Under the General Data Protection Regulation (GDPR), organisations must create a data retention policy to help them manage the way they handle personal information.
If you keep sensitive data for too long – even if it’s being held securely and not being misused – you may still be violating the Regulation’s requirements.
That might sound overly strict, but there’s a good reason for it. In this blog, we explain why that’s the case, how data retention policies work and how you can create one in line with the GDPR’s requirements.
What is a data retention policy?
A data retention policy is a set of guidelines that helps organisations keep track of how long information must be kept and how to dispose of the information when it’s no longer needed.
The policy should also outline the purpose for processing the personal data. This ensures that you have documented proof that justifies your data retention periods.
Aims and objectives
If you cast your mind back to the panic that preceded the GDPR taking effect, you’ll have a perfectly good understanding about why data retention periods are essential.
Organisations that hadn’t interacted with us in years came out of the woodwork to ask for our consent to keep hold of our data.
It showed just often our records sit on organisation’s databases long after we’ve finished using their services.
The organisation doesn’t want to get rid of the information, because it costs practically nothing to store customer details, but keeping it unnecessarily exposes it to security threats.
It only takes one piece of bad luck for an organisation’s systems to be breached, whether it’s a cyber attack or an internal error.
So, to limit the damage that data breaches can cause, regulators mandated that EU-based organisations must retain personal data only if there’s a legitimate reason for keeping it.
How long can personal data be stored?
Despite the apparent strictness of the GDPR’s data retention periods, there are no rules on how long personal data should be kept for.
Organisations can instead set their own deadlines based on whatever grounds they see fit. The only requirement is that the organisation must document and justify why it has set the timeframe it has.
The decision should be based on two key factors: the purpose for processing the data, and any legal or regulatory requirements for retaining it.
Data should not be held for longer than is needed and shouldn’t be kept ‘just in case’ you have a need for it in the future.
As long as one of your purposes still applies, you can continue to store the data.
You should also consider your legal and regulatory requirements to hold on to the data. For example, when the data is subject to tax and audits, or to comply with defined standards, there will be data retention guidelines you must follow.
You can plan how your data will be used and if it will be needed for future use by creating a data flow map.
This process is also helpful when it comes to locating data and removing it once your retention period expires.
There are two ways you can avoid data retention deadlines. The first is by anonymising data; this means that the information cannot be connected to an identifiable data subject.
If your data is anonymised, the GDPR allows you to keep it for as long as you want.
You should be careful about when you do this, however, because if the information can be used alongside other information the organisation holds to clearly identify an individual, then it is not adequately anonymised.
You can also circumvent data retention deadlines if the information is being kept for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
What to do with data past the retention period
You have two options when the deadline for data retention expires: delete it or anonymise it.
If you opt to delete the data, you must ensure all copies have been discarded. In order to do this, you will need find out where the data is stored. Is it a digital file, hard copy or both?
It’s easy to erase hard copy data, but digital data often leaves a trace and copies may reside in forgotten file servers and databases.
To comply with the GDPR, you will need to put the data ‘beyond use’. All copies of the data should be removed from live and back-up systems.
How to create a data retention policy
Your data retention policy should be part of your overall information security documentation process.
The first step is to gain a full picture of exactly what data you’re processing, what it’s being used for and which regulations are applicable to your business.
These regulations include, but aren’t necessarily limited to, the GDPR. For example, if you process individuals’ debit or credit card information, you may be subject to the PCI DSS (Payment Card Industry Data Security Standard).
Similarly, if you intend to comply with ISO 27001, the international standard that describes best practice for information security, you must take note of its requirements.
These compliance requirements will dictate what information must be included in your policy and the rules it should follow.
A simple data retention policy will address:
- The types of information covered in the policy
Different types of information will be subject to different rules, so you must keep a record of what data you are processing – whether that’s names, addresses, contact details, financial records and so on.
- How long you are entitled to keep information
Clients are sometimes surprised when we tell them that GDPR does not set out specific time limits for data to be held. The length of time you hold particular data for is a subjective decision for you to make based on your reasons for processing the data.
- What you should do with data when it’s no longer needed
Regular deletion of unnecessary data also reduces the amount of data you need to sift through to comply with subject access requests. It also reduces costs of storage and document management.
Going through your data retention policy on a regular basis gives you the opportunity to clean house and remove duplicated and outdated files to avoid confusion and expedite any necessary searches.
Try our data retention policy template
Creating a data retention policy can seem like a daunting task, but with our GDPR Toolkit, the process is made simple.
It contains everything you need to comply with the Regulation, including a GDPR data retention policy template that UK organisations can use to formalise your approach to compliance while saving time and money.
This toolkit also contains:
- A Gap Analysis Tool that you can use to measure your overall compliance practices;
- Guidance on how to complete your documentation requirements, with templates on pseudonymization, minimisation and encryption, to name a few;
- A roles and Responsibilities Matrix to help you understand who oversees certain tasks and function.
A version of this blog was originally published on 12 November 2018.