LawBite’s Countdown Checklist for GDPR | Part Five

It’s the penultimate week before all the talk about GDPR becomes a reality. Last week I covered data accuracy and this week I’m covering the last of the information standards - it’s time to take a look at principle 5 of the GDPR. Principle 5: The Storage Limitation Principle GDPR states that personal data should be ‘kept in a form which identifies data subjects for no longer than is necessary for the purposes for which it is processed’. Put simply, you need to think about why you are holding data (your purpose) and how long you reasonably need to hang on to the data. It’s important to ensure that personal data is deleted or disposed of when it is no longer required, reducing the risk of it becoming out of date or inaccurate. Compliance with storage limitation lends itself to compliance with the other principles governing information standards; data minimisation (principle 3) and accuracy (principle 4). GDPR introduces certain exceptions to this rule however e.g. longer retention periods will be acceptable where personal data is being processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to appropriate technical and organisational measures being in place in order to safeguard the rights and freedoms of the individuals affected. So, how do you go about assessing what is a reasonable length of time to store personal data? The legislation does not set out any specific minimum or maximum periods so as an organisation you should take a reasoned approach and look at the purpose or purposes for which the data is held, the current and future value of data, the costs associated with retaining it and how easily it can be kept up to date and accurate when determining a retention period. Remember that different retention periods may be appropriate for different types of information. You should document these periods in a retention policy and make sure you also cover deletion schedules in your privacy policy. None of this is materially different to the position under the existing Data Protection Act 1998 however GDPR is a great opportunity to revisit and revise data retention policies. GDPR introduces a higher level of accountability so it requires organisations of all shapes and sizes to take their data handling responsibilities more seriously. Most organisations will already be following the basic principles of good data handling but may not have gone so far as to think in detail about (and document) why they hold data for certain periods or may even be holding data indefinitely without any justifiable basis to do so. The benefits of having a well written and documented retention policy are two fold: firstly, it is important that staff handling personal data know what is expected of them and the standards they are required to meet and secondly (in the event of any complaint or investigation) it provides something to produce to the ICO. It doesn’t need to be a complicated process – as we all know by now GDPR simply wants us to be clear and concise – so stick to the facts of what you are doing, and why! Coming up next week: Principle 6 – The Integrity and Confidentiality Principle….see you deadline week To consult with the Lawbrief lawyer Jessica, please submit an enquiry for a free 15-minute consultation or call the dedicated GDPR Hotline 0845 241 1843. For clients who need last minute help with compliance there is a special GDPR Rescue Package. As well as 12 GDPR compliant templates the package contains a 30 minute GDPR audit consultation and 2 hours of specific GDPR legal advice for only £495 + VAT (versus £675 + VAT). To find out more please click here.
 
          Journey further... 
LawBite’s Countdown Checklist for GDPR | Part One LawBite's Countdown Checklist for GDPR | Part Two LawBite's Countdown Checklist for GDPR | Part Three LawBite's Countdown Checklist for GDPR | Part Four How LawBite works LawBite GDPR Rescue Package