Tips for tackling data retention
We know we should only keep personal data for as long we need it, then get rid of it. It’s a core data protection principle and sounds simple, doesn’t it?
Now consider all the kinds of personal data we may hold, such as the data of employees, customers, clients, website visitors, enquiries and so on. Then think about the many different ways we might use this data. These data types and usage affect how long the data should lawfully be kept.
You can’t just apply a blanket retention period for everything (such as 7 years). Some data may only be necessary to keep for a very short period (for example, cookie session data). Other data is needed for much longer (for example, employee and financial records).
It quickly becomes clear you need a sound process to ensure you comply with the data retention requirements under GDPR. So how should you tackle this in practice?
Let us help you
We’ve recently published industry-led guidance on data retention. This useful step-by-step guide helps to understand the topic and gives you helpful tools to tackle it successfully across your organisation. In brief here are the key steps:
1. Understand the risks
Keeping personal data too long, or indeed not keeping it long enough, poses risks. Assess what your risks are, such as security, legal, commercial and reputational.
2. Getting started
Understand the personal data you process and the purposes it’s used for. Do you have all this information? A good place to start is to map your data flows and log your processing activities. It helps to categorise your data in a way that suits your business.
3. Deciding on retention periods
What factors do you need to consider when deciding how long to keep certain types of data? For example, what are the legal requirements on retaining certain data? Where laws don’t define how long you should keep data, you need to make balanced justifiable decisions on what time period would be appropriate.
4. Controllers, processors and sub-processors
Most businesses outsource some of their data processing to suppliers. So what are the roles of each party regarding data retention? As a controller you need to tell your suppliers how long to keep your personal data for and ensure this is covered in your contracts with them.
5. Creating a data retention policy and schedule
The best tip here is to keep it simple, start small and ramp it up as your needs change. Get your colleagues involved so they can help you make decisions. Tell people why this is important and make sure they know the role they play.
6. Action when the retention period is reached
What will you do when you reach the retention period? In most cases you may choose to delete the data, however in some situations you might wish to de-personalise the data. For example when you still need to keep aggregated (non-personal) data.
7. Implementation of data retention periods
Think about the best way to get support from your senior leadership. Make sure you have agreed who makes the final decisions. It’s also important to build in some flexibility, circumstances may change.
The DPN’s Data Retention Guidance was written by data protection specialists from a broad range of sectors and it expands on all of the points above.
It often helps to know how others have approached it. The guide also includes three useful case studies covering a charity, a travel business and a construction and infrastructure business, so you can learn from their experiences.
Simon Blanchard, June 2020
LISTEN IN NOW to get great tools and advice as specialists discuss data retention and minimisation
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.