Data Retention: Tips and Techniques
We know we should only keep personal data for as long as we need it, then destroy it. It sounds simple, so why do so many organisations struggle with it?
GDPR may have come into force three years ago, but organisations have actually now had five years since GDPR was finalised in 2016 to get their house in order. Yet data retention still remains a challenge.
It’s not surprising. The list of personal data we hold can be extensive including the data of employees, customers, clients, website visitors and also perhaps supporters, enquirers and so on. This breadth of personal data may be used in many different ways for a wide variety of purposes.
Data retention is nuanced and complex. We can’t just apply a blanket retention period for everything. It requires a granular, considered and flexible approach. How long we should keep data depends on the purposes we need it for.
Some data may only be necessary for a very short period, for example, cookie session data. This should be deleted as soon as the browsing session expires. But other data is needed for far longer, such as employment records.
Organisations need sound policies and practices in place to govern data retention, to make sure they comply with legal requirements.
It also makes sense from a business perspective; robust data retention means less data to disclose (and explain) in response to a Subject Access Request and less data to worry about (and explain) in the event of a data breach.
So how should you tackle this in practice?
Let us help!
In brief, here are some key steps you can take.
1. Understand the risks
Keeping personal data too long, or indeed not keeping it long enough, could present risks. So first understand what your risks look like – such as legal, security, commercial and reputational risks.
2. Make a positive start
It’s vital to understand the personal data you process and the varied purposes it’s used for. Do you have all this information documented? Many organisations will refer to their Records of Processing Activities (RoPA). But if you don’t currently have accurate and up-to-date records, then it’s wise to map your data flows and create a central log of your processing activities.
3. Deciding on retention periods
When deciding how long to keep certain types of data, bear in mind there are legal retention requirements you need to be aware of in certain situations. Perhaps the most obvious example is the retention of employment data.
Where laws don’t define how long you should keep data, you need to make balanced, justifiable decisions on how long you genuinely need the data and therefore what the retention period should be.
4. Controllers, processors and sub-processors
Most businesses outsource some of their data processing to suppliers (processors). As a controller, you need to tell your processors how long they must keep your personal data and ensure this is covered in contracts with suppliers.
5. Creating a data retention policy and schedule
A data retention policy sets out what you need to do to comply, and the schedule records the specific retention periods.
The best tip here is to try to keep it simple. Get your colleagues involved so they can help make decisions regarding the data they process in their teams. Tell people why this is important and make sure they know the role they play.
6. Actions when the retention period is reached
What will you do when you reach the retention period? First, check to make sure there’s no genuine reason you still need to retain the data for longer, such as a legal hold. If not, then in most cases you may choose to destroy the data.
However, in some situations you might wish to anonymise it. For example, you may choose to keep aggregated (non-personal) data for management information purposes.
7. Implementation of data retention periods
Think about the best way to gain support from your senior leadership team, to make sure you get traction across the organisation. There’s no point updating your retention policy and schedule if everyone ignores it!
Make sure you have agreed who makes the final retention decisions. It’s also important to build in some flexibility, as circumstances may change.