In our recent GDPR at 2 webinar hosted by Data Protection World Forum, we asked the attendees to fill in a poll to identify what they felt were their main data protection challenges over the next 12 months. The key themes identified were demonstrating accountability and, to our surprise, data retention. It shocked us further that more participants highlighted data retention as a greater risk to their compliance programme than that posed by Covid-19 or Brexit! This was especially prevalent among those attending from the FinTech, Education and Medical industries, who highlighted it as their primary concern. We at the DPO Centre have looked at why this might be the case.
Never a better time for a spring clean
A casual flick through social media will show that the Covid-19 pandemic has led a number of people to change their outlook on their home life and business. We have all found time to do those jobs we’ve always put off (e.g. painting the living room, power-washing the patio, clearing out the shed etc.). Could it be that these thoughts are transitioning into the business world? Are Senior Management, IT Teams and Data Protection Officers (DPOs) now warming to the idea that this challenge within their business should finally be addressed?
The move to remote working
The ‘new normal’ has demonstrated that employees do not need to be chained to their desks, and working from home has in some cases seen increased productivity and wellbeing. Google, Mastercard and many others have indicated that they see their employees working from home for the foreseeable future and, at Twitter, indefinitely. Again, looking at social media you will have seen several people boasting about the time and money they have saved by avoiding their daily commute. Business leaders could be looking at downscaling from their large city centre offices, saving money and promoting increased remote or home working. One question arising from this is “what will happen with all those boxes stored in the basement?” Archiving and digitisation transformation projects drive the importance of a comprehensive data retention regime, as the business will only want to incur the costs of digitising, scanning or storing whatever data is absolutely necessary.
The problem is getting infinitely worse, are we at breaking point?
Data Controllers correctly place a lot of emphasis on the collection of the data, i.e. making sure it is lawful, establishing valid consent, ensuring it is accessible to those who need it etc. However, the management of data once it has entered line of business applications or filing systems can often be neglected. If never addressed, the problem continually grows, i.e. it is easier to buy more server storage, ship more boxes off to archive or buy more filing cabinets etc. than to address the problem. As the pandemic bites, businesses may be looking at the reduction of non-essential costs. Could this be a targeted saving point?
Data Protection Officers biting back!
Compliance programmes are maturing. Businesses should have developed, or be well in the process of developing, their Register of Processing Activity, Information Asset Registers or similar. As part of the creation of these, DPOs and departmental leaders will have worked in collaboration to define the legal basis for processing, establish retention periods, appraise security etc. DPOs need to scrutinise the work of departments with regular audits, to ensure they are complying with the standards they have set. Often a short-term view will be taken, with some employees either unhelpfully feeling that data deletion will be someone else’s problem in the future or having inadequate resources within their team to address the problem. Alternatively, a more cautious approach is taken, with their ‘inner hoarder’ wanting to keep data “just in case…”. No doubt, DPOs will be able to recall the number of difficult conversations they have had with their business leaders, such as HR Directors, who want to keep copies of employee verbal warnings for years “just in case”. Such decisions would be an obvious contravention of the storage limitation principle and the expectations of data subjects. Are DPOs now feeling this tension and seeking to fight back?
Savvier Data Subjects
Data Controllers are now receiving increased numbers of requests from data subjects seeking to enforce their rights under the law. The ‘right to erasure’ is often badged with the more exciting-sounding ‘right to be forgotten’, which received greater publicity when the GDPR came into force, resulting in the number of such requests growing. Requests will be granted where the personal data is no longer necessary, such as when the retention period has expired. Data subjects are becoming more informed and will know when this is the case. Poor data retention schemes mean that Data Controllers are open to criticism for complying with such requests reactively rather than managing data retention proactively in the first instance.
The effect of Gaughran v. UK
In February 2020, Mr Gaughran successfully challenged the Police Service of Northern Ireland’s continued retention of his personal data following his drink drive conviction being spent in 2013. His DNA sample was destroyed in 2015, but his digital DNA profile, his fingerprints and photograph were retained. The European Court of Human Rights held unanimously that there had been a violation of Article 8 (right to respect for private and family life) of the European Convention on Human Rights. Whilst the extent of data retention was not the decisive factor, the Court felt that the failure to consider the seriousness of the crime, the failure to establish the need to retain data indefinitely and the absence of a review process all led to a failure to strike a fair balance between the competing public and private interests. If this was in doubt previously, the ruling places a greater emphasis on the need for Data Controllers to demonstrate they have appropriately considered the necessity of their datasets and how long they need to keep them for. Failure to do so could result in costly litigation and unwelcome regulatory action.
Conclusions
Whilst there may not be an obvious front and centre reason for the current concerns raised by those attending the webinar, it is felt that a number of differing factors may have resulted in this view being formed. The unique situation we are presently in has allowed DPOs and other employees to revisit their action plans and objectives for the current year. Similarly, other employees may not be performing their normal ‘everyday’ duties as they would have done pre-pandemic. As in their home life, maybe employees are now feeling that now is the time to do the jobs they have previously put off (e.g. data deletion, cleansing, organising etc.) and as DPOs we feel that this could be too good an opportunity to miss!