was yesterday – the next best time is today.
If you require assistance implementing a retention policy or any of our other data protection services, please contact us for further information on our services or to find out how we can help you improve your compliance with the GDPR.