Under the GDPR (General Data Protection Regulation) an organisation must not keep data for longer than it is needed.
Article 5(1)(e) of the GDPR states:
“1. Personal data shall be:
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)”
Setting data retention periods
There are no specific retention periods set under the GDPR, so it is up to your organisation to establish or identify them. When determining your retention periods, bear in mind that you will need to be able to justify them. Your retention periods should be based on two key factors: the purpose for processing the data, and any legal or regulatory requirements for retaining it.
Data should not be held for longer than is needed and shouldn’t be kept ‘just in case’ you have a need for it in the future. As long as one of your purposes still applies, you can continue to store the data.
Legal and regulatory requirements should also be acknowledged, because you may need to keep hold of data for reasons such as tax and audits, or to comply with defined standards and guidelines. This is not considered to be keeping the information for longer than necessary because it is then being processed for the purpose of meeting your legal obligations.
What to do with data past the retention period
Once you have gone past the data retention period you have two options: delete it or anonymise it.
If you opt to delete the data, you need to ensure all copies have been discarded. To do this, you will need to find out where the data is stored. Is it digital, hard copy or both?
It can be easy to erase hard copy data, but digital data often leaves a trace behind and copies may reside in forgotten corners of your file servers and databases. To comply with the Regulation, you will need to put the data ‘beyond use’. All copies of the data should be removed from live and back-up systems.
If the data is anonymised, however, the Regulation allows it to be kept for as long as an organisation wants. Anonymised means that the information cannot be connected to an identifiable data subject. If the data “could be attributed to a natural person by the use of additional information”, then it is not adequately anonymised.
Under the storage limitation principle (Article 5(1)(e)), personal data can be retained for longer periods without being anonymised if the data is being kept for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
How to stay compliant
To remain compliant with the GDPR and only keep data for as long as necessary, you need to know where all your data is. If you don’t keep track of the information going in and out of your organisation, and where it is while it’s in your organisation, you will not be able to tell when it has passed its retention period, or locate it when it has.
Data flow mapping is a process used to keep track of all the data your organisation holds. Organisations often process much more data than they realise, so it is vital that they create data flow maps to identify the data they hold and where it is moving.
These maps keep track of what data comes into your organisation, where it goes, who has access to it and where it is stored. They also allow you to plan how your data will be used and whether it will be needed in future, which is important when deciding retention periods.
As well as being a useful tool for keeping track of your data, a data flow map can also be used to make data subjects aware of how their data is being used, in line with the GDPR.
Get started with data flow mapping
You can learn more about data flow mapping with our free green paper, Conducting a Data Flow Mapping Exercise Under the GDPR. This green paper will help you understand how to effectively map and keep track of the data in your organisation in order to comply with the Regulation.
Data flow mapping can have its challenges, but you can simplify the whole process by using data flow mapping software.
Vigilant Software’s Data Flow Mapping Tool gives you full visibility over the flow of personal data through your organisation, why it’s being processed, where it’s held and how it’s transferred, allowing you to easily create accurate data flow maps.