Retention of Data
“How long can we keep our data?”
Retaining data has always been a fragmented area of information security law. This article explores what personal data is, what constitutes processing data and for how long you should retain data, as it appears to be unclear within DPA and GDPR law!
First, a definition of what constitutes personal data: “Personal Data means any information relating to an identified or identifiable natural person (data subject). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”
If your organisation handles information, in any form, that can be used to identify an individual, it is holding personal data.
So, what defines “processing data”? “Processing” data is anything you do with personal data. Even if your organisation is “storing,” “erasing,” or “destroying” data, then you are “processing” data.
How has the data retention landscape changed from DPA to GDPR?
It is mainly unchanged, but you must explicitly retain information based on the usage specified when consent was given.
Organisations are advised to carry out a Data Protection Impact Assessment, which is used to define the retention period for data and both the usefulness and validity of your data. Ultimately, the data subject needs to know that you are keeping the data, why you are keeping it, and what your intention is for using it, and they will need to consent to this reasoning. Several regulations define how long you must legally keep the data, depending on the type of data you are holding.
You probably wondered about a term we mentioned: “What’s a Data Protection Impact Assessment?” Our training courses cover it. If you are interested, please contact us!
So, we will end where we started, “How long can we keep our data?” The GDPR does not specify an exact amount of time, but we have certainly ascertained that data cannot be kept indefinitely. Therefore, a common-sense approach is required here.
Our training courses can help you navigate through these retention issues and guide you through the reasoning of why, how, what for and when retention could breach the regulation.