Depending on the size and data protection maturity of your organisation, retention periods may be agreed on paper but not yet fully implemented. In this article, we will look at the benefits, potential pitfalls and solutions in the process of integrating and embedding effective data retention policies and procedures.
In accordance with the principle of transparency, controllers must make available information on retention periods to the data subject. Because of this, it is critical to ensure that data retention policies are appropriate to support the organisation’s key activities and reflect accurately what is held and for how long.
What are the benefits of implementing a Data Retention Policy?
Although it may seem like a daunting activity, a well-designed process using a risk-based approach can contribute significantly to good data governance practice. These benefits include:
- Better data ownership practices and oversight
- Reduced costs for electronic and manual storage
- Preventing regulatory action such as fines or investigations
- Reduced search and retrieval time for records
Trilateral Research’s compliance support services can support the development and implementation of a data retention policy.
What are the Key Considerations When Developing Data Retention Policies?
In general, when developing data retention processes, the first key elements to consider are the following:
- Do we need to hold it in the first place?
- What is the purpose of retaining the data?
- What is the shortest yet practical retention period?
- Can retention periods be automated?
- Is the process for manual deletion designed to ensure timely deletion?
- Have we identified all record types, including those held in offsite storage?
- Do any records fall under any applicable exemptions from GDPR?
- Are any records being held indefinitely without a valid and documented justification?
- Have we updated our supplier contracts and directly instructed them to delete, destroy or return personal data within specific timeframes?
Things to Consider During the Development Process
However, once the relevant policies have been established to govern the data retention process, the rollout and potential impacts must be considered, such as:
- Who will be responsible for enforcing and overseeing the implementation?
- How can the process be engineered to prevent mistakes?
- Do we have checks in place to prevent data loss and accidental deletion?
Many of the pitfalls of data retention can be avoided by planning how the process will work in practice, particularly at first ensuring there are sufficient safety nets to prevent loss of data and to make sure adequate training is provided.
Pitfall 1. Accidental deletion or destruction of records
- Especially when rolling out new data retention schedules, ensure that there is an approval process to check what is being deleted or destroyed. This process should be adapted to take into consideration the risk associated with the data and the scale of the processing activity. It should also consider how sufficient checks can be developed for a process that involves high and low volumes of data.
- Check-in with a DPO to determine there are any relevant legal obligations, guidelines or supplemental legislation that may inform certain retention schedules such as national archiving acts and sector-specific retention requirements.
Pitfall 2. Incorrectly categorised records
Ensure that all exemptions or special considerations have been taken into account before determining retention schedules, including:
- Whether a record must be retained for archiving, and;
- Whether the record is of public, journalistic or academic interest.
- Ensure that you have correctly identified which records must be kept for pension purposes and which do not need to be kept for the lifetime of the pension scheme.
- Trial run the application of the policy to identify any existing gaps or provide additional clarifications where confusion arises.
- Provide training and allocate at least one person from each team to be responsible for checks and clarifications.
Pitfall 3. Incorrectly interpreted retention periods
- The trigger of a retention period, such as the end date of a contract or the creation of a document can often be incorrectly interpreted or miscalculated. Training, oversight and quality check processes can help mitigate this issue.
Pitfall 4. Lack of allocation of responsibility
- Identify and document the process or record owner and make sure that their responsibilities are clearly communicated.
- Conduct checks and audits to identify gaps in ongoing upkeep of records.
Essentially, the key elements to improving your deletion and destruction processes lie within creating a bespoke set of processes that not only comply with the law but also create safety nets to prevent common issues that may arise.
If you would like to discuss how best to develop your data retention strategies please refer to our list of services or get in touch with one of our advisors for support on your compliance journey.