Q. How do I define a retention period? – In short: it is a business decision; you should keep the period as short as possible, and it should be in line with other relevant regulation.
Full answer: Retention periods are a risk-based decision that should be made by the business area; typically, the longer you decide to retain the data, the higher the risk. Under principle 5 of the DPA1998 (replicated in the DP Bill 2018), personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes*.
My advice is first to determine whether the personal data is required at all. This really is the only ‘silver bullet’ for data protection: there is no risk if you don’t hold the data in the first place. For example, do you have an out-of-date marketing list that has not driven a sale for many years (why not get rid of marketing lists and focus on social media, like JD Wetherspoon did?), or are you analysing patterns of behaviour in large groups of people where you could simply remove the personally identifiable information (PII), such as name and address, but retain their region, age group and buying patterns so that you can still complete the same analysis?
If you have determined that you do need the data, work the period up from 24hrs (or the lowest possible option): can I set it at 24hrs? If not, why not? Continue to work that number up until you can say yes. In some areas you might have legislation that requires you to retain data for a given period. For example, Anti Money Laundering regulation (where it applies) requires you to hold data for 5 years, and potentially a further 5 years if there are suspicions of wrong-doing; this would give you a bare minimum retention period of 5 years. You may want to increase the 5 year retention period to 6 years to sit in line with the relevant statute of limitations. Outside of legal guidelines you may wish to think about your business practices: if you offer a product where typically you get a repeat request every 10 years, you may wish to retain the data to coincide with that and set 11 years as your retention policy. However, don’t forget to weigh up the benefit and detriment to the data subject, and think about whether it would be just as simple to gather the data again 10 years later. If you have an ongoing service, i.e. you clean their windows or you send them a monthly update email, you can use a formula for the retention period; typically this could be for as long as they are a member + 30 days (which should give you sufficient time to remove their data).
Alongside the retention period you must offer the data subject the opportunity to get in touch and request that you delete their details. Again, this is not simple and clear cut, and whether you comply or not will depend on a number of factors, most notably your lawful basis for processing their data. For example, you will not delete the data of a customer you have an ongoing product/contract with, but you are quite likely to delete the data of someone that you send marketing emails to based on their consent.
Note: Under the newly introduced principle on transparency and the individual’s right to be informed, you should make sure you communicate your retention period to the data subject at the point at which you capture their data.
*The DPA1998 provided some exemption for statistical or historical purposes; the GDPR expands on these exemptions for archiving purposes in the public interest and/or scientific purposes, in addition to the statistical or historical purposes covered in the DPA.
– Don’t forget to think about how you deal with data in back-ups, how you actually implement your written retention policy, how to comply with other individual rights requests such as portability, and what the requirements are for a GDPR-compliant privacy notice.
As with everything GDPR, make sure you document your thinking for audit purposes.