Companies that are still struggling to come to terms with GDPR’s rules on data retention have been given a helping hand with the publication of a new set of guidance from the Data Protection Network, the independent organisation set up by privacy professionals.
The Data Retention Guidance is designed to fill a much-needed gap in the Information Commissioner’s Office’s official advice, and aims to demystify compliance by providing a clear step by step framework.
GDPR - and the UK Data Protection Act 2018 - state that “personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed".
However, there is no set time limits and each industry has its own data retention needs.
HMRC, for instance, stipulates that companies should keep employees’ information for three years from the end of the tax year they relate to. For financial records, the Financial Conduct Authority handbook states different retention requirements, depending on the type of data that is held, and this could be anywhere between three to ten years. Meanwhile, for the marketing industry, many believe data should be repermissioned every six to 12 months.
The DPN guidance been written by specialists from a broad range of organisations and sectors, and provides templates for different categories of data such as employee, marketing, and insurance records.
Case studies show the approach taken by organisations in the travel, charity and construction sectors.
DPN Data Retention Working Group chair Robert Bond, a partner at Bristows LLP, said: "The DPN has worked hard to publish a practical guide to a complex and evolving topic. It provides a set of tools to help with transparency and accountability in data retention.”
Matthew Kay, data protection officer EMEA at Thomson Reuters, added: “The DPN has continued to grow since its legitimate interest guidance and now an increased spectrum of industries have come together to produce a pragmatic toolset. Once again I’ve been delighted to play a role in this helpful steer for organisations handling the challenges of data retention."
The Data Retention Guidance is published here>