DATA RETENTION POLICY NOTES
One of the core principles of the GDPR is the storage limitation principle. In essence, this principle means that you must not keep personal data for any longer than you need it. Article 5(1)(e) of the GDPR states that:
1. Personal data shall be…
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) [which addresses safeguards] subject to implementation of the appropriate technical and organizational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
As will be explained below, this does not necessarily mean that the data in question must be deleted or destroyed in its entirety. The key phrase is “kept in a form which permits identification of data subjects”, meaning that it can be possible to keep data for longer if it is anonymized or properly pseudonymized.
In the context of an SME, it is unlikely that personal data will be retained on the grounds of public interest archiving, scientific or historical research, or statistical purposes. Consequently, these guidance notes do not cover this aspect of data retention in detail.
What will be most important from a business perspective is ensuring that you keep track of all personal data flowing in and out of your organization, such as customer information and personal data relating to employees; determining how long you can or should keep this data (certain retention periods are set by law, although not by the GDPR or Data Protection Act); reviewing retention regularly; and deleting, disposing of, or otherwise rendering data non-personal in a timely manner. As will be seen, documentation is particularly important and can play an invaluable role in keeping track.
It must also be kept in mind that data retention issues may extend beyond your own organization if you share personal data with a third party. In such cases, agreeing suitable retention periods will be important, although they may not necessarily be the same if each organization holding the personal data in question is using it in a different manner.
Data Subject Rights
When considering data retention, in addition to your own obligations to abide by the principles of the GDPR, as detailed below, the rights of the individual data subject may come into play and must always be respected and complied with.
Irrespective of your data retention schedules, always remember that if an individual exercises the right to erasure, also known as the ‘right to be forgotten’, you must comply with this.
Similarly, data subjects wishing to exercise the right of access (by means of a ‘data subject access request’) must be provided with the requisite information concerning the personal data that you hold about them, whether it is within its retention period or not.
Part 1. Purpose and Lawful Basis
Before you can collect, hold, or process any personal data at all, you must identify a proper lawful basis for doing so. You may, for example, use personal data:
With the consent of individual data subjects. You must explain the specific purpose for which you wish to use the personal data when obtaining consent;
In order to enter into a contract with an individual data subject, or to take steps at the request of the individual prior to entering into a contract;
In order to fulfil a legal obligation (this does not include contractual obligations - see above);
To protect someone’s vital interests (e.g. protecting their life);
To perform a task with a clear basis in law that is in the public interest or in the exercise of official functions;
In a manner consistent with your legitimate interests or those of a third party, provided that the individual’s own interests or fundamental rights and freedoms do not override them (this basis is the most flexible but must be chosen with care).
Note that if you are collecting, holding and/or processing special category personal data, additional criteria must be satisfied.
The lawful basis or bases upon which you rely to collect, hold, and process personal data will be closely linked to the purpose or purposes for which you use it. These purposes will, in turn, be linked to data retention as you may only hold personal data for as long as the purpose(s) actually require it. Holding onto personal data ‘just in case’ is not a valid reason to keep it longer than the original purposes require.
Fairness should also be considered at this stage, taking into account the impact that your use of personal data will have upon the individuals whose data is being used, ensuring that you will only use the data in ways in which those individuals would expect (or being able to explain and provide a justification if not), and ensuring that you do not deceive or mislead individuals when you collect their personal data.
Transparency is also essential here, and indeed should be considered carefully in all areas of personal data usage. It is important that you comply with the right to be informed and that individual data subjects are told about (among other things) your collection, holding, and processing of their personal data, including your lawful basis or bases for using it, your purpose or purposes, and - particularly relevant in the context of these Guidance Notes - how long you will keep it.
When deciding what personal data you will collect and why, careful consideration should be given to the purpose or purposes for which that data is collected. This is, of course, closely linked to your lawful basis for processing. As always, the chosen purpose or purposes should be documented, as well as included in the privacy information that you provide to individual data subjects.
It is also important to regularly review your use of personal data in light of your chosen purpose or purposes to ensure that you are still using that personal data for the right reasons. If you wish to use personal data for a new purpose, you must first determine whether or not that new purpose is compatible with the original purpose(s); if it is, you may proceed, but if it is not, you will either need specific consent or you must identify a specific legal provision which allows or requires the new processing in the public interest. The latter ground is clearly less likely to apply in the SME context.
Part 2. Data Minimization
A related principle of the GDPR is that of data minimization. You must ensure that any personal data collected, held, and processed is:
Adequate in that it is sufficient to properly fulfil the purpose or purposes for which you have collected it;
Relevant in that it has a logical and rational connection to that/those purpose or purposes; and
Limited to what is necessary for that/those purpose or purposes.
It is important, therefore, to consider carefully what data you will need at the very beginning and to be clear about why you need it. As with all aspects of data protection compliance, it is important to record these decisions so that you can demonstrate compliance and so that you can always come back and check your reasoning. Projects tend to evolve as they progress, and great care must be taken to ensure that you do not end up with more personal data than you ultimately need.
In particular, you should periodically review the personal data that you hold in order to ensure that you still need it. This connects directly to the issue of data retention. Setting a retention period in stone at the early stages of project planning will rarely be sufficient. Just as your project involving personal data is likely to be dynamic, so too should your approach to data retention be.
Part 3. Keeping Data Accurate and Up-to-Date
The requirement to keep personal data accurate is another core principle of the GDPR which ties in closely with data retention. It is important to take all reasonable steps to make sure that the personal data you hold is correct and is not misleading. In some cases, this will mean actively keeping data up-to-date.
Where any personal data is inaccurate (if, for example, it is out-of-date), you should take steps quickly to correct it, erase it, or otherwise dispose of it. It is also important to remember the individual data subject’s right to rectification. Challenges made as to the accuracy of personal data must also be handled with care. As always, document everything.
The longer you keep personal data, the less likely it is to remain accurate. The degree to which the data protection principles enshrined in the GDPR are interlinked means that falling foul of one means you may well fall foul of others. It is, therefore, in your own best interests not to keep personal data for any longer than necessary.
Part 4. Storage Limitation
Thus far, these Guidance Notes have focused more on the lead-up to the issue of data retention. When collecting, holding, and/or processing personal data, you must:
Ensure that you have a lawful basis and that you collect, hold, and process the personal data in a fair and transparent way;
Collect the personal data only for specified, explicit, and legitimate purposes and use that data only for those purposes unless new purposes are compatible or you have another ground such as the consent of the affected data subject(s);
Ensure that the personal data you use is adequate, relevant, and limited to what is actually necessary for your chosen purpose(s);
Keep the personal data in a form which permits the identification of data subjects for no longer than is necessary in light of that/those purpose(s); and
Process the personal data in a manner that ensures appropriate security of the personal data.
It is the fourth point that will be our focus for the remainder of these Guidance Notes.
As noted above, by only keeping personal data for as long as you need it, you are actively reducing the risks associated with using personal data in the first place, particularly those associated with the holding of excessive data, relevancy, and accuracy.
Furthermore, not only do longer retention periods carry an increased risk of non-compliance with data protection law, but they can also hamper efficiency and increase business costs. Both physical and electronic storage risk being taken up unnecessarily, and complying with other data protection obligations such as responding to data subject access requests can become more burdensome, costly, and time-consuming.
The Data Retention Policy
One of the easiest ways to keep track of personal data and the retention and review periods associated with it is to use a Data Retention Policy. In addition to setting out a helpful summary of the key legal requirements relating to data retention, such a policy should document every type of personal data collected, held, and processed by your organization, what you use that data for, the retention periods for that data, any applicable retention review periods, and other key information designed to help you to determine whether or not you should still be holding the data in question.
Guidance from the Information Commissioner’s Office explains that small organizations undertaking low-risk personal data processing may not need a documented data retention policy. It remains true, however, that having everything mapped out in one go-to document can make the process more efficient and reduce the risks associated with holding onto data for too long.
Data Retention Periods
In some cases, the retention periods for certain types of data will be prescribed by law. Particular examples of this include information retained for tax and audit purposes, and other key compliance information. In certain sectors or industries, there may also be agreed standards or guidelines. The Information Commissioner’s Office, for example, has stated that credit reference agencies are allowed to retain consumer credit data for six years. It is important to be aware, however, that codes or guidelines are not necessarily a guarantee of compliance. They provide a useful starting point, but it is still important to consider whether or not you need to hold the personal data in question for as long as you plan to.
In many cases, however, there are no fixed retention periods, and it will be your decision to make, since you will know your purposes for using the personal data in question better than anyone else.
What is important when determining retention periods for personal data is to be realistic and to be strict. For each type of personal data you are considering, serious thought must be given to the purpose or purposes for which that data is to be collected, held, and processed and, in turn, to the length of time you truly need to use that personal data for that purpose or purposes. You must be able to justify your retention of the personal data and, at the risk of repetition, keeping personal data just in case you find something else to do with it in the future is not justifiable and goes against multiple principles of the GDPR. Similarly, if there is only a slim chance that you will use the personal data, you must consider realistically how slim that chance is and opt not to keep the data if it is unlikely to be used.
Deciding how long to keep personal data, or whether to continue keeping personal data if you are reviewing it at a later date, is ultimately a balancing exercise. What you are not expected to do, given the absence of fixed periods in most cases, is to erase or dispose of personal data that you still have a legitimate need for (always in light of the purpose or purposes for which you obtained it). You may, for example, have a relationship with a customer. Clearly, you will retain personal data about that customer during that relationship. Afterwards, however, there may still be a justification for retaining some or all of the data. It can be helpful, for example, to retain enough data to evidence the existence of that relationship and to document its end. You may also need to retain enough data to comply with the customer’s marketing preferences. It is, after all, very difficult not to send marketing to someone if you don’t have personal data about them which documents their wish not to receive any marketing.
It may also be important to retain certain personal data for the conduct of future legal claims. If keeping personal data for such purposes, however, you should ensure that it is only kept for as long as a claim could be brought.
Reviewing Data Retention
As noted above, it is not sufficient simply to decide upon a fixed retention period for personal data at the start and to stick to it unwaveringly. It may be that certain personal data that you hold should be deleted or disposed of earlier than planned or, on the other hand, you may have a legally sound reason to keep it for longer than you expected. Regular reviews are therefore important.
At the very least, the Information Commissioner’s Office recommends that you review your retention of a particular type of personal data at the end of the retention period for that data; however, it also notes that it is good practice to review retention at regular intervals before the end of retention periods, particularly where those periods are lengthy or your use of the personal data in question has potentially significant consequences for the individual data subjects concerned.
Not only should your review cover the actual length of your data retention, but it should also refer back to your original purpose or purposes for collecting, holding, and/or processing the personal data. You must carefully evaluate whether you can still legitimately rely upon your original justification.
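As an added illustration (not part of the original guidance notes, and not ICO material), the following Python script models a minimal retention register of the kind described above: each category of personal data is mapped to its purpose, lawful basis, retention period, interim review interval and disposal action, and each record held is then classified as retain, due for review, expired, or not covered by the policy at all. The categories, periods and dates are constructed sample values chosen for the example, not legally prescribed periods.

```python
"""Retention-register review (constructed example; periods and records are illustrative)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RetentionEntry:
    category: str        # type of personal data named in the policy
    purpose: str         # what the data is used for
    lawful_basis: str    # e.g. "contract", "legal obligation", "legitimate interests"
    retention_days: int  # how long to keep the data after the trigger event
    review_days: int     # interim review interval before the period ends
    disposal: str        # what happens once the period ends


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    trigger_date: date                  # event that starts the clock, e.g. end of relationship
    last_review: Optional[date] = None  # date of the last documented review, if any


Action = Tuple[str, Optional[str]]


def classify(entry: RetentionEntry, record: Record, today: date) -> Action:
    """Decide what to do with one record under its policy entry."""
    expiry = record.trigger_date + timedelta(days=entry.retention_days)
    if today >= expiry:
        return ("expired", entry.disposal)
    baseline = record.last_review or record.trigger_date
    if today >= baseline + timedelta(days=entry.review_days):
        return ("review", None)
    return ("retain", None)


def review_register(policy: List[RetentionEntry], records: List[Record], today: date) -> Dict[str, Action]:
    """Classify every record; data not mapped to any policy entry is flagged as a finding itself."""
    by_category = {e.category: e for e in policy}
    result: Dict[str, Action] = {}
    for r in records:
        entry = by_category.get(r.category)
        result[r.record_id] = classify(entry, r, today) if entry else ("unmapped", None)
    return result


# Constructed policy: the periods below are illustrative values, not legal requirements.
POLICY = [
    RetentionEntry("customer_account", "providing the contracted service", "contract", 2190, 365, "anonymize"),
    RetentionEntry("job_applicant", "assessing an application", "legitimate interests", 180, 90, "delete"),
    RetentionEntry("marketing_suppression", "honouring opt-out requests", "legal obligation", 3650, 365, "delete"),
]

# Constructed records held as of the review date.
RECORDS = [
    Record("cust-001", "customer_account", date(2017, 1, 15)),
    Record("cust-002", "customer_account", date(2023, 9, 1)),
    Record("app-001", "job_applicant", date(2024, 1, 10)),
    Record("legacy-001", "old_crm_export", date(2015, 3, 3)),   # not in the policy at all
]


def run_example(today: date = date(2024, 6, 1)) -> Dict[str, Action]:
    return review_register(POLICY, RECORDS, today)


if __name__ == "__main__":
    for record_id, (state, disposal) in run_example().items():
        print(f"{record_id}: {state}" + (f" -> {disposal}" if disposal else ""))
```

The "unmapped" outcome is deliberate: a record whose category does not appear in the policy means the register is incomplete, which is exactly the situation the notes warn about, so it is reported alongside expired and review-due records rather than silently retained.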
Part 5. After the Retention Period
Once the retention period for personal data is over, whether that is the pre-planned period or whether a review has determined that it is time to erase or otherwise dispose of personal data earlier than planned, there are various options. Please note that certain options discussed here are included for completeness and will be unnecessarily strong for a small business.
It is important to remember that data is only personal data to the extent that it enables the identification of individual data subjects. Depending upon the nature of the data you hold, therefore, you may not need to get rid of everything. Customer records, for example, may incorporate useful sales statistics and other information. You will need to strip those records of personal information that can identify the individual customers once you no longer have a justification to retain them, but this does not mean that the non-personal data has to go too.
Similarly, some personal data can be anonymized. A related option is pseudonymization; however, it is important to note that the latter option usually still enables identification in some way. Under the GDPR, personal data is still personal data even if it does not directly identify someone if it can be combined with other data to do so.
Deletion or disposal will often be the default choice. When deleting data stored electronically, it will be important to ensure that backups of that data are also deleted.
Anonymizing Personal Data
If you do not wish to delete data records entirely, anonymization is a viable option. It is important, however, to ensure that the data in question is truly anonymized and cannot be subsequently combined with other data in order to identify the individual data subject to whom it relates.
Two of the primary choices for anonymizing personal data are randomization and generalization. Randomization refers to techniques which essentially remove the link between the data and the individual. Generalization refers to ‘diluting’ the attributes that relate directly to individual data subjects. Aggregation is a form of generalization which provides useful statistics (and could be applied, for example, to sales and marketing data) without identifying (or carrying a great deal of risk of identifying) individual people.
Once data has been anonymized, the original personal data should still be deleted so that no connections can be made to re-identify anyone.
It is important to note that the very act of anonymizing personal data constitutes personal data processing. Consequently, the purpose for which you process the newly-anonymized data must be compatible with the original purpose or purposes for which you acquired the data in the first place unless you have another valid legal basis or have obtained the consent of the affected data subjects.
While anonymization may seem like an easy solution which allows you to retain useful information while disposing of the personal element, it should be undertaken with great care. Data which may, on the face of it, appear to be anonymous may in fact be used to re-identify data subjects. Anonymized data should be tested carefully to minimize such risks and kept under regular review.
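The following Python example, added here and not taken from the guidance notes, shows the generalization and aggregation approaches described above applied to a small set of constructed customer records: direct identifiers are dropped, postcode and age are generalized (outward-code letters and ten-year bands), groups that would leave someone unique are suppressed, and the result is checked for k-anonymity before aggregate sales statistics are produced. The customer data, the choice of quasi-identifiers and the threshold k_min are all assumptions made for the example.

```python
"""Generalization, suppression and aggregation of customer records (constructed example)."""
import re
from collections import Counter, defaultdict
from statistics import mean
from typing import Dict, List, Tuple

# Constructed sample records: direct identifiers, quasi-identifiers and a sales figure.
CUSTOMERS = [
    {"name": "A. Example", "email": "a@example.com", "postcode": "SW1A 1AA", "age": 34, "spend": 120.0},
    {"name": "B. Example", "email": "b@example.com", "postcode": "SW1P 3BT", "age": 38, "spend": 80.0},
    {"name": "C. Example", "email": "c@example.com", "postcode": "SW7 2AZ", "age": 31, "spend": 200.0},
    {"name": "D. Example", "email": "d@example.com", "postcode": "M1 1AE", "age": 45, "spend": 60.0},
    {"name": "E. Example", "email": "e@example.com", "postcode": "M2 5BQ", "age": 42, "spend": 90.0},
    {"name": "F. Example", "email": "f@example.com", "postcode": "EC1A 1BB", "age": 29, "spend": 300.0},
]

# Attributes that do not identify on their own but can when combined (assumed for this example).
QUASI_IDENTIFIERS = ("postcode_area", "age_band")


def age_band(age: int) -> str:
    """Generalize an exact age to a ten-year band, e.g. 34 -> '30-39'."""
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def postcode_area(postcode: str) -> str:
    """Generalize a full postcode to its leading letters only, e.g. 'SW1A 1AA' -> 'SW'."""
    match = re.match(r"[A-Z]+", postcode.upper())
    return match.group(0) if match else "UNKNOWN"


def generalize(record: dict) -> dict:
    """Drop direct identifiers (name, email) and coarsen the quasi-identifiers; keep the statistic."""
    return {
        "postcode_area": postcode_area(record["postcode"]),
        "age_band": age_band(record["age"]),
        "spend": record["spend"],
    }


def _key(record: dict) -> Tuple[str, ...]:
    return tuple(record[q] for q in QUASI_IDENTIFIERS)


def k_anonymity(records: List[dict]) -> int:
    """Smallest group size over the quasi-identifier combinations; k == 1 means someone is unique."""
    counts = Counter(_key(r) for r in records)
    return min(counts.values()) if counts else 0


def anonymize(records: List[dict], k_min: int) -> Tuple[List[dict], int]:
    """Generalize, then suppress any group smaller than k_min; return the kept records and their k."""
    generalized = [generalize(r) for r in records]
    counts = Counter(_key(r) for r in generalized)
    kept = [r for r in generalized if counts[_key(r)] >= k_min]
    return kept, k_anonymity(kept)


def aggregate(records: List[dict]) -> Dict[str, Dict[str, float]]:
    """Aggregate sales statistics per postcode area (only over records that survived suppression)."""
    spend_by_area = defaultdict(list)
    for r in records:
        spend_by_area[r["postcode_area"]].append(r["spend"])
    return {area: {"customers": len(s), "mean_spend": mean(s)} for area, s in spend_by_area.items()}


if __name__ == "__main__":
    print("k before suppression:", k_anonymity([generalize(r) for r in CUSTOMERS]))
    kept, k = anonymize(CUSTOMERS, k_min=2)
    print("k after suppression:", k, "records kept:", len(kept))
    print(aggregate(kept))
    # The original CUSTOMERS records would be deleted at this point so that no link back remains.
```

On this sample the generalized data still has k = 1 because one customer is alone in the "EC / 20-29" group, which is the kind of result the review step above is meant to catch; suppressing groups below k_min = 2 removes that record and leaves statistics that no longer single anyone out. The threshold and the choice of quasi-identifiers have to be judged against what other data could realistically be combined with the output.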
Deleting Electronic Data
It is important to keep in mind that simply deleting data will not necessarily remove it from a storage device such as a hard disk. The deletion often occurs only at the software level, but until the physical part of the disk is overwritten with new data, the magnetic storage itself remains unchanged. Even once data has been overwritten, erasing electronic data beyond recovery can be difficult without physically destroying the storage medium, as sophisticated data recovery tools can be used to restore data even where it has been overwritten in some cases. However, unless the personal data is highly sensitive (most likely to a degree that would not affect SMEs), deleting the data in the normal way is likely to be sufficient.
Options for deleting data stored electronically include:
Physical destruction of storage media – this is ideal for removable media such as CD and DVD ROMs, but for devices such as hard drives, this can be an expensive option. Extreme methods include physically grinding hard disks to dust; however, this is likely to be unnecessary for the types of data handled by SMEs.
Secure deletion – rather than simply deleting data, this method involves overwriting the sectors of the disk on which the data was stored with new data. The more ‘passes’ that are made, the more secure the deletion. Typical methods range from a single pass of zeroes, to seven passes of randomized data. It is important to be aware, however, that this method of deletion is not always an option with newer forms of storage such as SSDs and hybrid drives due to the way in which they store data. Many SSDs have their own secure deletion software, and increasingly, there are third-party applications available; however, if full and secure erasure is something you wish to consider, this is a factor to keep in mind when choosing your storage devices.
Other methods include restoring a computer or device to factory settings and/or formatting the drive. It is important to be aware, however, that unless such methods are combined with secure deletion, they will not offer any more security than simply deleting the individual files concerned.
Such methods are important for highly sensitive data, but in most cases, particularly for SMEs, what is realistically important is putting the personal data ‘beyond use’. Guidance from the Information Commissioner’s Office defines ‘beyond use’ as follows:
The ICO will be satisfied that information has been ‘put beyond use’, if not actually deleted, provided that the data controller holding it:
is not able, or will not attempt, to use the personal data to inform any decision in respect of any individual or in a manner that affects the individual in any way;
does not give any other organization access to the personal data;
surrounds the personal data with appropriate technical and organizational security; and
commits to permanent deletion of the information if, or when, this becomes possible.
Clearly, then, the more permanently you can erase data, the better; however, you are not expected to take an angle grinder to your server’s hard drive or microwave your USB sticks. As the Information Commissioner’s Office guidance on deletion clearly states (emphasis added):
‘If you delete an item to your recycle bin, perform a ‘quick format’ of your hard drive or perform a factory reset of your device, you will be typically deleting data. However, data recovery experts can restore this data. Even with that said, data deletion is generally an adequate method of removing personal data from a device in most situations.’
In short, therefore, selecting the data you wish to delete, deleting it, and emptying your Recycle Bin or Trash, will generally be sufficient, particularly for SMEs handling comparatively low-risk personal data. Nevertheless, if there is any doubt, specialist advice should be sought and there are many specialist service providers who offer secure erasure services at a range of levels.
Disposing of Physical Records
While much information used in business is now stored electronically, paper records still exist, more so in some contexts than others. Despite many predictions of the paperless office over the past few decades, it is yet to become a reality for many.
With so much emphasis on secure electronic storage and subsequent deletion, it can be easy to overlook paper records; however, while these may not be as easily compromised as electronic data, the same rules apply.
Even in cases where your primary form of personal data storage is electronic, it will be important to keep track of printed copies and to ensure that such copies are destroyed safely when their electronic counterparts are deleted. Managing hardcopy personal data should be considered as part of your broader data protection compliance and included in your Data Protection Policy and/or Data Security Policy.
When the retention period is up for a particular data record, any hardcopies of it should be safely disposed of, taking care to avoid any personal details being recognizable after disposal. It is, therefore, logical to assume that simply throwing the paper into the recycling bin will not be sufficient. At the very least, physical records incorporating personal data should be shredded.
When selecting a suitable shredder, it is important to keep in mind that different levels of security are available, some in compliance with European DIN security levels which run from 1 to 6, with 1 being the least secure and 6 being the most. DIN 1, for example, shreds paper into strips a maximum of 12mm wide and will generally only be suitable for home use. At the other end of the scale, DIN 6 shredders will reduce paper to a particle size of 0.8mm x 4mm and are generally used for government and military applications. DIN 2 at a minimum, and preferably DIN 3, shredders are generally more suitable for business use, but specialist advice should be sought if there is any doubt.
Retaining Personal Data for Archiving, Research, or Statistical Purposes
As noted above, in some cases, an exception in data protection law allows you to retain personal data indefinitely if you are holding it exclusively for archiving purposes in the public interest; scientific or historical research purposes; or statistical purposes.
Such data must still be protected with appropriate technical and organizational safeguards including, if appropriate, pseudonymization. It is important to stress that if personal data is retained on any of these grounds, you will not be able to use it subsequently for another purpose.
Part 6. Conclusions
The key to most areas of data protection compliance is keeping track of personal data and your reasons for using it. This is particularly the case when it comes to data retention. Without suitable records and data management in place, it can be all too easy to hold onto personal data for far longer than it is needed. In a vacuum, this would not affect anyone, but the longer data is kept, the more likely it is that it could be compromised, lost, stolen, or even simply be rendered inaccurate by the passage of time.
Setting clear time limits for the retention of personal data and regularly reviewing those time limits is of paramount importance. It is also vital not to fall into the trap of hanging onto data ‘just in case’ it could be used in the future for something else.
A Data Retention Policy which not only itemizes the personal data collected, held, and processed by your business, but also sets out what is to be done with that data when you no longer need it, is a valuable piece of documentation which will be helpful at both the practical level, and in demonstrating compliance with UK data protection law and the all-important principles of the GDPR.