A personal data retention strategy does exactly what it says on the tin. It is a strategic decision – or rather a set of strategic decisions – documenting exactly how long you intend to hold on to the personal data in your possession and why. Not only is this a legal obligation under the Irish Data Protection Act, it forms a key part of your overall data governance. Sorting out which data stays, and which should be slated for disposal, can be, well, let’s be honest, a nightmare, particularly in mature organisations. We’re great at data gathering but oh so possessive when it comes to letting go. Data has been gathered from a lorry load of places and is often duplicated and stored in fragmented ways, known only to and accessible by some players, usually in siloed structures. So Data Governors, DPOs and IT Managers become the “pushmi-pullyu” of the organisation. On the one hand, it’s possible that you don’t hold on to personal data for long enough and are then subject to legal or regulatory penalties. If you do hold someone’s personal data for the correct period and then dispose of it per your retention schedule, you run the risk of a Subject Access Request, with the data subject complaining that you didn’t hold on to it because you obviously have something to hide. On the other hand, you can also fall foul of holding on to personal data for too long. Again, there are the-same-but-different legal and regulatory penalties for not complying with the principle of storage limitation.
It is relatively easy to define the retention periods of certain categories of data, as they are laid down by other legislation, such as the Taxes Consolidation Acts, but others rely on judgments made by you and your organisation, based on necessity, proportionality and taking into consideration the rights and freedoms of the people who have trusted you with their personal information.
It’s important to note that there are practical downsides for not divesting personal data. The more data you hold, the more time and resources are required to go find it should a data subject request to exercise their rights. Research by IBM in the US in 2016 found that 30% of payroll costs is spent finding, cross-referencing, correcting and validating data and 30% of data searches fail on the first or second attempt.
While working as a Marketing Operations Manager, I once spent six full working days co-ordinating the search to prove one single customer had opted in to receiving emails. There were times when, for me, the 30% mentioned above was 60%.
Here’s a thing. A lot of the information you need for a retention policy will (hopefully) have been identified by your Art. 30 register of processing activities. Take what you have documented and operationalise it. You can make yourself feel great by having the workshops with the nice biscuits, writing up the required documentation and then smugly treating yourself to a large G&T after work, but if you can’t/won’t put it into practice then, well, what’s the point? It’s a waste of time, it won’t make you compliant and provides a disservice to those people who trusted you with their data.
Having had to work with databases that had 7 or 5 or 13 different names for exactly the same dataset, I’d’ve given my eye teeth (strange turn of phrase that, but I digress) for a Business Glossary of terminology and standards, containing:
“Clear definitions with explanation of exceptions, synonyms, or variants necessary because people use/interpret words differently. This reduces ambiguity and improves communication. The glossary should be approved by representative of all user groups.” (DAMA Body of Knowledge, 2017)
I have been asked a lot about two things in relation to retention policies – SARs and eMail. Both worthy of at least an article each, but in the meantime, here’s the 30-second version.
SARs: Retain your SAR log (pseudonymised) and the original “pack” in a relevant filing system for a time you feel is appropriate (bearing in mind the potential for you to be sued for failing to meet Data Subject rights).
eMail: Boy, do people love their email. And yet it is likely to be the #1 time-waster when the SARs come in. Is it a “relevant” and “structured” filing system? Nah, didn’t think so. But it is still an electronic record that has to be searched and assessed and constitutes risks to the organisation. The last three corporations I worked for had a strict size-based policy – when your mailbox was “full” you could neither send nor receive. The only way to get your MBs back was to start deleting. Worked a treat.
It’s worth considering the advice of Marie Kondo – does this email bring you joy? An appropriate deletion, archiving, and filing policy for email can save a world of pain. All of which brings us back to the importance of a defined retention schedule and guidelines on how to decide when there is no defined rule.
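What “operationalising” a retention schedule looks like in practice, as an added Python example that is not part of the original article: it encodes a schedule (category, period, legal basis), applies it to records, sends anything past its period for disposal, routes anything with no defined rule to review rather than guessing, and keys the SAR-log pseudonyms with a secret kept apart from the log. The categories, periods, legal bases, record identifiers and dates are constructed placeholders, not legal advice, and the legal-hold flag is an assumption added here.

```python
"""Retention schedule evaluator. Added example with constructed data; the
periods and bases below are placeholders, not legal advice."""
from dataclasses import dataclass
from datetime import date
import hashlib
import hmac


@dataclass
class Rule:
    years: int   # how long to keep a record after its trigger date
    basis: str   # why: statute, or the organisation's documented judgement


# Constructed schedule: every period and basis here is an illustrative placeholder.
SCHEDULE = {
    "payroll": Rule(years=6, basis="statutory period (placeholder)"),
    "marketing_consent": Rule(years=2, basis="necessity/proportionality judgement (placeholder)"),
    "sar_log": Rule(years=3, basis="organisational decision (placeholder)"),
}


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date        # e.g. employment ended, consent given, SAR closed
    legal_hold: bool = False  # assumption: an open dispute blocks disposal


@dataclass
class Decision:
    record_id: str
    action: str  # "retain", "dispose" or "review"
    reason: str


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; 29 February rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def evaluate(record: Record, schedule: dict, today: date) -> Decision:
    rule = schedule.get(record.category)
    if rule is None:
        # No defined rule: do not improvise, send it through the documented decision process.
        return Decision(record.record_id, "review",
                        f"no retention rule for category '{record.category}'")
    if record.legal_hold:
        return Decision(record.record_id, "retain", "legal hold in place")
    expiry = add_years(record.trigger_date, rule.years)
    if today >= expiry:
        return Decision(record.record_id, "dispose",
                        f"{rule.years}y period expired on {expiry} ({rule.basis})")
    return Decision(record.record_id, "retain", f"retain until {expiry} ({rule.basis})")


def run_schedule(records, schedule, today):
    """Apply the schedule to every record; the output is the disposal/review worklist."""
    return [evaluate(r, schedule, today) for r in records]


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym for the SAR log. A plain hash of a predictable identifier
    (email address, customer number) can be reversed by guessing candidates and
    hashing them; an HMAC with a key stored separately from the log cannot."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed sample input and a fixed "today" so the run is reproducible.
TODAY = date(2024, 1, 15)
SAMPLE_RECORDS = [
    Record("emp-001", "payroll", date(2017, 6, 30)),                          # expired 2023-06-30
    Record("emp-002", "payroll", date(2020, 3, 1)),                           # keep until 2026-03-01
    Record("cust-417", "marketing_consent", date(2021, 11, 5)),               # expired 2023-11-05
    Record("cust-418", "marketing_consent", date(2021, 11, 5), legal_hold=True),
    Record("legacy-9", "crm_export_v3", date(2015, 1, 1)),                   # category nobody defined
]

if __name__ == "__main__":
    for d in run_schedule(SAMPLE_RECORDS, SCHEDULE, TODAY):
        print(f"{d.record_id:10} {d.action:8} {d.reason}")
    # Placeholder key; in practice it lives in a secret store, not beside the log.
    print("sar log entry:", pseudonymise("cust-417", b"placeholder-key"))
```

The point of the "review" outcome is the article's closing one: when no rule exists the tool must not invent a period, it hands the record to whoever owns the guidelines for undefined cases. The legal-hold check runs before the expiry check because a disposal carried out during a dispute is the scenario the SAR paragraph warns about.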