19 July 2018
Posted in Opinion, Technology & media

Should you keep or delete your company’s data in a post-GDPR world?

Posted by , Partner

The length of time for which various types of personal data can be retained is still a big question for many organisations working towards GDPR compliance. With the new Data Protection Act 2018 now in force, it is more important than ever to get retention right and know when to keep and when to delete.

So you may think that everything you need to know is already in the GDPR, but this isn’t actually the case. The Data Protection Act 2018 (DPA) incorporates GDPR into UK law, but it also extends the data protection regime and exercises flexibilities where the GDPR permits discretion for member states to legislate in certain areas.

An example of this is in relation to the processing of special category data – this is personal data which is more sensitive and therefore needs more protection. Examples of special category data include race, ethnic origin, health or sexual orientation. The GDPR states that you should not process special category data unless you have a lawful basis for processing and satisfy a specific condition.

One of the specific conditions which can be used to process special category data is that the processing is necessary in the field of employment, social security and social protection law. An example of where this condition will likely be relied on is where an organisation processes data about an employee’s health. However, the DPA 2018 places explicit additional obligations in these circumstances, which include:

  • the requirement to have a policy which explains the procedures in place to secure compliance when processing personal data – this will usually be in a privacy policy or privacy notice; and
  • the requirement to have a policy to explain why and how long personal data is retained and when it will likely be erased – this will usually be set out in a separate data retention policy.

The requirement to have a privacy policy should come as no surprise – think back to 25 May and the number of emails in your inbox about updates to privacy policies…

However, many organisations still don’t have retention policies in place, and not having one may limit the circumstances in which an organisation can process data.

Retention policy – one size fits all?

Unfortunately, it is not that simple. Any retention policy should set out how an organisation classifies and manages the retention and disposal of the personal data processed. However, the specifics will be different because no organisation processes data in exactly the same way and for the same purposes.

By having a retention policy, your organisation will be complying with many aspects of the GDPR and DPA 2018. For example, the principle of transparency – by having this policy, your organisation is being open, honest and clear about data retention. It is also complying with its obligation to keep data up-to-date and accurate. In the retention policy the procedure for erasing data should be clearly explained. Following a clear procedure will help prevent data becoming out-of-date and inaccurate.

Remember, personal data should only be retained for as long as necessary, as outlined in our previous blog on retention. How long is necessary? That depends on a number of factors such as the type of personal data processed, the culture of the organisation and the industry operated in – there may be some industry-specific laws which dictate how long personal data must be kept for.

As well as meeting legal requirements, a clear retention policy will help your organisation operate efficiently – when data is properly retained, your organisation will not hold unnecessary and irrelevant information.

What should you actually be doing?

We recommend that your organisation:

  • undertakes a review or audit of the type of data collected and why
  • has a written retention policy: there are many different ways of structuring a data retention policy, but at the very least the policy must include who is responsible for the policy, retention lengths, storage and erasure procedures, any special circumstances where data may be retained and who the reader can contact with any questions
  • communicates the policy to staff to ensure they are trained and aware of it – particularly to ensure the policy is followed and so that staff know how to report non-compliance
  • maintains and reviews the retention policy from time to time to ensure it is fit for purpose and to check it is being complied with.


At Royds Withy King, we have a specialist GDPR team who are on hand to assist with any of your GDPR queries. We also offer everything from staff training to a GDPR retainer to help your business get GDPR compliant.
