A Brief Discussion On Data Retention

Sometimes one of the hardest things is letting go… (of personal data). This maxim seemed to resonate with many organisations who keep data indefinitely “because it could be useful someday.'' 

Under the GDPR and previous data protection acts, the approach of holding data forever will not stand up and may very well be illegal. Data retention is a complex and varied area so I will not be able to deal with it in one article but we look at starting your data retention journey on the right note. 

Firstly, the GDPR does not say how long you should keep specific types of data. However, the GDPR’s Article 5 data protection principles are a good place to start.

In short, the principles state you need to process (that includes storing) personal data lawfully, fairly, and transparently. Therefore, if you have no lawful basis for retaining personal data or you are covertly collecting/storing data unbeknownst to the data subject you could be breaking data privacy law. Also note that child protection issues, legal cases or access requests ongoing could prolong your legally permitted retention of data.  

The principles also state you must store data securely and confidentially, limited to the purpose collected for. Therefore, when processing data (this includes storing) it should not be excessive. 

The principles also ask that personal data be stored for only the amount of time for the purpose that you need it. In addition you need to be accountable and that can mean, not only that you know where data is stored through a logical filing system, but you know and can explain where its stored both to staff and data subjects so they are informed, know their rights, responsibilities and why you would be retaining it.

Article 30 of the GDPR asks for organisations of a certain size to maintain a register of processing activities. In my opinion this is a good approach, regardless of the size of your organisation. The creation and maintaining of a register of processing activities (also known as a data flow map) will allow you (as data controller) to know what you have, why you have it, under what legal basis, what security is in place and for how long you keep it amongst other things. 

This data flow map can be the foundation of an organisation’s approach to recording the exact documents and the legal basis or purpose which will in turn determine the length of retention. In some organisations, the retention schedule is the register. I would recommend having both a data flow map to record the why and how of the processing of personal data as per the article 30 requirements and have a separate granular retention schedule document that is very granular on the exact document types that contain personal data, how long you keep them under what basis, exemptions and disposal methods. 

With different data comes different responsibilities. For the retaining of special category data (like ethnic or health data) will require both a legal basis and the special conditions condition to be present, as laid down in Article 9 of the GDPR. If you are storing health records and you are a healthcare provider you may satisfy both the legal basis and the special medical condition but that does not mean you can keep the data indefinitely unless that is what the patient or law requires. Again, check the legal basis, laws around this area and sectoral practices. The holding of special category data carries risks if breached. Put the patient / data subject front and centre of your approach. 

Finally record storage will only be as good as those carrying it out. For staff to properly manage records they need a useable relevant policy and procedure that reflects the exact needs of their record management and data processing. These documents can take time to create and will draw heavily from your data protection audit outcomes, your data flow map details and the legal parameters of your business / sector.

There is far more to storage / data retention that could be dealt with in one article but I would encourage the following:

  • Check the personal data you are storing and review that it is not excessive – for example sometimes documents required when a person is working at your Company may not be needed to be retained after they have left your employ.  

  • Do an audit on your data processing – this will give you a current view of not only the processing you carry out but also of the data you need to retain

  • Know the legal obligations for the personal data you hold and understand the specific laws and the exceptions for transfer or retention.  

  • Have a retention schedule: this document is invaluable as an evolving resource to maintain a consistent approach to record management by all stakeholders. 

  • Have a records management policy that is relevant to your Company’s work and data processing needs. A good policy should be useable by staff, understandable and enforced. 

  • Train staff from induction in data protection and your specific retention policies. 

  • Manage your suppliers (processors) especially those who provide archiving, IT or disposal with comprehensive data processing agreements. This will mean both parties are satisfied with the processing provided.  

Enguard can assist with the issues you encounter on your GDPR compliance journey from audit, security, staff training to drafting policies and procedures. We provide re-audits and training updates specific to your needs. For further details please call us at Enguard on 0818 252 052 or email info@enguard.ie. We would love to hear from you!


Disclaimer: Please note the above article is an opinion piece based on current sources of information available at time of publishing. It should not be read as legal, clinical or other form of technical advice for the processing of data by processors or controllers. 

Kenneth Baker