My Data Protection Diary: 5 Top Practical Retention Tips!
Welcome Spring and welcome to the new instalment of 'My Data Protection Diary'!
If you're wondering what today's topic is going to be, imagine it as sparkling, informative and clarifying ... because I guess you're ready for the Storage Limitation and Data Retention Schedules you deal with on a regular basis?!?!
If not... grab your cup of tea and enjoy the top 5 tips I asked Kellie to share during my afternoon session with her.
Before sharing our top tips on this topic, let's be clear about what we mean when we use these two terms:
Storage limitation is the principle in GDPR you must comply with - you must decide how long you'll keep data.
The Retention Schedule is the tool that documents how long you keep each set of data as a reference and to support your decisions to destroy or retain data.
The General Data Protection Regulation mentions retention:
Article 5 (1) (e) of the GDPR says:
"1. Personal data must be:
(e) kept in a form that allows the identification of data subjects for a period not exceeding that necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods to the extent that personal data will be processed exclusively for archiving purposes in the public interest, for scientific or historical research or for statistical purposes."
Article 25 of the GDPR says:
Data protection by design and default further requires that ‘the controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.’
After this little introduction, Kellie it is now your turn... What are the top 5 essential tips for a Retention Schedule?
K.P.: I love this topic, and I'm ready to define the 5 essential top tips for Retention Schedules:
- Categorise your personal data, understand what type of data you are collecting (e.g., marketing data, human resources information, finance data, etc.). Also define how to categorise your data (e.g., by function, individual type, or country / region, etc.)
Determining the type of data you are collecting will help define your ideal retention period.
- Consider your Supply-Chain. As a Data Controller: where you use data processors, you need to make sure there are clear contractual instructions for when the data retention period ends. As a Data Processor: you must make sure that you can implement the retention schedule instructions. You must remember to consider data retention when outsourcing a task to a sub-processor. Be mindful of the impact retention periods have on your supply chain.
- Plan your spring cleaning. Schedule an effective check every year that allows you to make sure that the data you are collecting in your organization is in accordance with the purpose for which you collected it and that it is in line with the retention period.
- Secure data disposal. At the end of the retention period, make sure that the destruction of information is carried out safely. For some types of data, this may mean using external providers, who must be GDPR compliant to ensure that your data is destroyed in a timely and secure manner. Make sure you get a certificate that the destruction has been done in compliance with the requirements of GDPR. Otherwise, the risks to you could be high. Watch our webinar for more information on this topic: https://www.dbxuk.com/webinars-2020/practical-retention
- Make sure your employees are well trained. It is essential that your staff are aware of how data must be processed, what data can be collected and how long it should be kept for. Human error is still among the major causes of data breaches within an organization. Making sure your team are well-trained in managing personal information in relation to their role can greatly reduce the risk of breaching the law. If you need support with your team, look here for training tailored to your team and full of practical advice: https://www.dbxuk.com/training/data-retention-training
G.P.: Thanks Kellie for these useful top tips that will help people focus on issues of data retention within their business.
These 5 top tips should be part of your data protection approach and will help you answer the question "how long can we keep personal data?"
If you have any questions, do not hesitate to contact us; we are here to offer our support to you and your organisation’s approach to data retention.
See you soon, Giulia xx