Data Retention Policies under GDPR

As of this Friday, May 25, the General Data Protection Regulation (GDPR) comes into effect in all European Union (EU) states. Many countries that are not members of the EU have remained unconcerned about the requirements of the GDPR.

However, if your company or organization does business with any clients or employees who are EU citizens, then the GDPR does indeed affect your business. One of the concerns of businesses and organizations that must comply with these regulations is data retention policy.

What is Data Retention?

Data retention involves decisions about what to keep and what to destroy. In their policies, businesses must decide when and in what manner documents will be destroyed, and why and how documents will be retained.

Every enterprise that has dealings with or employs EU citizens, anywhere in the world, must be in compliance with GDPR guidelines. These regulations are not just for EU states. The company’s retention policy must be clear, unambiguous and well thought out, because key decisions will be made based on this document. Thus, it must be well crafted and wide ranging enough to cover all present and future data retention decisions.

How are Decisions about what to Retain Made?

Under the new GDPR legislation, a minimum of data retention is advocated. Article 38 states: “…the period for which the personal data are stored is limited to a strict minimum…In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review…”

This suggests that each company affected by GDPR must rethink how much data is stored and for how long. The emphasis is on storing only what you need and only for the original purpose of its collection: collect only as much data as you need, and store it only as long as it is needed for the described task.

In what Form is Data Retained?

The form of retention is another area the GDPR guidelines are specific about. The data should be retained in a form and manner that does not identify the data subjects, and if it must identify them, it should do so only as long as is required for the stated task.

How long and why is Data Retained?

Article 39 emphasizes minimization of data and storage. Businesses’ Data Controllers need to re-examine the company’s data retention policies with an eye to how long data should be retained. Crucial to this question is why that data is being kept. If it serves no purpose as outlined in its original collection, then there is no viable reason to retain it.

If data is being retained for purposes not part of the reason for its original collection, then the company might well be subject to GDPR-related fines.

Is there ever a Reason to Retain Data?

There are special circumstances in which companies may be justified in retaining data, even if the data subject requests that it not be retained, for instance because the data might become valuable or needed in the future.

Three major reasons for keeping data as outlined by GDPR are:

  1. Public interest, for example matters of health or safety
  2. Scientific or historical research purposes
  3. Statistical purposes

Data Becomes Dated

Not all data has the same shelf life. Different types of personal data have varying retention periods. Its original purpose and how fast the data becomes dated are two considerations in data retention. For example, credit card data requires special security and retention methods, while health records may become dated quickly and may be used for their purpose and then not retained.

Where to Store Personal Data Files

Whether your business stores data in-house or outsources storage space, the security of these files must be a paramount concern. Some hard copies cannot be stored digitally. Whether the records are digital or hard copies, secure archiving of retained materials is critical.

The more records your company opts to retain, the greater the physical space and the security required, which becomes a budget concern. Who gets access to retained records, and by what means, also becomes a concern.

Implementing a new, solid retention policy helps protect your company from the dangers of hacking, since data you no longer hold cannot be stolen. A sound retention policy also ensures that your organization does not lose valuable documents, and it protects the data of those whose personal information you have collected and retained.

Another outcome of crafting a retention policy is a rethinking of what data should actually be kept and what data is just filling space, so that your retained files become more meaningful. Data protection has always been a concern; GDPR is simply tightening decisions about what is retained, why, and how it is safeguarded.