Key considerations for data retention policies

In the ever-evolving landscape of data protection regulations, data retention stands as a crucial aspect of compliance and risk management for organisations across industries. As businesses accumulate vast amounts of data, understanding how long to retain this data becomes paramount, not only to meet legal requirements but also to mitigate potential liabilities and optimise operational efficiency.

What is data retention?

Data retention refers to the practice of storing data for a specific period, guided by legal, operational and regulatory considerations. While the principles of data minimisation advocate for limiting the collection and storage of personal data, retaining certain information is often necessary for various purposes.

Why would an organisation retain people’s personal data?

Compliance: the UK GDPR and other laws may require organisations to retain data for specific periods for the purpose for which it was collected. For example, HMRC requires businesses to keep financial records in case of a tax audit.

Litigation and resolving disputes: data retention plays an important role in legal proceedings, as organisations may need to produce relevant information as evidence.

Business necessity: retaining certain data is essential for business operations, such as historical records for analysis, and customer service complaints.

Key considerations for data retention policies

Effective data retention requires a comprehensive understanding of regulatory requirements, industry standards, and organisational needs. Some key considerations are:

1. Data classification

A data retention policy might set out what type of data is collected, why it is collected, and where it is stored. Not all personal data is equal. Classifying data based on its sensitivity, importance and regulatory requirements enables organisations to tailor retention periods and security measures accordingly. The UK GDPR singles out some types of personal data as likely to be more sensitive and gives them extra protection. These are known as ‘special categories of personal data’, and they include ethnic origin, religious beliefs, political opinions, trade union membership, genetic data, biometric data, health data, and sex and sexual orientation data.

2. Retention periods

Organisations should be clear on how long they will keep different types of personal data and their reasons for storing the data to begin with. The ICO allows organisations to store personal data indefinitely if they are holding it for public interest reasons. Organisations must not keep personal data for longer than it is needed.

3. Access controls

Only authorised personnel, such as data administrators or designated compliance officers, should have access to personal data stored, while other employees may have access to non-sensitive operational data relevant to their duties. A data retention policy should state who has access to stored personal data.

4. Transparency and accountability

Organisations should communicate their data retention policies clearly to employees, customers, and any affected third parties. Demonstrating accountability instils trust and confidence in the organisation’s commitment to privacy and compliance.

Other considerations

Anonymisation and pseudonymisation

The requirements of the UK GDPR and the Data Protection Act 2018 apply to organisations that process personal data, meaning information about an identified or identifiable natural person. Truly anonymous data therefore does not fall within the category of personal data. Where it is possible to anonymise personal data, organisations should consider doing so, as it can be a powerful strategy for enhancing privacy protection and compliance. By transforming personal data into anonymised or pseudonymised formats, organisations can mitigate the privacy risks associated with long-term data retention.

Employee training and awareness

Educate employees about the importance of data retention, security protocols and compliance requirements. Provide training on data handling and best practices, and empower employees to identify and report potential security risks or compliance violations.

If your organisation needs help drafting a data retention policy or employee training on data protection requirements, contact our Data Protection team here.

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
