A short guidance note explaining the GDPR obligations on businesses with regard to the storage of personal data and containing a link to a template Data Retention Policy.

What does the law require?

The GDPR builds on and adds further detail to the requirements under current data protection law regarding the storage of personal data. In particular, whilst the GDPR does not set out any specific minimum or maximum periods for retaining personal data, it requires that, subject to certain exceptions, personal data must not be kept in a form which allows identification of the relevant individuals for longer than necessary. The period for which personal data is stored must generally be limited to a strict minimum.

The GDPR also states that time limits should be established by the data controller for erasure or for a periodic review of data retention periods in order to ensure that personal data is not kept longer than necessary. Also, as described in the Records of Processing Activity section of the IPA's GDPR Top Ten Practical Steps Guidance, certain organisations are required, subject to some exceptions, to maintain specific records of the envisaged time limits for erasure of the different categories of personal data they hold.

What do you actually need to do?

In practice this means you will need to review the length of time you keep personal data; consider the purpose or purposes for which you hold the information; and securely delete or anonymise data that is no longer needed for the relevant purpose. In order to achieve this, you should put in place an appropriate data retention policy which should be periodically reviewed and updated as necessary to ensure it is effective and meets your agency’s requirements. It is also important that the policy is actually implemented within your agency. The relevant personnel must be actively made aware of the policy, trained on the requirements, and required to comply with it.

It is also important to note that the data retention obligations referred to above will only directly apply when your agency is acting as the “data controller” as opposed to the “data processor”. Where your agency is acting as a “data processor”, the obligations regarding data retention do not directly apply; there is, however, a requirement for your agency to include in your contracts with clients details of the duration for which any personal data will be processed under the contract. It is therefore important to be aware of data retention periods in the context of any personal data processed for a client.

There is also an obligation on your agency, subject to certain exceptions, to delete or return all the personal data you process for a client after the end of the provision of services. It may also be that a client contract includes additional specific obligations regarding data retention. It is therefore important to check the applicable client contract to ensure that you comply with the relevant requirements in this area.

How can the IPA help?

The IPA has produced a template Data Retention Policy for agencies to use as part of the development and rolling-out of your agency’s own internal data protection policies and procedures. The Policy sets out a process and guidelines for the retention and disposal of certain categories of personal data when your agency is the data controller and processing the data for your own purposes.

Please note that the Data Retention Policy is intended as an example and to be used as a starting point only. It is not intended to be comprehensive or a finalised policy and will not, by itself, guarantee that an agency achieves full compliance with the GDPR. It is critical that you thoroughly review the Data Retention Policy and customise it to fit your agency’s business before rolling it out internally within your agency.

The Data Retention Policy is designed to work in conjunction with the other policies referred to in this Guidance as well as any other policies and procedures your agency may have. The Policy includes highlighted guidance notes and square bracketed words – these should be addressed and eventually removed as part of the implementation of the policy. The Policy also includes some background guidance notes in red at the start of the document; these red notes should also be removed as part of the finalisation of the policy.