The EU General Data Protection Regulation (GDPR) applies from 25 May 2018, and it tightens up the rules on how long you can keep personal data. We’ve put together this quick guide to help you stay on top of the new requirements on data retention.
At the heart of the GDPR is the principle that you should only collect the data you need, and only store it for as long as you need it. These points are enshrined in Article 5 of the GDPR, which states that data must be ‘collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes’; ‘adequate, relevant and limited to what is necessary’ and ‘kept… for no longer than is necessary for the purposes’.
There are some situations when personal data can be stored for longer periods, such as scientific or historical research, statistical purposes, or archiving in the public interest, and only then with appropriate safeguards in place. But they’re probably not relevant to most situations that businesses will face.
Here are seven key points to think about when considering data retention:
- Set a strict maximum on how long personal data can be stored, and also set time limits for deleting records, or at least reviewing whether you still need them.
- Bear in mind that you may need to keep different types of data for different periods. In each case, you’ll need to consider intended use, legal requirements, industry practices, the risks of keeping the data and how easy it is to keep it up to date.
- Consider whether you could anonymise any data you need to keep for longer. Truly anonymised data, where individuals can no longer be identified by any means reasonably likely to be used, falls outside the GDPR altogether. Pseudonymised data (for example, records keyed by a customer number that you can still link back to a person) is still personal data and still subject to the retention rules.
- Tell people how long you’re going to keep their data – or, failing that, how you’ll decide how long to keep it.
- Take special care with ‘special categories’ of data: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health, sex life and sexual orientation. It’s particularly important that these types of data are only kept for as long as necessary and then promptly destroyed.
- Securely dispose of data once you no longer need it, and before it becomes inaccurate or out of date. Decide in advance how you’ll make sure this actually happens, including for backups and copies held by third parties.
- Decide who will do what in terms of collecting, storing, securing, updating and disposing of data, and make sure everyone knows their responsibilities. Create a data retention policy and share it around your organisation.
For paper-based records, a regular document destruction service can help you stay on top of your compliance with GDPR. At Shred Station, we can offer a scheduled service carried out by security-vetted staff, with free lockable containers supplied. We also give you a certificate of destruction so you have a full audit trail.