We’re all guilty of holding on to things ‘just-in-case’. It’s like a comfort blanket… just knowing its there if ever needed makes us feel more secure. Its also a false comfort. When it comes to personal data, holding on to it without appropriate reason can put you more at risk than getting rid. By holding onto data or processing it needlessly, you put data subjects at risk. The GDPR is all about making sure you balance what you really need with the rights and protections of the individual. It’s not just that if you can’t justify holding it, you shouldn’t……if you haven’t justified it, it should already be gone.
For Guernsey businesses Data Retention Policies can be a lot more complex than following legal requirements. For example, in many cases beneficiaries of trusts will not know they are such. The processing of their information may be lawful (probably under contractual obligations/legitimate interests with respect to Principle 1 on the Lawfulness of Processing) but if they are only going to become aware of it at some date long into the future, what is the appropriate period of data retention? Trustees often face the risk of legal challenge in the exercise of their duties, but without knowing a case is in the works (in which case longer term retention is appropriate), how long should it be considered necessary in relation to the purposes?
To answer these questions, categorising the personal data processed becomes a necessity. This can be integrated with risk profiling where necessary in determining the data categories on which a Retention Policy is applied. While the old adage that ‘only you know what is right for you’ still applies, we should really be looking towards the Industry representative bodies though to provide indicative guidance. When dealing with long retention policies compared with other industries as seems likely; the increased risks associated with this are hopefully clear. .
Data subjects are put at risk of breaches for longer, making their likelihood of becoming the victim of a breach more likely. Those with better security (a subject for another day) will be able to better justify the retention periods on the basis of balancing the needs of the organisation with data subjects protected rights.
With a proper Data retention schedule in place, if you have good reason to hold something for longer than its predetermined period; the owner of it must recategorise it appropriately, documenting the reasons. Please note that this does not mean using it for a purpose other than that which it was initially collected.
This effectively ‘bolts on’ to the processing record linking retention and security at the final step (see below)
For help with getting your data retention policies right, please use the contact section