With the imminent arrival of the GDPR, thousands of organisations across Europe, small and large, are undoubtedly having a last-minute panic, trying to work out what personal data they hold, where they store it, what they should and shouldn't be doing with it, whether they should in fact be using it at all and how long they can hold it for.
This last consideration is one that is easy to ignore but is very important if the GDPR is to achieve its aims. Businesses can no longer store boxes full of client files containing personal details in storage cupboards and forget about them, nor can they have spreadsheets full of non-essential, historic customer information lurking on their IT systems.
One of the data protection principles within the GDPR which everyone processing personal data must abide by is the "storage limitation" principle (Article 5(1)(e)), which requires that personal data must be:
“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals.”
The relevant Recital (Recital 39) states that:
“Personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted.”
It is therefore very important that personal data is retained for no longer than is necessary for the purpose for which it was collected. The length of time for which data may be held must be judged on a case-by-case basis and will depend on a number of factors. The ICO has suggested the following factors be considered when determining how long data should be retained:
- Current and future value of the information;
- Costs, risks and liabilities associated with retaining the information; and
- Ease or difficulty of making sure it remains accurate and up to date.
One important task for all data controllers is therefore to undertake that all-important data audit, so that they have a clear grasp of what data they hold and can then establish how long they should be holding each category of it for.
Moving forward, organisations should, firstly, create a data management process, identifying individuals within the organisation and allocating to them the responsibility of reviewing the data held on a regular basis to ensure that it is not kept for longer than it should be. This will help to meet the data retention requirements of the GDPR, ensure that the data in question does not become inaccurate or out of date, and lessen the risk of historic data falling into the wrong hands and being used for unauthorised purposes: data that has been deleted cannot be exposed in a breach.
Secondly, they should update employment contracts, privacy policies and data protection policies where appropriate, to include information about how long relevant categories of data are held. If legitimate interests are being relied on as the lawful basis for processing, data controllers will also have to carry out an assessment balancing their interest in holding the data against the rights and freedoms of the data subject.
Depending on the type and volume of data held, the size of the organisation and the complexity of the processing undertaken, data controllers may also consider drafting a separate data retention policy which identifies each type of personal data collected, where it is stored and for how long it is retained.
These obligations will prevent the practice, which has become common over the last few years, of holding personal data on a “just-in-case” basis with no proper reason for believing that it may be required in the future. This should enable individuals across the EU to be confident that their personal information is not lying around in old spreadsheets and filing cabinets, removing the risks that this inevitably brings.