Overcoming the challenges of data retention
Clearing out data you no longer need
How long should we keep our data? Sounds simple enough, but a question many businesses struggle with.
The UK GDPR tells us personal data should only be kept ‘as long as necessary for specified purposes’. So if your organisation is found to be storing data for don’t really need now, you could be subject to unwelcome scrutiny.
Perhaps the main risk here is if your business suffers a data breach. It could become far more serious if you couldn’t provide a suitable justification why you were still holding onto unnecessary data which was included in the breach. In effect, it means two violations of the law in one fell swoop! If you have to notify the individuals affected, what would you say?
Tackling the data we’re holding too long
This does require some thought and planning. As a pre-requisite, you’ll need to know what personal data your organisation holds and what purposes it’s being used for.
Creating a data retention policy is straightforward enough, but developing a record retention schedule can be more complex.
Most organisations use personal data for multiple purposes. You need to take account of each specific purpose and identify the appropriate lawful basis for that processing, before you consider an appropriate retention period. An up-to-date Record of Processing Activities can be a real asset here.
Deciding on suitable retention periods
Firstly, check if there’s a law which mandates you how long certain data must be kept. Laws may dictate minimum or maximum retention periods.
For example, in the UK employment law requires data on ex-employees to be kept for at least 6 years after they leave the business. In certain situations the retention period may be longer. For example, let’s imaging you’re a building firm and your employees have come into contact with hazardous substances as part of their job and you carry out health monitoring. The retention period for these records is much longer.
In many scenarios, however, there are no relevant laws which specify how long the data must be help. Examples include marketing, sales & account management records. In these situations organisations need to judge for themselves what an appropriate retention period should be, and be ready to justify their decision. Take a balanced and reasonable approach, based on your reasons for processing that data.
Deciding what period is ‘necessary’
Where there is no statutory requirement, we suggest speak with internal data owners / relevant functions. The following questions should help you reach the appropriate decision on a period you can justify:
a. Are there any industry standards, guidelines or known good-practice guidelines?
b. Does the product lifecycle have an impact on retention?
c. What are the business drivers for retention? Are they justifiable?
d. What evidence is there that the data is needed for the proposed amount of time?
e. Is there potential for litigation if its keep too long (or deleted too soon)?
f. Is it necessary to keep personal data to handle complaints?
Don’t forget your processors service providers
Controllers who use service providers acting as data processors, should make sure they provide clear contractual instructions about their data retention requirements.
Tell them the retention periods you need and give specific actions they should take when a retention period ends. For example, should they delete the data, return it to you or anonymise it? These may be listed in a data schedule, appended to the main contract or agreement.
Data retention can be tackled effectively if you get key stakeholders across the business engaged and involved. Agree retention periods and get started on implementing them.
For more tips, tools and templates…
Why not download DPN’s Data Retention Guide.