The General Data Protection Regulation (GDPR) has been in force for over four years, and many are now well aware of its seven core principles. One that is often overlooked is storage limitation, which requires that personal data must not be kept for longer than is necessary. Depending on the size and data protection compliance maturity of your organisation, you may already have a solid Data Retention Schedule in operation; for others, there is still much work to be done. In this article we explain the benefits a good retention schedule provides and show how storage limitation practices can lower certain risks.
When you hear people talk about storage limitation, you will more often than not hear them mention the Data Retention Schedule. In accordance with the principle of transparency, controllers must inform the data subject about their retention periods, and these are often recorded within a specific Data Retention Schedule. This is also an essential document which provides staff with guidance on the duration of the storage for each record in the organisation.
Below, we outline the steps required to build a well-developed Data Retention Schedule. First, however, it is worth outlining the many benefits of implementing one. A well-designed process using a risk-based approach can contribute significantly to good data governance practice. Additional benefits include:
- Compliance – helps prevent regulatory action such as fines or investigations
- Reduced costs – policies for data retention and disposal can reduce storage costs
- Cleaner, more accessible data – reduced search and retrieval time for records, especially in the event of a Data Access Request or legal case
- Improved disaster recovery – documented provisions for backup and recovery support recovery after an incident
- Protection of documents – both physical and electronic documents are less likely to be damaged or lost while managed efficiently under a Data Retention Schedule
- Fewer data breaches – less data, better managed, means fewer breaches and less harmful ones, because data that no longer exists cannot be exposed
- Declutter / easier to locate – removal of unnecessary records declutters both physical and electronic storage areas and leaves the necessary data easier to locate
Prior to developing your organisation’s Data Retention Schedule, there are several core considerations to make. Data is often used across multiple teams, and different teams have different data needs, so your first step is to ensure you have input from all stakeholders: at least one representative from each team should contribute to your Data Retention Schedule. Additionally, you must take into consideration the various types of records you hold – different types of data serve different purposes and should be held for different periods. To determine the retention period for each type of record, you will need to consider why you are retaining the data. Is it because you have to comply with a particular legislative requirement? Do you need to retain it to defend a legal case? Or is it simply for business needs?
When it comes time to develop your Data Retention Policy, the key considerations and steps to follow are:
- Gather a team consisting of a representative from each department processing personal data.
- Sort your data based on your priorities, asking yourself questions such as:
  - Have we identified all the data, including data stored offsite?
  - Do we need to retain the data at all?
  - What is the purpose of retaining the data?
  - What is the shortest, yet most practical, retention period?
- Establish which regulations govern the data, and sort the data and its retention periods according to these rules.
- Develop your Data Retention Schedule based on the above considerations. A table is a good way to display the retention information you need to communicate. Ensure you specify how long the data should be kept and whether it should be archived or deleted at the end of that period. A sound Data Retention Schedule should communicate the following:
  - Record type
  - File examples
  - Trigger, e.g. the end of the current financial year or the publication date of a document
  - Retention period
  - Rationale, e.g. legislation or business need
  - Action to be taken at the end of the retention period
- Create a set of Standard Operating Procedures (SOPs) around data retention, archiving and destruction for employees to follow.
- Choose a team of employees, ideally representing each department, to manage the retention process.
- Communicate your Data Retention Schedule to all employees and ensure they are appropriately trained to keep the data compliant.
- Remember that the Data Retention Schedule will evolve over time due to changes in legislation and, of course, your business needs. Consider it a live document and review it regularly.
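To show how the schedule table above can drive the end-of-period action rather than sit on a shelf, here is an added Python example (not code from the original article or from Trilateral) that models one rule per record type with the trigger, period, rationale and action columns, computes each record's disposal date, and reports records whose type has no rule instead of silently skipping them. The record types, periods and dates are constructed placeholders, and the financial-year trigger assumes a year ending 31 December.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class RetentionRule:            # one row of the Data Retention Schedule table
    record_type: str
    trigger: str                # "event" (e.g. publication date) or "fy_end"
    retention_years: int
    rationale: str              # legislation or business need
    action: str                 # "archive" or "delete" at the end of the period

@dataclass(frozen=True)
class Record:
    record_id: str
    record_type: str
    trigger_date: date          # when the trigger event occurred

# Constructed schedule and inventory: the periods are placeholders, not legal advice.
SCHEDULE = {
    "invoice": RetentionRule("invoice", "fy_end", 6, "tax legislation (placeholder)", "archive"),
    "cv_unsuccessful": RetentionRule("cv_unsuccessful", "event", 1, "business need (placeholder)", "delete"),
}
RECORDS = [Record("INV-001", "invoice", date(2015, 5, 10)),
           Record("INV-002", "invoice", date(2017, 2, 3)),
           Record("CV-17", "cv_unsuccessful", date(2021, 3, 15)),
           Record("MEMO-9", "internal_memo", date(2020, 1, 1))]   # no rule for this type

def add_years(d: date, n: int) -> date:
    try:
        return d.replace(year=d.year + n)
    except ValueError:          # 29 February landing in a non-leap year
        return d.replace(year=d.year + n, day=28)

def disposal_date(rule: RetentionRule, record: Record) -> date:
    """Clock starts at the trigger; 'fy_end' assumes a financial year ending 31 December."""
    start = record.trigger_date
    if rule.trigger == "fy_end":
        start = date(start.year, 12, 31)
    return add_years(start, rule.retention_years)

def due_actions(records, schedule, today: date):
    """Expired records as (id, action); a record with no matching rule is reported, not skipped."""
    due, uncategorised = [], []
    for r in records:
        rule = schedule.get(r.record_type)
        if rule is None:                        # mis-categorised record: one of the pitfalls
            uncategorised.append(r.record_id)
        elif disposal_date(rule, r) <= today:
            due.append((r.record_id, rule.action))
    return due, uncategorised

def run_example():              # one retention review on a constructed date
    return due_actions(RECORDS, SCHEDULE, date(2022, 6, 1))
```

The uncategorised list is the output to act on first: a record with no rule has no retention period at all, which is exactly the gap a review of the schedule should close.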
There are plenty of pitfalls that can be encountered with any Data Retention Schedule, such as:
- Accidental deletion or destruction of records
- Incorrectly categorised records
- Incorrectly interpreted retention periods
- Lack of allocation of responsibility
These can all be reduced or eliminated completely by ensuring you communicate a clear and concise Data Retention Schedule to employees and provide adequate training.
Overall, it is clear that a solid Data Retention Schedule is more than a nice-to-have tool: it is essential in order to comply with regulation, avoid legal risks and ensure a smooth workflow.
Trilateral’s Data Governance and Cyber Risk Team has extensive experience supporting organisations undertaking complex projects to comply with their data protection obligations. We offer a range of data governance services, including compliance support and advice and practical guidance surrounding the development of a Data Retention Schedule. Please feel free to contact our advisors, who would be more than happy to help.