Aug 11, 2020 | Articles, GDPR

Data Retention and the GDPR

Howard Freeman

Howard Freeman

How will you tackle data retention?

Two plus years on from GDPR enforcement, does your housekeeping need a refresh? How long you will keep personal data raises lots of questions. Where to start? How to judge necessity? Have you considered your method of disposal of the data when the retention period ends? How will you tackle data retention and the GDPR?

Many businesses ask us this question every day.

It makes commercial sense to get to grips with retention. Keeping and using data has a cost. It is better to delete it when you no longer need it. ‘Storage limitation’ is also one of the six data protection principles in the GDPR. Therefore, keeping data longer than necessary exposes your business to greater risk.

Whether you are beginning to think about this, have planned a project, or are reviewing what you currently have, we can offer guidance on data retention to support you.

Time limits for data retention
Data retention and the GDPR
How long you will keep personal data raises lots of questions.

Risks in keeping Data

Keeping data for longer than you should could lead to problems if a breach occurred. If you lose data that you had no legal right to retain, the regulator is likely to take a dim view of this and a fine is likely.

Your problems won’t end there. If the data lost, to which you had no right to retain, legal action could result. For example, if the rights and freedoms of those whose data you lost were affected, they are likely to sue, and win.

Reputational damage as a result could also prove costly.

Maintaining Compliance 

Staying compliant is desirable by all business leaders. GDPR is a journey and your compliance must be maintained. When considering a data retention policy to help you maintain your compliance, you need to know where your data is and where you acquired it.

Therefore, a data discovery project is required to help you classify your data. This will help you understand how and where your business acquired the data. Understand this and it is then possible to decide how long you should keep it. A Data Asset Register is critical. Without it, your data retention policy is worthless. You also need to understand how data moves sound your business.

The method of tracking all of the data your organisation holds is known as a data flow map. This sets out how data flows around your business and allows you to identify the data you hold and where it is moving to and from.

Your Data Flow Map allows you to track of what data comes into your organisation You can also record where the data moves to, who has access and how and where it is stored. The latter part will be vital in cloud based environments now that the EU-US Privacy Shield has been invalidated. A data flow map should be used in conjunction with a User Access Policy to determine who has access to the data. This is very important when deciding your retention periods.

If you would like to discuss data retention, data asset registers or anything else we would be happy to help. You can contact us here or book a call here. Alternatively you can call us on 03333 22 1011.


Can we help?