Many people experience problems with retention. Whether that's information retention or employee retention. For some, hanging on to things can prove troublesome at the best of times. Data retention is no different.
The GDPR mentions right from the outset that organisations have a responsibility to retain data for "no longer than is necessary" for the purposes it was collected.
"Personal data shall be...kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed" - GDPR text, Article 5 (1)(e)
Surely, there's room for confusion here. What does "no longer than is necessary" really mean? What about when we no longer need that data? Do we then need to get rid of data (meaning jettisoning it from our systems) after the period of necessity has elapsed?
There's more to the article above than meets the eye, so let's pull this apart.
"Personal data shall be...kept in a form which permits identification of data subjects..." - The scope that is defined here states that we should be concerned primarily about data which can identify data subjects. That is, individual human beings ('natural persons' in data protection speak). The GDPR text later mentions retaining data in other forms and data that does not identify a data subject, but we'll get in to that later on. If you can identify a natural person from your data and/or any other information which is likely to come into your possession (much like a customer record in any standard CRM system) then you should be mindful about how long it is retained.
"...for no longer than is necessary..." - Now we come to the belly of the beast. What is truly necessary, and what does this mean in real terms? The good news is that the GDPR text is not prescriptive as to define how long 'necessary' really is. That would be silly, as all organisations are different and there can be no 'one size fits all' approach. It's down to you to determine what kinds of data you hold (customers or prospects, active or lapsed) and how long it's necessary to hold on to each bit for.
"...for the purposes for which the personal data are processed" - Returning to that wonderful concept of scope for a minute, data is collected and processed for specific purposes, whether that is to fulfil an order, keep someone up to date with news and goings-on with your organisation, or to maintain the smooth running of a service. As you collect data for specific purposes, you are best placed to make the call on how long you need to keep that data (in a form that identifies a data subject) to serve those purposes and those purposes alone.
You may need to have different data retention periods depending on the purpose for which you are keeping the personal information. For example, if I have bought some goods and services from an organisation in the past, the organisation may decide it will only keep that personal information for seven years after the date or purchase in line with the maximum period under which I can make a contractual claim. However if I then subsequently tell that organisation that I no longer want to receive direct marketing, then the organisation should add my details to their in house suppression file. The organisation would need to keep minimal information on the suppression file indefinitely for suppression purposes.
Now, a word about a couple of words which are on everyone's lips: anonymisation, and its close cousin pseudonymisation.
As we now know, data which identifies a natural person can only be kept for as long as is necessary. However, the GDPR text states that you can hang on to data "for longer periods" for a number of defined reasons, including "statistical purposes", if certain measures are taken to safeguard the rights of your data subjects. The text later goes on to explicitly state that one of these measures could be pseudonymisation, but anonymisation can work too.
Annoymisation involves data. So you do not have to worry about the data retention provisions in the GDPR. It is not commonly stripping out all references to the personal data of an individual so that it is impossible to re- identify an individual and the data therefore falls outside the definition of personal used in direct marketing as it defeats the main object of direct marketing which is to send targeted communications to particular individuals. It is however useful for example in large scale medical studies researching health outcomes over a long period of time where the focus is on the outcome rather than the individual.
Pseudonymisation is commonly used in direct marketing as a security measure. An organisation may decide to carry out some analytics on its database and decides to outsource this to a specialist analytics processor. In order to ensure that the analytics company cannot identify any individual on the databases, the organisation scrambles the database using a code. The organisation then gives the scrambled database to the analytics company. The analytics company carries out the contracted work on the database and returns the database to the organisation. The organisation then unscrambles the database using the same code. Because the organization can unscramble the database the data always remains personal information. Pseudonymous data is therefore always a subset of personal information.
Here are my top tips for thinking about, and for formulating a data retention plan within your organization:
1) Map out the pockets of data you hold
If you've recently conducted a data audit, this should be a piece of cake. What chunks of data exist within the rich soup that is your database? You may well have data on you customers and prospects, but also staff records and perhaps supplier records, too. Charities may hold data on their volunteers. Even then, you may have records which are 'active' (who have interacted with you within a reasonable period of time), lapsed, long lapsed and so on.
2) Think about how long you need to hold on to each data 'pocket' for
Think about what is useful to you and to your data subjects, as this forms the basis of how long it's necessary to hold onto data. When does customer data stop being useful? Is it a year after you fulfil an order to your customer, a year after a service subscription expires? Are there statutory implications to think about - keeping finance or tax records, for example? Charities that deal with legacy donations need to think especially long and hard about this one, as any donor could potentially leave a vital legacy donation one day.
Remember, there is no wrong answer. But it is down to you to justify exactly what is necessary for your organization.
3) Consider what to do with data which is no longer 'necessary'
Now you know what 'necessary' means for your purposes. Now what? You may even hold data that it's no longer necessary to hold. A vital part of the puzzle is understanding exactly what you do with this non-necessary information. If it's not going to be useful to you in the future, one option is deleting it altogether. However, if it would be useful to have some of that information available for statistical purposes, then you need to work out exactly how that data is going to be anonymized or pseudonymized.
Consider how this spring cleaning of your database will be carried out, and its frequency. If your organization is large enough to need a large database and has the potential for automated processing, you could execute your retention procedure fairly regularly. Smaller organizations with more modest databases and limited technical resources may carry out a retention procedure every month or every other month.
Again, there are no wrong answers. It's all about identifying what is reasonable for you, whilst keeping in mind the rights of your data subjects.
4) Write it all down
The biggest change between GDPR and what came before is the need to shore up on accountability. I've mentioned a few times that there are no wrong answers, but any answer must have some reasoning behind it that has been agreed beforehand. This will form the basis of your data retention policy, identifying different pockets of data, your retention schedule for each, and what to do with the data once it's no longer needed.
In the name of transparency, it may also be worth thinking about how you communicate this retention schedule with the outside world. You must tell individuals under the information provisions in Articles 13 and 14 of the GDPR how long you will keep their personal information. If you cannot specify exactly the time period then you must specify the criteria by which you will calculate the time period.
Data retention is a question of common sense and can be quite straight forward once you start laying the pieces down. No two retention policies will be exactly the same, but this can be an opportunity for you, to do what's best for your organisation and your customers.
If you are still unsure about how the GDPR will affect you and your business, or you need start practical preparations, check out the IDM's full GDPR training portfolio. Ranging from an entry level basics course to an expert level professional qualification, there is something for everyone no matter which part of the preparation journey you are currently at.
Contact our Learning and Development team on +44 (0)20 8614 0255 or email: email@example.com