The Data Protection Network has published its first new GDPR guide since the organisation was relaunched last month, with the release of the Data Retention Guidance, designed to demystify just how long companies are permitted to keep hold of customer data.
Despite GDPR now entering its third year of enforcement, data retention is still very much a grey area as the regulation does not stipulate a time period for organisations to follow.
The Covid-19 pandemic has brought it into sharper focus following reports that NHSX, the NHS’ digital arm, plans to keep Test & Trace data for 20 years. However, some data protection specialists have recommended between six months and a year as the maximum retention period before marketing data should be refreshed.
The Information Commissioner’s Office has yet to publish definitive guidance for data deletion under GDPR, with its website claiming this will be done “in due course”. In the meantime, it points professionals to its guidance under the 1998 Data Protection Act.
The DPN guide has been written by specialists from a broad range of organisations and sectors, and is designed to provide a clear step-by-step framework and example templates for different categories of data, such as employee, marketing, and insurance records.
To help fill this gap, it aims to give organisations the tools they need to meet the core GDPR principle that “personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.”
The DPN shows how to tackle this in the real world, along the four key steps of getting started; deciding on retention periods; creating a data retention policy and schedule; and implementation and ongoing oversight.
Case studies show the approach taken by organisations in the travel, charity and construction sectors.
Bristows LLP partner Robert Bond, who chaired the DPN Data Retention Working Group, said: “The DPN has worked hard to publish a practical guide to a complex and evolving topic. It provides a set of tools to help with transparency and accountability in data retention.”
Thomson Reuters data protection officer EMEA Matthew Kay added: “The DPN has continued to grow since its legitimate interest guidance and now an increased spectrum of industries have come together to produce a pragmatic toolset. Once again I’ve been delighted to play a role in this helpful steer for organisations handling the challenges of data retention.”
The DPN, whose guidance is aimed both at data professionals and non-experts, was relaunched last month following a period of uncertainty sparked by the demise of parent organisation Opt-4.
For more information visit the DPN website.