
Is your data retention policy compliant with the GDPR?

The GDPR comes into force on 25th May 2018. With that date rapidly getting closer, it is vitally important that the processes you use to store personal data are reviewed now to ensure they comply with the new legislation.

Storing personal data for an indefinite amount of time is not only reckless, it exposes you to enforcement action: under the GDPR, unless you have a lawful basis for continuing to hold personal data, it must be deleted (or anonymised so that it no longer identifies anyone).

If you don’t have a data retention policy then now is the time to create one. Taking stock of all the personal data stored within your systems, why it is there and how long it is kept for is the first step towards GDPR compliance.

What is a data retention policy?

A data retention policy is a written set of guidelines relating to the length of time personal data is stored for.

Decisions on how long to store data generally derive from your internal processing requirements, but there may also be legal requirements (tax, warranty or contractual obligations, for example) to take into consideration.

Why is a data retention policy important?

Storing data indefinitely is a bad idea. Not only is the data likely to become inaccurate after it has been stored for a long period, but every extra record you hold increases the harm to the individuals concerned if your systems are ever hacked or breached.

A data retention policy helps reduce the risk of losing sensitive personal information that could potentially cause harm to the people involved.

For example, suppose you have a customer list that dates back 10 years. This list holds sensitive information such as home addresses, email addresses and phone numbers. If the list is compromised, a number of these people could suffer identity fraud, potentially costing them money, or other harm. You could try to inform all of these customers of the breach, but someone who hasn’t used your service in the last 9 years may well have a different email address or phone number by now. This means that many of these customers may never learn that their data has been compromised.

Now imagine the same scenario, but you have anonymised the records of all customers who haven’t used your service within the last year. The hacker still gets the customer list, but only a subset of your customer base is at risk, because the anonymised rows no longer identify anyone. You can quickly inform this smaller group of customers that there has been a breach and their data has been compromised, allowing them to take the necessary measures to prevent any further problems.

How do I create a data retention policy?

Firstly, you’ll want to assess what data you currently store. Make a list of all the types of personal data that you handle (names, contact details, payment details, order history and so on).

You’ll also want to look at where you hold this data. Servers, databases, mailboxes, company computers, spreadsheets and even backups all need to be noted down, because a retention rule that is applied to the live database but not to the backups or the exported spreadsheet has not really been applied.

After you’ve compiled your list of data types and storage locations, you will want to define a retention period for each type of data. This will vary from business to business depending on your company’s needs. For example, you may need to keep a customer’s details for at least 2 years because of a warranty you provide on a product you’ve sold them. After this 2-year period the data is no longer necessary, and that is a reasonable point at which to delete it. Go through this process for every type of personal data that you store and record the retention periods in your policy.

So now you know what data you store, where you store it and for how long it should be stored … what’s the next step?

Implementation of the policy.

It’s a tedious task to check each day for data that has passed its retention period, even more so if that data needs to be anonymised rather than simply deleted. If budget allows, it is far better to build the retention rules into your systems and have the computer do the hard work for you. Then all you need to do is check, independently of the job itself, that these processes are running correctly and that the data is actually being deleted or anonymised.
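The following is an added example of what such an automated retention job can look like; it is not code from the original post or from Instiller. It uses an in-memory SQLite database with constructed sample rows, and the two rules it enforces are assumed for illustration: warranty records are deleted once the sale is more than 730 days old, and customers who have not been active for more than 365 days have their name, email, phone and address nulled out while the row itself is kept for reporting. A separate verification function counts any rows that still violate a rule, which is the check the paragraph above asks for.

```python
"""Automated retention enforcement (added example, assumed rules and data)."""
import sqlite3
from datetime import date, timedelta

# table -> (timestamp column, retention period in days, action).
# Trusted configuration: table and column names are interpolated into SQL
# from this dict only, never from user input; date values go in as parameters.
RETENTION_RULES = {
    "warranty_records": ("sold_on", 730, "delete"),     # assumed rule
    "customers": ("last_activity", 365, "anonymise"),   # assumed rule
}
PII_COLUMNS = ("name", "email", "phone", "address")     # columns to scrub


def build_sample_db(today: date) -> sqlite3.Connection:
    """Create an in-memory database holding constructed sample personal data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT,"
                 " email TEXT, phone TEXT, address TEXT, last_activity TEXT NOT NULL)")
    conn.execute("CREATE TABLE warranty_records (id INTEGER PRIMARY KEY,"
                 " customer_id INTEGER, product TEXT, sold_on TEXT NOT NULL)")

    def days_ago(n: int) -> str:          # ISO dates compare correctly as strings
        return (today - timedelta(days=n)).isoformat()

    conn.executemany("INSERT INTO customers VALUES (?,?,?,?,?,?)", [
        (1, "Alice Example", "alice@example.com", "0111 111", "1 High St", days_ago(30)),
        (2, "Bob Example", "bob@example.com", "0222 222", "2 Low Rd", days_ago(400)),
        (3, "Carol Example", "carol@example.com", "0333 333", "3 Mid Ln", days_ago(3650)),
    ])
    conn.executemany("INSERT INTO warranty_records VALUES (?,?,?,?)", [
        (1, 1, "kettle", days_ago(100)),
        (2, 2, "toaster", days_ago(800)),
        (3, 3, "fridge", days_ago(3000)),
    ])
    conn.commit()
    return conn


def _still_holds_pii() -> str:
    return " OR ".join(f"{c} IS NOT NULL" for c in PII_COLUMNS)


def apply_retention(conn: sqlite3.Connection, today: date) -> dict:
    """Apply every rule; return how many rows each rule changed on this run."""
    touched = {}
    for table, (ts_col, days, action) in RETENTION_RULES.items():
        cutoff = (today - timedelta(days=days)).isoformat()
        if action == "delete":
            cur = conn.execute(f"DELETE FROM {table} WHERE {ts_col} < ?", (cutoff,))
        elif action == "anonymise":
            scrub = ", ".join(f"{c} = NULL" for c in PII_COLUMNS)
            # Only touch rows that still hold PII: the job stays idempotent and
            # the count is an honest "rows anonymised this run".
            cur = conn.execute(
                f"UPDATE {table} SET {scrub} WHERE {ts_col} < ? AND ({_still_holds_pii()})",
                (cutoff,))
        else:
            raise ValueError(f"unknown action {action!r} for table {table}")
        touched[table] = cur.rowcount
    conn.commit()
    return touched


def verify_retention(conn: sqlite3.Connection, today: date) -> dict:
    """Independent check: count rows that still violate each rule (0 is good)."""
    violations = {}
    for table, (ts_col, days, action) in RETENTION_RULES.items():
        cutoff = (today - timedelta(days=days)).isoformat()
        sql = f"SELECT COUNT(*) FROM {table} WHERE {ts_col} < ?"
        if action == "anonymise":
            sql += f" AND ({_still_holds_pii()})"
        violations[table] = conn.execute(sql, (cutoff,)).fetchone()[0]
    return violations


def run_demo(today_iso: str = "2018-05-25") -> dict:
    """Build the sample DB, run the job twice and report what happened."""
    today = date.fromisoformat(today_iso)
    conn = build_sample_db(today)
    before = verify_retention(conn, today)
    first = apply_retention(conn, today)
    after = verify_retention(conn, today)
    second = apply_retention(conn, today)          # re-run: nothing left to do
    emails = [r[0] for r in conn.execute("SELECT email FROM customers ORDER BY id")]
    return {"before": before, "first_run": first, "after": after,
            "second_run": second, "emails": emails}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design points carry over to a real system. The verification query is written separately from the job that does the work, so a bug or a silently failing cron job shows up as a non-zero violation count rather than going unnoticed. And the anonymise step only matches rows that still hold personal data, so the job can be run as often as you like and its counts remain meaningful. Remember that the same cutoffs also need applying to backups and exports, which this single-database example does not cover.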

The final step is to make this policy clear to the people you collect personal data from. The GDPR requires you to tell them how long their data will be kept, or the criteria used to decide that, and the natural place for this is your privacy policy. It doesn’t have to reproduce your whole internal data retention policy, a summary is enough, but customers need to be able to find and understand what is being done with their personal data.

Don’t wait

If reviewing your data retention policy isn’t something you’ve already done then make a start today.

Every business needs a clearly defined data retention policy that can easily be followed, both to protect you against legal challenges and to give your clients peace of mind when they entrust you with their personal data.
