Spring cleaning – when & how to clear out data you no longer need
Clearing out personal data your business no longer needs is a really simple concept, but in practice it can be rather tricky to achieve! It throws up key considerations such as whether to anonymise and how to make sure its deleted or securely destroyed.
Let’s take a look at this in more detail.
Data retention and schedule
Businesses must only keep personal data as long as necessary and only for the purposes they have specified.
To manage this legal obligation successfully, you’ll need to start with an up-to-date data retention policy and schedule.
These should clearly identify which types of personal data your business processes, for what purposes, how long each should typically be kept and under what circumstances you might need to hold it for longer.
If your data retention policy or schedule is lacking, first focus on making sure they are brought up to scratch. If you’d like to find out more, please take a look at DPN’s Data Retention Guidance.
Steps to take when the retention period is reached
These are the 5 key steps when an agreed retention period (as shown on your retention schedule) is reached.
- Identify the relevant records which have reached their retention period
- Notify the relevant business owner to confirm they are no longer needed
- Consider any changes in circumstances which may require longer retention of the data
- Make a decision on what happens to the data
- Document the decision and keep evidence of the action
Making the right decision when the retention period is reached
There are different approaches an organisation can take when the data retention period is reached, such as:
- Delete it – usually the default option
- Anonymise it
- Securely destroy it – for physical records, such as HR files
Deletion of records might seem the obvious choice, and it’s often the best one too.
But take care how you delete data. Sometimes deleting whole records can affect key processes on your systems such as reporting, algorithms and other programs.
Check with your IT colleagues first. In some situations, you may decide it’s better to anonymise the data.
Can and should we anonymise personal data?
Most organisations want to extract increasing information and value from their digital assets. In some situations, it can be helpful to remove any personal identifiers so you can keep the data that remains after the retention period has been reached. For example,
- You might want to continue to provide management information or historical analysis, which you can do an anonymised form. This is quite common
- If you have data of historic marketing campaign responders, you may wish to keep certain non-personal campaign data in an anonymised form for reporting or analytical purposes, such as response volumes by segment, phasing of responses, and so on
- If you hold records of job applicants you may wish to keep certain demographics (such as gender or diversity information) in an anonymised form. This might support your equal opportunities endeavours
To be clear, anonymisation is the process of removing ALL information which could be used to identify a living person, so the data that remains can no longer be attributed back to any unique individuals.
Once these personal identifiers are deleted, data protection laws do not apply to the anonymised information that remains, so you may continue to hold it. But you have to make sure it is truly anonymised.
A word of caution…
The ICO highlights you should be careful when attempting to anonymise information. For the information to be truly anonymised, you must not be able to re-identify individuals
If you could, at any point, use any reasonably available means to re-identify the individuals, the data will not have been effectively anonymised, but will have merely been pseudonymised. This means it should still be treated as personal data.
Whilst pseudonymising data does reduce the risks to data subjects, in the context of retention, it is not sufficient for personal data you longer need to keep.
So the conclusion is simple – make sure you remove ALL personal identifiers so the data is truly anonymised.
How to manage deletion
There are software methods of deleting data, which may involve removing whole records from a dataset or overwriting them. For example, using of zeros and ones to overwrite the personal identifiers in the data.
Once the personal identifiers are overwritten, that data will be rendered unrecoverable, and therefore it’s no longer classed as personal data.
This deletion process should include backup copies of data. Whilst personal data may be instantly deleted from live systems, personal data may still remain within the backup environment, until it is overwritten.
If the backup data cannot be immediately overwritten it must be put ‘beyond use’, i.e. you must make sure the data is not used for any other purpose and is simply held on your systems until it’s replaced, in line with an established schedule.
Examples of where data may be put ‘beyond use’ are:
- When information should have been deleted but has not yet been overwritten
- Where information should have been deleted but it is not possible to delete this information without also deleting other information held in the same batch
The ICO (for example) will be satisfied that information is ‘beyond use’ if the data controller:
- is not able, or will not attempt, to use the personal data to inform any decision about any individual or in a way that affects them;
- does not give any other organisation access to the personal data;
- has in place appropriate technical and organisational security; and
- commits to permanently deleting the information if, or when, this becomes possible.
Destruction of physical records
Destruction is the final action for about 95% of most organisations’ physical records. Physical destruction may include shredding, pulping or burning paper records.
Destruction is likely to be the best course of action for physical records when the organisation no longer needs to keep the data, and when it does not need to hold data in an anonymised format.
Controllers are accountable for the way personal data is processed and consequently, the disposal decision should be documented in a disposal schedule.
Many organisations use other organisations to manage their disposal or destruction of physical records. There are benefits of using third parties, such as reducing in-house storage costs.
Remember, third parties providing this kind of service will be regarded as a data processor, therefore you’ll need to make sure an appropriate contract is in place which includes the usual data protection clauses.
Destruction may be carried out remotely following an agreed process. For instance, a processor might provide regular notifications of batches due to be destroyed in line with documented retention periods.
Don’t forget unstructured data!
Retention periods will also apply to unstructured data which contains personal identifiers. The most common being electronic communications records such emails, instant messages, call recordings and so on.
As you can imagine, unstructured data records present some real challenges. You’ll need to be able to review the records to find any personal data stored there, so it can be deleted in line with your retention schedules, or for an erasure request.
Depending on the size of your organisation, you may need to use specialist software tools to perform content analysis of unstructured data.
Whilst data retention as a concept appears straightforward, it does require some planning. There are situations where it might be best to keep certain data in an anonymised form, removing all personal identifiers, when it reaches its retention period.
And its important you don’t ignore unstructured data or physical data, as these may also contain personal data which needs action when its no longer necessary for you to keep it.
Simon Blanchard, March 2021
If you’d like some help with data retention, any of the specific areas covered above or any other data protection matter, Contact Us to discuss how DPN Associates could help you.
Other useful resources:
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.