We have been working on Data Retention policy reviews for a number of clients recently. One element of our approach is a benchmarking exercise against peer organisations domestically or internationally to assess the “reasonableness” and proportionality of proposed retention periods. In one review we found that domestic peers had identified quite a lot of “Retain Indefinitely” retention periods. Coincidentally, these were applied to records which related to accidents, incidents, and activities that service users of the organisation might be involved in.
In other words: Anything they did that might have a risk of them getting sued they were retaining the records of that indefinitely. Just in case. For insurance. After all, you’d never know..
Unfortunately, this is neither necessary nor proportionate.
Under the GDPR, the maximum fine applicable to a retention of data for no longer than is necessary is €20,000,000. Unless there is a historical research purpose or scientific or statistical research purpose, any retention preiod must be both necessary and proportionate to the purpose. That little hook is emphasised in the requirement under Article 5(e) that retention is “suject to the implementation of the appropriate technical and organisational measures required by the Regulation in order to safeguard the rights and freedoms of the data subject”.
If governments are not allowed to ask phone companies to hold telecommunications data for up to two years “just in case” of serious crime (Digital Rights Ireland), then retaining all the data about all the things the people who used your services for for ever, just in case, is likely to land your organisation in difficulties.
Balancing Risks versus Managing Risks
“But we need to balance risks” clients say. And they are right. However, they need to consider the risks of unauthorised access to or disclosure of data that is retained, the risk of a person who has never had a trip or spill or bump complaining that their data is retained indefinitely, and the commensurate risk of bad publicity. Failure to have appropriate security controls also carries with it potentially severe penalties under the GDPR.
Also, bear in mind that under Article 15 of the GDPR (and Section 4 of the current Data Protection Acts) people are entitled to copy of all data held about them by your organisation. Indefinite retention means you need to be able to find, review, redact, and process that information within no more than 40 days. With the GDPR introducing the requirement that electronic requests for data need to be responded to electronically, that means the “print and dump” approach will not be compliant in future. And non-compliance with Subject Access requests gives rise to a number of potential offences under the GDPR, each of which carries a potentially significant penalty.
Retaining data indefinitely to mitigate the risk that someone might sue over something creates the certainty that someone will complain that your retention policy is not compatible with the GDPR or the Charter of Fundamental Rights. That will run to money – if only to fix your retention schedule under the gaze of a Data Protection Authority.
A well defined Data Retention schedule and associated Data Governance processes should encourage organisations to actively manage their risks. To put it bluntly: if you are an organisation that finds they are retaining all the information on every activity or incident and person involved ‘just in case’ you might get sued, your problem is NOT data protection, it’s health and safety or child protection or something else. It is indicative of other risks not necessarily being actively managed or governed appropriately.
The identification in your Data Retention schedule of a “Legal Hold” requirement and process means that, rather than passively holding all things until you are happy the statute of limitation has expired on that category of thing you are worried about, your organisation will make evidence based and governed decisions on the retention of evidence and the management of issues. It also means that you will not be retaining all the data on all the things, but rather the key data about the actual things where there is a higher probability of the risk crystallising into a crisis.
Data Retention requirements under the Data Protection Acts and the GDPR should be regarded as nudges by the legislature and the Charter of Fundamental rights to consider the processes that the retained information support and to ensure a balanced management of risks so that you can demonstrate the necessity and proportionality of any long-term retention of data about who was on the bus when that group went on that day trip.
Prudent Risk Management
The GDPR places the fundamental rights issues of data protection into a risk management frame. It is important that you can demonstrate that you are identifying and managing risks correctly. That means being able to demonstrate that your retention of data is “necessary and proportionate”. Managing and mitigating that risk should drive your organisation to better manage and mitigate the other risks that create the perceived need for indefinite retention schedules.
If you need it forever “just in case”, you don’t have a Data Protection problem… it’s probably a lot worse.