Data retention is a critical aspect of business operations, driven by legal mandates around protection of information, and the organisational advantages. As businesses navigate data protection, implementing effective data retention is paramount.
Why is data retention important?
Every data protection law has a principle within it that requires organisations to keep personal data for no longer than is necessary. Effective data retention policies make sure that only relevant data is retained, which drives operational efficiencies, as well as mitigating the risk of retaining too much data.
Creating an effective data retention policy and schedule
Creating an effective data retention policy needs a comprehensive understanding of the data in the organisation’s ecosystem. This is best done by an inventory of data assets, based on sensitivity and regulatory requirements, and align with industry best practices.
Next, the retention periods for different types of data need to be established. Factors to consider include: the purpose of the data collection, statutory requirements, and business needs. Robust mechanisms for data disposal also need to be set, including the recording of disposal activities.
The retention policy needs to be regularly reviewed to ensure it is keeping pace with regulatory and organisational requirements.
The roles of data controllers, processors and sub-processors in data retention
Data controllers have the primary responsibility for determining the purpose and means of data processing, which includes disposal methods and retention periods. Contractual agreements with processors and sub-processors must include data destruction and retention requirements, and also have built in an audit mechanism. Processors and sub-processors are responsible for executing data processing activities (including deletion) in accordance with the contractual obligations and legal requirements specified by the entity organising the data processing (aka the data controller).
Benefits of an effective data retention schedule
- Legal compliance: avoiding fines and penalties associated with non-compliance with data protection legislation
- Enhanced data security: minimising the risk of data breaches and unauthorised access through structured retention and disposal policies
- Operational management: streamlining of data management processes and reducing storage costs
- Customer trust: building customer trust by demonstrating a commitment to protection of their privacy rights.
Recommended retention periods for different types of personal data
- Financial records: retain for a minimum of seven years or another period to comply with local tax and accounting regulations
- Customer transaction data: retain for the duration of the customer relationship plus a specified period to address potential disputes/enquiries
- Employee records: retain for the duration of employment plus the statutory retention period for employee records
- Marketing data: retain based on consent duration or until the individual opts out of marketing communications, and use hard bounce lists from email campaigns as an opportunity to clean database;
- Heath records: retain based on healthcare regulations, plus a specified period to address potential disputes/enquiries.
The importance of staff training
Key to success is employee education. Training staff on data retention policy compliance is an ongoing exercise and needs to be conducted on a regular basis to ensure employees are kept up to date with policy updates as well as best practice. These training sessions provide an opportunity for employees to pose questions and to seek clarification on aspects of the policy. Investing and delivering training also means the organisation is empowering its employees to play an active role in data protection.
In conclusion, personal data should only be kept as long as is strictly necessary. Understanding data retention is essential to business success in today’s highly digitised world. By implementing an effective data retention policy, organisations are much better placed to leverage their data as a valuable asset.