Data retention policy solicitors

On 25 May 2018 the General Data Protection Regulation (GDPR) came into force. The GDPR ushered in a number of changes to data protection, including new requirements for organisations to deal with around data retention.

What is a data retention policy?

A data retention policy is a document which sets out how an organisation classifies and manages the retention and disposal of its information. A data retention policy will usually cover all types and formats of data, including hard copy and electronic documents, emails, records, and digital media. Data retention policies also generally cover data that is held by third parties on an organisation’s behalf, such as cloud storage providers or offsite records storage.

Why do I need a data retention policy?

To comply with data protection legal requirements, an organisation needs to establish and document standard retention periods for different categories of information held. It is also advisable that organisations have a system for ensuring that these retention periods are kept to and are reviewed at regular intervals.

How do I create a data retention policy?

The data retention policy itself will set out the guiding principles for records management and data retention. The policy will, for example, set out the roles and responsibilities of those at the organisation and classify the types of data that they might encounter.

The actual time periods for retention will then be set out in a record retention schedule. This schedule will list the categories of documents that employees typically create and receive, as well as those that they infrequently handle. The record will then set out the retention period and explain the reason behind it.

What time limits should I include in a data retention policy?

Organisations should be aware that there are legal and regulatory requirements to retain certain data for a specified amount of time. A member of staff’s passport details, for example, must be kept for two years from the date on which they leave if the passport details were collected as evidence of that individual’s right to work in the UK. For other retention periods it may be useful to consider any relevant industry standards or guidelines, or whether you may need to keep information to defend possible future legal claims. You must also remember to take a proportionate approach to setting retention periods and ensure that your policy does not disproportionately impact on an individuals privacy.

Our data retention solicitor Neil Williamson will help you if need any assistance with drafting your data retention policy or if you simply want advice around how to put your data retention policy together.