The GDPR (General Data Protection Regulation) requires that an organisation does not keep personal data in identifiable form for any longer than is necessary for the purpose it was collected for.
Article 5(1)(e) states:
“Personal data shall be:
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)”
Deciding your Data Retention Policy
The GDPR does not set specific retention periods, so it is up to your business to establish how long data should be kept. When determining your retention periods, bear in mind that you will need to be able to justify them. Your retention periods should be based on two key factors: the purpose for processing the data, and any legal or regulatory requirements for retaining it.
Data should not be held for longer than is needed and should not be kept ‘just in case’ you might need it. Old data is potentially toxic to an organisation: it can still be breached, subpoenaed or mis-used, while no longer serving any purpose you can defend. If you don’t need it, get rid of it. However, as long as one of your purposes still applies, you can continue to store the data.
Legal and regulatory requirements should also be acknowledged, because you may need to keep hold of data for reasons such as tax and audits, or to comply with defined standards and guidelines. This is not considered to be keeping the information for longer than necessary, because the data is then being processed for the purpose of meeting your legal obligations. A good example of this is HR pay records being kept for the period required by HMRC.
What to do with Data once past the Retention Period
Your Data Asset Register can be amended to include a retention date for each asset. This allows the responsible person to track each item and arrange its deletion on or before the required date. Any failure to delete, or any inability to confirm whether copies of the data still exist on back-ups, mail servers or personal computers, should be recorded, and a note added to the risk register.
If you don’t want to delete the data, you can keep it if you anonymise it. However, if there is any possibility that the data can still be linked to an individual, by anyone and using any additional information that is reasonably likely to be available, then the anonymisation has not been carried out properly: the data is at most pseudonymised and is still personal data.
If you go the deletion route, you must also seek out paper copies of the data, which can be slow and ultimately unsuccessful. This is why you need to know in advance where all your data might be. People love to print documents, which is why interviews must be carried out during the discovery phase.
With this in mind, back-ups, email accounts and machines no longer in use should also be examined, and any copies found there permanently deleted.
If you have chosen the anonymisation route, the Regulation allows the data to be kept for as long as you wish, because truly anonymised information is no longer personal data. This means that the information cannot be connected to an identifiable data subject. If the data “could be connected to a natural person by the use of additional information”, then it is not adequately anonymised. A great deal of care should be taken to confirm that the data is genuinely anonymised, and to ask whether it is really needed at all.
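The distinction between pseudonymised and anonymised data is where retention exercises most often go wrong, so here is an added worked example (it is not part of the original article, and the people, emails and postcodes in it are constructed). It shows why replacing an email address with a hash is not anonymisation: anyone holding a list of candidate emails (the “additional information”) hashes them and reads the data back. It then shows what an anonymised release of the same records looks like, using coarse aggregation with small-group suppression; the hypothetical threshold `k` is an assumption chosen for the example, not a figure from the Regulation.

```python
import hashlib
from collections import Counter

# Constructed sample records for illustration only; the people, emails and
# postcodes are invented and stand in for a real data asset.
RECORDS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "age": 34},
    {"email": "bob@example.com",   "postcode": "SW1A 2BB", "age": 38},
    {"email": "carol@example.com", "postcode": "SW1A 0AA", "age": 31},
    {"email": "dave@example.com",  "postcode": "M1 1AE",   "age": 52},
    {"email": "erin@example.com",  "postcode": "M1 2AB",   "age": 57},
    {"email": "frank@example.com", "postcode": "M1 3CD",   "age": 55},
    {"email": "grace@example.com", "postcode": "EH1 1YZ",  "age": 29},
]


def subject_id(email):
    """Unkeyed SHA-256 of the normalised email: the common 'just hash it' move."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()


def pseudonymise(records):
    """Replace the direct identifier with a hash. The hash is still a key that
    refers to exactly one person, so the output is pseudonymised, not anonymous."""
    return [
        {"subject_id": subject_id(r["email"]), "postcode": r["postcode"], "age": r["age"]}
        for r in records
    ]


def reidentify(pseudonymised, candidate_emails):
    """What an adversary (or an ex-employee, or a data broker) does with the
    'additional information' GDPR Recital 26 warns about: hash every email they
    already hold and look the results up. Returns {subject_id: email} for hits."""
    lookup = {subject_id(e): e for e in candidate_emails}
    return {
        r["subject_id"]: lookup[r["subject_id"]]
        for r in pseudonymised
        if r["subject_id"] in lookup
    }


def anonymise(records, k=3):
    """Aggregate into coarse buckets (postcode outward code x age decade) and
    suppress any bucket holding fewer than k people, so no row describes an
    individual and a single known participant cannot be singled out.
    The value of k is an assumption for this example. Returns {(area, age_band): count}."""
    counts = Counter()
    for r in records:
        area = r["postcode"].split()[0]            # "SW1A 1AA" -> "SW1A"
        decade = (r["age"] // 10) * 10
        counts[(area, f"{decade}-{decade + 9}")] += 1
    return {bucket: n for bucket, n in counts.items() if n >= k}


if __name__ == "__main__":
    pseud = pseudonymise(RECORDS)
    # The attacker's list: a marketing export obtained elsewhere, say,
    # plus one address that is not in our data set at all.
    leaked_list = [r["email"] for r in RECORDS] + ["mallory@example.com"]
    hits = reidentify(pseud, leaked_list)
    print(f"pseudonymised rows re-identified: {len(hits)} of {len(pseud)}")
    print("k=3 anonymised release:", anonymise(RECORDS, k=3))
    print("k=1 release singles out one person:", anonymise(RECORDS, k=1))
```

Two practical notes follow from this. Hashing with a secret key (an HMAC) only moves the “additional information” from “anyone who can guess an email address” to “whoever holds the key”; under Article 4(5) that is still pseudonymisation, so the data stays in scope and keeps its retention date. And an aggregated release like the `k=3` table above must also be checked against anything else you have published from the same records, since differences between two releases can reveal the suppressed groups.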
Under the storage limitation principle (Article 5(1)(e)), personal data can be retained for longer periods without being anonymised if it is being kept solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, provided the safeguards required by Article 89(1) are in place.
Maintaining compliance is what every business strives for, but not all remember that GDPR is a journey and, like a car, it must be maintained. When considering data retention as part of ongoing compliance, understanding where your data is matters. Without a data discovery project you will find it impossible to classify your data, and if you do not know how you acquired the data you cannot decide how long you should keep it. A Data Asset Register, with someone in your organisation responsible for its upkeep, will keep track of the information going in and out of your organisation and its location whilst in the business.
The best method of tracking all the data your organisation holds is a data flow map, which sets out how data flows around your business and allows you to identify the data you hold and where it is moving to and from.
These maps keep track of what data comes into your organisation, where it goes, who has access to it and where it is stored. A data flow map should be used in conjunction with an Access Policy to determine who has access to the data. It also allows you to plan how your data will be used and whether it will be needed in future, which is important when deciding your data retention periods.