Under the existing Data Protection Directive – which will be replaced by the General Data Protection Regulation (GDPR) on May 25 – companies and organisations are not authorized to retain or continue processing personal data for longer than is necessary. The same will be true when the GDPR comes into force. Furthermore, Data controllers must document time limits on how long personal data will be retained and schedule periodic reviews to check whether personal data can still be retained or else deleted.
Even though the basic requirements for data retention are not changing, the documentation and accountability requirement under GDPR means that the retention policy of organisations and companies needs to be documented. To comply with the GDPR, it makes sense for organisations and companies to audit the data they hold, document a data retention policy taking into account their statutory requirements and regularly review their processing and personal data held in line with their retention policy. The GDPR brings a requirement to demonstrate extra accountability so the organisation or company must be able to demonstrate compliance.
Why does this make sense?
This makes sense as it’s a legal requirement under GDPR the Storage limitation principle is detailed in Article 5 states:
“1. Personal data shall be:
…(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)”
Storage limitation therefore is one key GDPR requirement around personal data detailed in the Article 5 of the GDPR. Other principles are detailed in Article 5, and in summary are, lawful fair and transparent processing, purpose limitation, data minimisation, data accuracy, keeping data safe and secure. The Controller needs to be able to demonstrate compliance with these.
Subject Access Requests
As was the case under the prior directive, once the GDPR is in place individuals will be able to request copies of all the personal data related to them that is processed by an organization. This is known as a subject access request (SAR). In turn, organisations are legally obliged to respond to each request within one month. The GDPR also institutes an individual’s “right to be forgotten” – to have their data deleted from a group’s systems, this is not an absolute right as organisations may have statutory obligations or other exceptions to retain certain types of personal data.
Where companies have not audited their data and do not have systems in place to allow efficient searching, it may take an enormous amount of time to find the data and respond to every request. This will mean employees are not performing their other tasks, which would be very inefficient and costly for the group. Auditing, cataloging, and categorizing data will help companies to quickly find data should it be needed, either for their own processing purposes or to fulfill SARs and deletion requests. Periodic reviews of data and regular deletions will ensure data retention and management is streamlined. The less data that is held, the less time it takes to process SARs, and the lower the costs of retaining and sifting through data.
How long data should be kept?
There are statutory requirements around personal data retention and these should be a starting point in the structuring of a retention policy. Industry standards may also assist in creating a retention period for certain categories of personal data, and it would be valuable to construct such a policy by engaging and perhaps challenging company leads in various departments. In summary, personal data should only be processed for as long as is necessary for processing, in accordance with the original purpose for which the data was collected and as long as there is a legal basis for the processing . For instance, data should no longer be processed if a contract has ended, or if an individual has withdrawn consent or where there is no other legal basis or justification to retain the data. Exceptions may include where employment laws allow for certain data to be retained by an employer or data needed for the execution of public services.
Companies and organisations should bear in mind the other principles detailed in the Article 5, of lawful fair and transparent processing, purpose limitation, data minimisation, accuracy and keeping data safe and secure. For example, data minimisation would mean even where the company or organisation has a legal basis to retain personal data they should only retain what is necessary.
Often companies and organisations may have a ‘keep everything, just in case we need it later’ it’s this mindset that the GDPR challenges with the data subject rights as central.
Data Retention Policies are Compulsory
Having and adhering to a data retention policy is a legal requirement under GDPR and it must be a policy that is part of an ongoing operational review with departments of companies and organisations. The best data retention policies would be those created taking account of the statutory requirements for data retention,having the Data subject as central to the data retention policy and those retention policies which are adhered to by all departments of the company or organisation. Companies and Organisations should prepare for the GDPR by closely examining the data they are processing, reviewing and documenting their retention periods, and deleting data appropriately in line with the retention policy on an ongoing basis.