The EU General Data Protection Regulation (GDPR) ushered in stricter requirements on how long personal data can be kept. Organisations need to be more considered and disciplined in how they retain individuals' personal data. This quick guide is designed to help you understand the retention principles.
What does the GDPR say about retaining personal data?
The emphasis under the GDPR is data minimisation, both in terms of the volume of data stored on individuals and how long it’s retained.
To summarise the legal requirements, Article 5(1)(e) of the GDPR (the "storage limitation" principle) states that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods in limited circumstances, namely where it is processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the safeguards required by Article 89(1).
Recital 39 of the GDPR states that the period for which the personal data is stored should be limited to a strict minimum and that time limits should be established by the data controller for deletion of the records (referred to as erasure in the GDPR) or for a periodic review.
Organisations must therefore ensure personal data is securely disposed of when it is no longer needed. This reduces the risk that it will become inaccurate, out of date or irrelevant, and it limits what can be exposed if systems holding the data are breached: data you no longer hold cannot be lost.
10 POINT GDPR DATA RETENTION CHECKLIST
1. Be transparent about data storage
Ensure you inform individuals that their personal data records may be stored in different locations and on different media, depending on operational benefits and efficiency. Put steps in place to ensure all personal data records, including copies or duplicates, are always properly managed.
2. Different types of data will have different retention periods
How long different categories of personal data should be retained for will vary based on your business needs. Decide on the appropriate retention requirements for different types of records for your business, based upon the following considerations:
a. what the data/information is used for
b. legal or regulatory requirements
c. agreed industry practices (where relevant)
d. the ease or difficulty of making sure it remains accurate and up to date
e. the current and future value of the information
f. the costs, risks and liabilities associated with retaining the information
3. Data retention schedule
Develop a data retention schedule which states how long each type of data will be retained for and the reasons why you have deemed that timescale to be appropriate. Give examples of why personal data is retained that demonstrate what you have taken into consideration (e.g. the buying cycle for products or the giving cycle for donations).
4. Some records will be permanently stored
The majority of records will be archived or destroyed at the appropriate time, as scheduled. However, a small proportion of records and artefacts deemed to be of permanent legal or historical significance will need to be preserved. Consider whether your organisation holds such personal data and ensure that it is identified in your Data Retention Schedule as referred to above.
5. Upon expiry of the retention period
Records which are out of date, inadequate or unnecessary can be misleading and lead to mistakes. It is therefore essential that data is archived or deleted according to your Data Retention Schedule. These activities should be carried out promptly and efficiently, and should cover copies and backups as well as the primary record.
6. Can any data be retained?
After the applicable retention period has expired, data does not necessarily have to be completely erased; it may be sufficient in specific circumstances to anonymise the data, for example by erasing unique identifiers or erasing single pieces of information that identify individuals. Consider whether you have business needs to do this. Be aware that removing direct identifiers alone often only pseudonymises the data: if an individual can still be singled out by means reasonably likely to be used (for example from a combination of postcode, date of birth and order history), the data remains personal data under the GDPR (Recital 26) and the retention rules continue to apply to it.
7. Special Categories of Personal Data
Handle personal data defined as "Special Categories of Data" under Article 9 of the GDPR with extra care. This includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data processed to uniquely identify a person, data concerning health, or data concerning an individual's sex life or sexual orientation.
Where these types of personal data are collected or received and stored, ensure they are only processed in accordance with GDPR requirements for such data and only retained for as long as is necessary. After they have served the purpose for which they were collected they should be securely destroyed at the earliest opportunity.
8. Who is responsible?
Accountability for compliance with the GDPR's retention requirements rests with your organisation as data controller. Day-to-day ownership is usually assigned to the Data Protection Officer [or another designated senior staff member], whose responsibilities include drawing up guidance on good records management practice and procedures, promoting compliance, and maintaining the master Data Retention Schedule.
9. Awareness, accessibility and training
Tell people about it! – Share your data retention policy internally
The Data Protection Officer [or other designated person] and, in turn, department managers/function heads (or people nominated by them) should share the relevant policy, procedures, retention schedules and advice with other employees.
Department / function managers and team leaders should ensure that their staff are adequately trained and are made aware of the key principles of the data retention and other related policies. Keep a record of which staff members are trained and when. As part of the training ensure employees have an understanding that they are bound by the terms of the policies and that there could be consequences of violating the policies including disciplinary action, up to and including termination of employment.
10. Take action and record the action taken
Ensure responsibility is taken for actioning decisions to dispose of, anonymise or continue to retain personal data. Document each decision alongside confirmation that the personal data records, including any copies, backups and duplicates identified under point 1, have been destroyed confidentially and completely, so that you can demonstrate what was held, what was done with it and when.
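The schedule, expiry handling, anonymisation step and audit record described in points 3, 5, 6 and 10 above, worked through as a small retention job. This is an added illustration, not code from the Data Protection Network or its guidance; the record categories, retention periods, identifier list and sample records are constructed assumptions, and the periods are not a statement of what any law requires.

```python
"""Schedule-driven retention job (illustrative; assumptions are marked)."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import json

# Assumed retention schedule: category -> retention period in days and the
# action on expiry. "permanent" records are never disposed of (point 4);
# an unknown category falls back to "review" rather than automatic disposal.
SCHEDULE = {
    "newsletter_subscriber": {"days": 730, "action": "delete"},
    "customer_order": {"days": 6 * 365, "action": "anonymise"},  # assumed period
    "founding_deed": {"days": None, "action": "permanent"},
    "health_declaration": {"days": 90, "action": "delete"},  # special category
}

# Assumed list of direct identifiers stripped during anonymisation.
DIRECT_IDENTIFIERS = {"name", "email", "phone", "customer_id"}


@dataclass
class Record:
    record_id: str      # internal reference, kept in the audit log
    category: str
    last_used: date     # last date the record was needed for its purpose
    fields: dict


def anonymise(fields: dict) -> dict:
    """Remove direct identifiers. The result may still contain quasi-identifiers
    (postcode, date of birth, ...), so it must be assessed before it is treated
    as anonymous rather than merely pseudonymised (Recital 26)."""
    return {k: v for k, v in fields.items() if k not in DIRECT_IDENTIFIERS}


def decide(record: Record, today: date) -> str:
    """Return the scheduled action for a record on a given date."""
    rule = SCHEDULE.get(record.category)
    if rule is None:
        return "review"          # not on the schedule: escalate, never auto-dispose
    if rule["action"] == "permanent":
        return "retain"
    expiry = record.last_used + timedelta(days=rule["days"])
    return "retain" if today < expiry else rule["action"]


def run_retention(records: list, today: date, audit_log: list) -> list:
    """Apply the schedule; return surviving records and append one audit entry
    per record so the action taken can be evidenced later (point 10)."""
    kept = []
    for rec in records:
        action = decide(rec, today)
        payload = json.dumps(rec.fields, sort_keys=True, default=str).encode()
        audit_log.append({
            "date": today.isoformat(),
            "record_id": rec.record_id,
            "category": rec.category,
            "action": action,
            # A hash of the pre-action payload evidences what existed without
            # retaining the personal data itself in the log.
            "payload_sha256": hashlib.sha256(payload).hexdigest(),
        })
        if action == "delete":
            continue                     # record is dropped
        if action == "anonymise":
            rec = Record(rec.record_id, rec.category, rec.last_used,
                         anonymise(rec.fields))
        kept.append(rec)                 # retain, review, anonymised copy
    return kept


def sample_records() -> list:
    """Constructed sample data, not real individuals."""
    return [
        Record("r1", "newsletter_subscriber", date(2021, 6, 1),
               {"name": "A. Example", "email": "a@example.test"}),
        Record("r2", "customer_order", date(2015, 1, 1),
               {"name": "B. Example", "email": "b@example.test",
                "customer_id": "C-42", "order_total": 19.99, "postcode": "AB1"}),
        Record("r3", "founding_deed", date(1990, 1, 1), {"name": "Founder"}),
        Record("r4", "health_declaration", date(2024, 1, 15),
               {"name": "D. Example", "condition": "none"}),
        Record("r5", "unknown_export", date(2010, 1, 1), {"email": "e@example.test"}),
    ]


def demo(today: date = date(2024, 3, 1)):
    """Run the job over the sample data and return (kept records, audit log)."""
    audit_log = []
    kept = run_retention(sample_records(), today, audit_log)
    return kept, audit_log


if __name__ == "__main__":
    kept, log = demo()
    for entry in log:
        print(entry["record_id"], entry["category"], "->", entry["action"])
```

Two design points are worth noting. Anything not on the schedule goes to "review" rather than being deleted or kept silently, which is the periodic review alternative Recital 39 allows and avoids an unclassified record escaping the schedule. And the audit entry records a hash of the payload rather than the payload itself, so the evidence that a record was destroyed does not itself become a copy of the personal data you were trying to dispose of.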
For more tools and a practical step-by-step framework see our Data Retention Guidance published June 2020
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.