The GDPR and retention
In the third blog in our series on the General Data Protection Regulation (GDPR) we explore the issue of data retention under the GDPR.
Retention is all about IT security, isn’t it?
Not quite. IT security is an important part of the picture, but it is not the whole of it: the GDPR goes further than the Data Protection Act 1998, and retention is a compliance question in its own right. Given that a breach of the GDPR can lead to considerable fines, it is important that your organisation considers how long it keeps personal data, not just how well it protects it.
If I have a lawful basis to process personal data, can I keep it forever?
Very likely not. The GDPR's storage limitation principle requires that personal data be kept in a form which identifies individuals for no longer than is necessary for the purposes for which it is processed.
There is no clear guidance from the ICO as to how "necessary" should be interpreted. Each organisation will therefore need to make a commercial decision about how long it should retain different types of data. That decision should centre on the organisation's need to retain that particular type of data: for example, if there is a regulatory reason why you need to keep a particular category of data for a set period, that is a valid justification for keeping it for that period.
It is unlikely that your organisation will be able to keep data "just in case"; there should be a clear justification for retaining it. For most organisations it will be best practice to document those decisions in a retention policy, which also provides the retention periods that data subjects must be told about. A retention policy of this kind will help your organisation demonstrate compliance with the storage limitation principle.
The GDPR also imposes obligations upon organisations to ensure that any personal data is kept up-to-date and accurate. The longer your organisation retains personal data the more likely that this data will become out-of-date and the bigger the risk that your organisation fails to comply with the GDPR.
Where should I start?
Organisations should consider why they have the data and why they need to retain it. There will need to be a lawful basis for having the data in the first place and for retaining it.
A good starting point is to consider the following:
- the current and future value of the data;
- the lawful basis upon which you hold the data and whether you need to keep the data after that basis has expired;
- if so, which lawful basis you are relying on to keep it;
- the costs, risks and liabilities associated with retaining the information;
- whether there are any legal or regulatory requirements to retain data (e.g. health & safety records or tax records);
- whether there are any industry standards for data retention (e.g. employment records to defend a potential Tribunal claim);
- the security of the retained data (therefore review your IT security systems and policies);
- the ease or difficulty of making sure it remains accurate and up to date and how you will implement this as a procedure;
- how you will securely delete information that is no longer required (i.e. you could consider a data disposal policy).
One of the buzzwords surrounding the GDPR is "pseudonymisation". Where data is retained, organisations should consider whether they could anonymise it or replace some fields with pseudonyms. For example, if you are keeping information for equality and diversity monitoring you can remove the individual's name and keep only the fields you actually need. The distinction matters: truly anonymised data, which can no longer be linked back to an individual by any reasonable means, falls outside the GDPR altogether, whereas pseudonymised data, where the link can be restored using information held separately (such as a key), remains personal data and is still subject to the GDPR, even though the risk to the individual is reduced.
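The following is an added example, not code from the original post or from Royds Withy King, of how a retention schedule and pseudonymisation step might be applied to a set of HR records. The schedule, field names, record categories and sample records are all constructed for illustration and are not legal advice on retention periods. The pseudonymisation uses a keyed HMAC rather than a plain hash, because a bare hash of a name or staff number can be reversed by hashing a list of candidate names; the key is held separately from the data, which is what keeps the result pseudonymous rather than merely obfuscated.

```python
"""Retention schedule + pseudonymisation example (added illustration)."""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed retention schedule (hypothetical periods, not legal advice):
# how long each category is kept after its reference date, and what then happens.
RETENTION_SCHEDULE = {
    "payroll":     {"keep_for": timedelta(days=6 * 365), "then": "delete"},
    "equality":    {"keep_for": timedelta(days=2 * 365), "then": "pseudonymise"},
    "recruitment": {"keep_for": timedelta(days=180),     "then": "delete"},
}

# Direct identifiers that must not remain once a record is pseudonymised.
DIRECT_IDENTIFIERS = ("name", "email", "employee_id")

# Constructed sample data. The key would in practice be generated with
# secrets.token_bytes(32) and stored apart from the records (e.g. by HR).
SAMPLE_KEY = bytes.fromhex("1f" * 32)
SAMPLE_RECORDS = [
    {"employee_id": "E100", "name": "A. Example", "email": "a@example.test",
     "category": "payroll", "reference_date": date(2020, 6, 30), "gross_pay": 31000},
    {"employee_id": "E101", "name": "B. Example", "email": "b@example.test",
     "category": "equality", "reference_date": date(2021, 3, 1),
     "ethnicity": "Prefer not to say", "department": "Finance"},
    {"employee_id": "E102", "name": "C. Example", "email": "c@example.test",
     "category": "recruitment", "reference_date": date(2023, 9, 1), "role": "Analyst"},
    {"employee_id": "E103", "name": "D. Example", "email": "d@example.test",
     "category": "recruitment", "reference_date": date(2023, 1, 15), "role": "Clerk"},
]


def pseudonymise(record, key):
    """Return a copy with direct identifiers replaced by one keyed token.

    HMAC-SHA256 over the staff number with a secret key: without the key the
    token cannot be reversed, but the key holder can re-link it. Because that
    re-linking is possible, the output is still personal data under the GDPR.
    """
    token = hmac.new(key, record["employee_id"].encode(), hashlib.sha256).hexdigest()[:16]
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_token"] = token
    return out


def anonymise(record):
    """Drop identifiers entirely; nothing in the result links back to a person."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def apply_retention(records, schedule, key, today):
    """Sort records into (kept, pseudonymised, deleted_ids) per the schedule."""
    kept, pseudonymised, deleted_ids = [], [], []
    for rec in records:
        rule = schedule[rec["category"]]
        expiry = rec["reference_date"] + rule["keep_for"]
        if today <= expiry:
            kept.append(rec)
        elif rule["then"] == "pseudonymise":
            pseudonymised.append(pseudonymise(rec, key))
        else:
            # In a real system this is where the secure deletion routine runs.
            deleted_ids.append(rec["employee_id"])
    return kept, pseudonymised, deleted_ids


def run_example(today=date(2024, 1, 1)):
    """Run the schedule over the sample records on a fixed date."""
    return apply_retention(SAMPLE_RECORDS, RETENTION_SCHEDULE, SAMPLE_KEY, today)


if __name__ == "__main__":
    kept, pseud, deleted = run_example()
    print(f"kept: {[r['employee_id'] for r in kept]}")
    print(f"pseudonymised: {pseud}")
    print(f"deleted: {deleted}")
```

Running it as of 1 January 2024 keeps the payroll record and the recent recruitment record, pseudonymises the two-year-old equality record (name, e-mail and staff number are gone, a keyed token remains) and flags the older recruitment record for deletion. The same token comes back for the same person under the same key, so HR can still match later returns, while anyone holding only the pseudonymised file cannot identify them.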
Another key consideration is to ensure your staff have received training on the GDPR and the decisions your organisation has made about retention. Remember, your staff will be key to ensuring your business is compliant as they will most likely be handling personal data on a day-to-day basis.
Finally, it is also an opportunity to review your organisation's IT and security systems and policies. In the next blog in our GDPR series we will focus on security and the GDPR.
At Royds Withy King we have a specialist GDPR team on hand to assist with any of your GDPR queries. We can also offer everything from staff training to a GDPR retainer to help your business get GDPR ready; for further detail please visit our GDPR page, where you will find a number of guides.
For more information on the GDPR and how it might affect your business, please contact Kate Benefer on 01865 792 300.