In the ever-evolving landscape of data protection regulations, data retention stands as a crucial aspect of compliance and risk management for organisations across industries. As businesses accumulate vast amounts of data, understanding how long to retain this data becomes paramount, not only to meet legal requirements but also to mitigate potential liabilities and optimise operational efficiency.
What is data retention?
Data retention refers to the practice of storing data for a specific period, guided by legal, operational and regulatory considerations. While the principles of data minimisation advocate for limiting the collection and storage of personal data, retaining certain information is often necessary for various purposes.
Why would an organisation retain people’s personal data?
Compliance: the UK GDPR and other laws may require organisations to retain data for specific periods for the purpose for which it was collected. For example, HMRC requires businesses to keep financial records in case of a tax audit.
Litigation and resolving disputes: data retention plays an important role in legal proceedings, as organisations may need to produce relevant information as evidence.
Business necessity: retaining certain data is essential for business operations, such as historical records for analysis, and customer service complaints.
Key considerations for data retention policies
Effective data retention requires a comprehensive understanding of regulatory requirements, industry standards, and organisational needs. Some key considerations are:
1. Data classification
A data retention policy might include what type of data is collected, why it is collected, and where it is stored. Not all personal data is equal. Classifying data based on its sensitivity, importance, and regulatory requirements enables organisations to tailor retention periods and security measures accordingly. The UK GDPR singles out some types of personal data as likely to be more sensitive, and gives them extra protection. These are known as ‘special categories of personal data’, and they include ethnic origin, religious beliefs, political opinions, trade union membership, genetic data, biometric data, health data, sex and sexual orientation data.
2. Retention periods
Organisations should be clear on how long they will keep different types of personal data and their reasons for storing the data to begin with. The ICO allows organisations to store personal data indefinitely if they are holding it for public interest reasons. Organisations must not keep personal data for longer than it is needed.
3. Access controls
Only authorised personnel, such as data administrators or designated compliance officers, should have access to personal data stored, while other employees may have access to non-sensitive operational data relevant to their duties. A data retention policy should state who has access to stored personal data.
4. Transparency and accountability
Organisations should communicate their data retention policies clearly to employees, customers, and any affected third parties. Demonstrating accountability instils trust and confidence in the organisation’s commitment to privacy and compliance.
Other considerations
Anonymisation and pseudonymisation
The requirements of the UK GDPR and Data Protection Act 2018 apply to organisations that process personal data, which includes information about an identified or identifiable natural person. Truly anonymous data would not therefore fall into the category of personal data. If it is possible to anonymise personal data, this should be considered by organisations as it can be a powerful strategy to enhance privacy protection and compliance. By transforming personal data into anonymised or pseudonymised formats, organisations can mitigate privacy risks associated with long-term data retention.
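The retention-period and anonymisation points above can be put together in code. The following is an added illustration, not code from the original article or from any regulator: it applies a classification-based retention schedule and, for records that have outlived their period but are still wanted for historical analysis, replaces the direct identifier with a keyed HMAC token. The retention periods, record fields, categories and secret key are all constructed assumptions. Because the key is retained, the tokens are pseudonymous rather than anonymous, so the output remains personal data under the UK GDPR; only records whose key has been destroyed could be treated as anonymised.

```python
"""Added example: classification-driven retention with keyed pseudonymisation.

All retention periods, record shapes and the key below are constructed
illustrations (assumptions), not the article's or any regulator's values.
"""
import hashlib
import hmac
from datetime import date, timedelta

# Assumed retention schedule in days per classification (illustrative only).
RETENTION_DAYS = {
    "financial_record": 6 * 365,
    "customer_complaint": 3 * 365,
    "special_category": 365,  # assumption: shortest period for sensitive data
}

# Assumed policy: only these classifications are kept (pseudonymised) for
# historical analysis once their period expires; everything else is deleted.
KEEP_FOR_ANALYSIS = {"customer_complaint"}

# Constructed secret used for pseudonymisation. In practice this would live in
# a key store with its own access controls and its own retention decision.
PSEUDONYMISATION_KEY = b"constructed-example-key-not-for-real-use"

# Constructed sample records; dates chosen to exercise each branch below.
SAMPLE_RECORDS = [
    {"id": "r1", "classification": "financial_record", "collected_on": date(2020, 1, 15),
     "email": "alice@example.com", "topic": "invoice"},
    {"id": "r2", "classification": "customer_complaint", "collected_on": date(2019, 3, 10),
     "email": "bob@example.com", "topic": "late delivery"},
    {"id": "r3", "classification": "special_category", "collected_on": date(2022, 1, 1),
     "email": "carol@example.com", "topic": "health adjustment request"},
    {"id": "r4", "classification": "customer_complaint", "collected_on": date(2023, 11, 20),
     "email": "bob@example.com", "topic": "billing error"},
]


def is_past_retention(record, today):
    """True when the record is older than its classification's retention period."""
    limit = timedelta(days=RETENTION_DAYS[record["classification"]])
    return today - record["collected_on"] > limit


def pseudonymise(record, key):
    """Replace the direct identifier (email) with a keyed HMAC token.

    The same email always maps to the same token, so records about one person
    stay linkable for analysis. Whoever holds the key can still re-identify
    the person, which is why this is pseudonymisation, not anonymisation.
    """
    token = hmac.new(key, record["email"].encode("utf-8"), hashlib.sha256).hexdigest()[:16]
    return {
        "subject_token": token,
        "classification": record["classification"],
        "collected_on": record["collected_on"],
        "topic": record["topic"],
    }


def apply_retention(records, today, key):
    """Sort records into kept (within period), pseudonymised, and deleted ids."""
    kept, pseudonymised, deleted = [], [], []
    for record in records:
        if not is_past_retention(record, today):
            kept.append(record)
        elif record["classification"] in KEEP_FOR_ANALYSIS:
            pseudonymised.append(pseudonymise(record, key))
        else:
            deleted.append(record["id"])
    return kept, pseudonymised, deleted


def run_example(today=date(2024, 6, 1)):
    """Run the schedule over the constructed sample at an assumed review date."""
    return apply_retention(SAMPLE_RECORDS, today, PSEUDONYMISATION_KEY)


if __name__ == "__main__":
    kept, pseudonymised, deleted = run_example()
    print("kept:", [r["id"] for r in kept])
    print("pseudonymised:", pseudonymised)
    print("deleted:", deleted)
```

Running the review at the assumed date keeps the recent records, pseudonymises the old complaint (its email is gone but its token still links to the newer complaint from the same person), and deletes the old special-category record outright. Re-running the review on a schedule, with the outcome logged, is what turns a retention policy on paper into the demonstrable accountability the article asks for.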
Employee training and awareness
Educate employees about the importance of data retention, security protocols and compliance requirements. Provide training on data handling and best practices, and empower employees to identify and report potential security risks or compliance violations.
If your organisation needs help drafting a data retention policy or employee training on data protection requirements, contact our Data Protection team here.