Many people ask us how long they should store data to be GDPR compliant. The very brief answer from the EU is: you must store data for the shortest time possible. This phrase, “shortest possible”, while certainly punchy, is sadly imprecise. This article attempts to shine some light on what it really means.
The obligation, or principle, of a limited retention time is already prescribed under the existing EU Privacy Directive 95/46. However, the change in GDPR is the requirement to expressly specify “the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period”.
Organisations are now required to state these retention periods explicitly to their customers, employees and suppliers.
Can we keep data just in case?
The first thing to note is that GDPR doesn’t permit keeping data “just in case”. Keeping Personal Identifying Data (PID) because of a concern that it may be needed some day for an as yet unknown reason is not acceptable. Or, in the words of the Irish Data Commissioner, organisations “… have no basis for collecting or keeping personal data that they do not need on the off-chance that a use might be found for it at a future date”.
The thinking behind the GDPR language is that personal data is valuable and should not be entrusted to anybody without good cause. Many businesses assert that what is being discussed is the property of the company and no longer the property of the individual. That may or may not be the case. Just note that GDPR goes a long way in rebalancing rights between individuals and institutions to put the individual in control.
What does the legislation say?
The exact wording in Article 5(1)(e) of the GDPR is that personal data “…is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed”. This is augmented by Recital (39), which doesn’t really add much clarity to the situation: “This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum”.
Given the lack of clarity in the original GDPR texts, it is a wonder that so many people claim that GDPR lays down exact rules for data retention. It should be clear that the GDPR simply lays down principles, and how those principles get translated into practice will take some time and many courtrooms to work out precisely.
A practical approach to GDPR data retention
Given the importance of the data lifecycle in GDPR, and the punishment for non-compliance, our clients can’t wait for exact rules to emerge. We need a system to figure out how long is sufficient to retain personal records under GDPR.
The personal data kept by an organisation should be sufficient to enable it to achieve one or more specified purpose(s), and no more. Organisations have to produce their own documents, or point to best practice elsewhere, to justify their choices. In these documents they set down specific criteria to judge what is adequate, relevant and not excessive, and they must apply those criteria to each information item and the purpose(s) for which it is held. To reiterate, organisations can be fined for collecting or keeping personal data that they do not need on the off-chance that a use might be found for it at a future date.
There are four items to consider when deciding on your company’s retention periods:
- Statutory retention periods
- Statutory limitation periods
- Individual business needs
- Data protection
These are listed in priority order, and should be considered in sequence.
Statutory retention periods
In many cases there is an existing statute requiring an organisation to retain data for a statutory retention period. These tend to be the clearest and carry the most weight, so it is worth considering them.
It is our understanding that many of these retention periods are in the area of employment law, such as this non-exhaustive selection:
- Payslips: 3 years (National Minimum Wage Act, Section 22)
- Parental Leave records and Force Majeure Leave records: 8 years (Parental Leave Acts, section 27)
- Hours worked and related information such as breaks, annual leave and public holidays: 3 years (Organisation of Working Time Act, 1997, Section 25, and the Organisation of Working Time (Records) (Prescribed Form and Exemptions) Regulations 2001)
- Accidents: 10 years from the date of the accident (Safety, Health and Welfare at Work (General Application) Regulations 1993, section 60)
Statutory retention periods occur in many other areas as well. Schools, for example, have to retain certain records under the education acts. Then there are the more esoteric examples, such as the European Communities (Animal Remedies) (No. 2) Regulations 2007 (as amended), SI 786 of 2007, Reg 30 (5) (e), which requires the holder of an animal remedies wholesaler’s licence to retain certain records for a period of 5 years.
What should be noted here is that these statutory retention periods give both a minimum and a maximum for data retention. For example, by stating that payslips must be kept for three years, the question must arise in the fourth year: why should the payslips be retained any longer? If there is no relevant limitation period or pressing individual business need, then the data protection principle kicks in and the data should be destroyed.
Statutory limitation periods
After statutory retention periods, the next most important reference point is statutory limitation periods. For example, the Statute of Limitations, 1957 provides for a limitation period of 6 years from the date of breach of contract. Therefore, employment contracts should be retained for a period of at least 6 years from the date of termination of the employment.
After the 6 year period, the organisation should move down the list to the next most important item and ask whether there is a business need or a data protection principle involved. If there is no good reason to retain the data, then GDPR insists that it be disposed of.
Individual business needs
Here an organisation might consider how long to keep data about a customer or client. If a customer periodically buys a product or service, a business may well keep an account or file on that customer just to simplify the process of serving that customer’s needs.
Then the question arises of what level of interaction the customer has to maintain to justify the business keeping data on the customer. Clearly, if the company delivers a newspaper on a daily basis to the customer’s home, then keeping the home address is required to fulfil the contract. But if the customer stops the delivery order, does that mean the address is never again required, or is the customer perhaps just away on holiday?
Each business needs to think about buying cycles and what is an appropriate period to retain personal data if there isn’t an ongoing relationship. Any business will have its own natural cycle and the best way for a company to protect itself is to document clearly its own practices.
You should pay particular attention to old information about former customers or clients, which might have been necessary to hold in the past for a particular purpose, but which you do not need to hold any longer. If you would like to retain information about customers to help you provide a better service to them in the future, you must obtain the customers’ consent in advance. The same applies to paper records. Good housekeeping would also dictate that you regularly review the need to retain records.
Crucially, all retention periods should be evidence based and the period chosen cannot seek to cover all possible eventualities where personal data may be useful to the business.
Increasingly, the Irish Data Protection Commissioner is publishing opinions about what is good practice. These opinions are available from their website and are remarkably readable.
For example, besides active and retired employees, most businesses will also have prospective or rejected candidates for employment. People who have no link to the organisation can e-mail in a CV on spec or respond to an ad. In the case of unsuccessful or unsuitable candidates, the organisation suddenly has personal data about individuals with whom it may not wish to have an ongoing relationship.
In this case the advice is quite readable: “In relation to the retention of recruitment records for unsuccessful candidates, we would consider a retention period of 12 months to be appropriate”.
Here the retention period is a balance between the individual’s right to privacy and the organisation’s desire to defend any potential claims for discrimination etc.
Similar advice can be found for CCTV, which is a perennial bugbear in the world of data privacy.
In GDPR, sensitive personal data has been renamed special data and has to be handled with extra care. Special data includes information in relation to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification purposes, and data concerning health or sex life or sexual orientation. Of special note to employers, special personal data includes an employee’s personal data relating to his or her membership of a trade union.
In order to handle special personal data, however, an organisation needs to satisfy at least one of ten additional conditions. If an organisation doesn’t meet one of the ten additional conditions, then the question of data retention doesn’t arise, as it will be legally prohibited from processing the sensitive personal data at all.
Also, given the notification obligations applicable in case of data breaches, it would be difficult to justify a data breach of personal data that was meant to be already erased. In this scenario, the risk of stiff sanctions from the regulator and large claims from individuals would become more probable than possible.
Once data retention periods have been determined, the organisation is halfway there. The organisation also has to put in place the technical and organisational measures necessary to ensure that it can actually implement the retention periods.
We expect that organisations will develop a practice of reviewing personal data on a regular basis, annually for example, and if there is no good reason for retaining such data, that such information, or any unnecessary element of it, will be routinely deleted.
In our experience this is easier with formal data sets in structured databases. The more difficult cases involve the deletion of individuals’ archives, and individuals’ desire to retain all the notebooks, emails, spreadsheets and Word documents they handle. Nevertheless, it is almost impossible to find reasons that will convince a regulator for having retained information that has ceased to be of any current use.
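As an added example, not code from the article or its authors, the following Python script applies the priority order described above (statutory retention, then statutory limitation, then documented business need, and failing all of those the data protection principle) to compute a retention end date for each record, and then runs the kind of periodic review just described to flag records that should now be deleted. The periods are the ones quoted in the article; the category names, anchor dates and sample records are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Retention periods in years from the article, grouped in its priority order;
# the anchor date is the date the period runs from (pay date, termination, etc.).
STATUTORY_RETENTION = {"payslip": 3, "parental_leave": 8,
                       "hours_worked": 3, "accident": 10}     # priority 1
STATUTORY_LIMITATION = {"employment_contract": 6}            # priority 2, from termination
BUSINESS_NEED = {"recruitment_unsuccessful": 1}              # priority 3, DPC: 12 months
RULE_TABLES = (("statutory_retention", STATUTORY_RETENTION),
               ("statutory_limitation", STATUTORY_LIMITATION), ("business_need", BUSINESS_NEED))

def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                    # 29 Feb anchor, non-leap target year
        return d.replace(year=d.year + years, day=28)

def retention_end(category: str, anchor: date) -> Tuple[Optional[date], str]:
    """Walk the priority list; the longest applicable period sets the end date.
    With no applicable rule the data protection principle says delete now."""
    end, basis = None, "data_protection"
    for name, table in RULE_TABLES:
        if category in table:
            candidate = add_years(anchor, table[category])
            if end is None or candidate > end:
                end, basis = candidate, name
    return end, basis

@dataclass
class Record:                             # hypothetical record shape, an assumption
    record_id: str
    category: str
    anchor: date

def review(records: List[Record], today: date) -> List[str]:
    """Periodic review: ids of records past their end date or with no documented basis."""
    expired = []
    for r in records:
        end, _ = retention_end(r.category, r.anchor)
        if end is None or end <= today:
            expired.append(r.record_id)
    return expired

# Constructed sample records (not from the article) for a review on 1 Jan 2024.
SAMPLE_RECORDS = [Record("PAY-1", "payslip", date(2019, 3, 31)),
    Record("CON-1", "employment_contract", date(2019, 3, 31)),
    Record("CV-7", "recruitment_unsuccessful", date(2023, 6, 15)),
    Record("MISC-2", "marketing_notes", date(2022, 1, 1))]   # no documented basis
```

Running `review(SAMPLE_RECORDS, date(2024, 1, 1))` flags the 2019 payslip (three years elapsed) and the undocumented marketing notes, while the employment contract (six years from termination) and the recent unsuccessful CV (twelve months) are kept.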