Where do you start?
GDPR Retention is a myth. Are you looking at the Accuracy Principle (Art 5(1)(d)) and the Storage Limitation Principle (Art 5(1)(e))? Are you wondering how to start updating your retention schedule? Stop right there! You’re already way ahead of a lot of organisations. In relation to records management, the GDPR principles are not materially different from the existing principles under the 1995 Directive.
I’m often asked if the NHS Code of Practice for Records Management 2016 or the IRMS Schools Toolkit V5 is being updated in line with GDPR. My response is: what part of it would you like to be updated? That inevitably leads to tumbleweeds… The only thing that may need to change is where the 1998 Act is mentioned. GDPR also gives you the ability to retain data for longer for research purposes. However, all retention periods in a retention schedule are minimums and are subject to review. Therefore published retention schedules are very unlikely to change in the near future because of GDPR.
GDPR Retention – How long should you retain data?
GDPR does not set out any specific minimum or maximum periods for retaining personal data. Instead, the ‘Accuracy Principle’ says:
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
Combined with the Storage Limitation Principle (Art 5(1)(e)), in practice this means that you will need to:
- review the length of time you keep personal data;
- consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
- securely delete information that is no longer needed for this purpose or these purposes; and
- update, archive or securely delete information if it goes out of date.
GDPR Retention Schedules
When creating a retention schedule, the dates you give are a guideline for when you expect to destroy the information. Like any sensible professional, you must review records before automatically destroying them, because you may find that they are active again, have a further purpose or have historical importance.
This isn’t to say that you should ignore retention scheduling. Make sure you have a schedule! Start with the free resources that I mentioned above. Even if you aren’t a school or an NHS body, you will certainly have corporate records with the same retention periods. As a result, you only have to focus on getting the retentions for your actual service/specialist area. I’m part of the authoring team for these documents and I highly recommend them as a starting point. If you start on your policy the rest will follow.
You create a retention period by observing any statutory, legal instrument or regulatory requirements. The next step is to assess whether a record should be kept longer because of business or historical importance. In relation to historical importance, professional archivists or records managers can help you to assess this.
Once you have a completed schedule, please make sure it has an escalation point and is signed off by senior management. The organisation needs to agree which records are extremely important and are worth keeping.
The Right To Erasure
Whilst we’re on the topic, organisations should obviously consider the expanded set of rights data subjects enjoy under the GDPR. I’ve been on the unfortunate end of a very strange HR webinar in which the delegates were told to delete HR data if requested. They did not mention exemptions, which caused people to flap… Just because there is a right to erasure doesn’t mean it’s granted. Otherwise, everyone would be asking the police and HMRC to get rid of any data about them. People can ask, but that doesn’t mean it actually has to happen.
Erasure (Article 17) applies fully where the legal basis for processing is consent. It only partially applies to Contract Necessity, Vital Interests, Legitimate Interests and Member State Law. It does not apply to Legal Obligation or Public Interest processing. There are also exemptions from erasure, including:
- freedom of expression
- archiving for public interest
- archiving for scientific/historical/statistical research and/or legal claims (also see Article 12).
It only partially applies in situations where the records are no longer necessary, the records are irrelevant, they are out of date, they are being unlawfully processed or you have a legal obligation to erase them.
Just because someone requests erasure, it doesn’t mean it actually has to happen. People should stop looking for updated retention schedules and put existing ones into action. Focus on getting authorisation to destroy records that are past their retention period. Don’t keep records ‘just because’. Sometimes it’s a case of ‘out of sight, out of mind’ in offsite storage.
GDPR should stand for Good Documented Practice (with) Records. So here is your opportunity to sort the records management out in your organisation. To be compliant with GDPR you should know what you have, why you have it and how long you need to keep it.