Assigning appropriate retention periods to categories of personal data is one of the fundamental obligations under the General Data Protection Regulation (Regulation (EU) 2016/679) (the "GDPR"). The requirement to designate clear retention periods emanates from the aptly named 'storage limitation principle' found in Article 5(1)(e) of the GDPR. This principle requires that personal data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed; once those purposes have concluded, expired or lapsed, the data must be deleted or rendered non-identifiable. Experience shows that data controllers find this principle particularly difficult to comprehend, let alone comply with, mainly because the GDPR neither prescribes retention periods nor explains how to calculate them. Indeed, once the respective retention periods have been determined, controllers often have to significantly overhaul their systems (legacy and online systems alike, as well as staff training and conduct) in order to abide by this principle. While compliance may be cumbersome and at times overwhelming, this article puts forward a few suggestions intended to help controllers break down the requirements of the principle and satisfy their obligations more efficiently.
Data retention policy
The focal point of any controller's compliance with the storage limitation principle is an internal personal data retention policy. Essentially, a data retention policy is a document, typically compiled by the data protection officer (the "DPO") where one is appointed, that sets out the period of time for which each category of personal data will be processed by the controller or group of controllers. Once that period has expired, the personal data must be deleted or rendered non-identifiable without undue delay.
More often than not, controllers will aim to satisfy this requirement by deleting any personal data that is past its retention date. Controllers also have the option of anonymising the data so as to render the data subject non-identifiable, provided the anonymisation is irreversible (see the section on deletion and anonymisation below). The general purpose of a data retention policy is to give the controller an easily accessible and clear list of the retention period applicable to every category of personal data that it processes. The retention policy then feeds into the controller's compliance with the accountability principle under Article 5(2) of the GDPR, guides the controller when instructing processors to process personal data on its behalf, and supplies the retention information that must appear in its privacy notice pursuant to Articles 13 and 14 of the GDPR.
Identifying categories of personal data
In order to compile a retention policy, the first step is to clearly identify every category of personal data processed by the controller: it is vital that the controller knows exactly what personal data it processes and why. The easiest way to go about this is to break down the controller's operations into departments, such as human resources ('HR'), finance, sales, marketing, compliance, and so on. Each department is then responsible for identifying the categories of personal data it processes (with assistance from the DPO, where appointed) and the period for which it thinks that data should be held. Where a department is able to give a definitive answer, that retention period should be cross-referenced with applicable laws and guidance, to ensure that the controller would not be retaining personal data for a period shorter than the law requires, nor for longer than it can justify. Where a department's initial answer is that no clear retention period can be identified, the first step in determining one is to turn to applicable laws or relevant guidance. In all cases, controllers would be well advised to document clearly the reasons and justifications for every retention period applied.
Identifying applicable laws
When turning to applicable laws to determine retention periods, it is important to bear in mind that the relevant period will not always be stated expressly. In some instances the law will specify that controllers must retain data for a certain number of years; this is particularly true of anti-money laundering and financial services laws. In other instances the retention period will be more subtle, for example where applicable laws provide that certain claims may only be brought before a court or tribunal within a pre-defined limitation period. In the context of HR, for instance, the laws of a particular jurisdiction could state that an employee may bring a claim for unfair dismissal within a number of months of the alleged breach. It is therefore in the controller's interest not to delete employee data that could be relevant to such a claim before that limitation period has lapsed.
Identifying longer retention periods
Having determined the relevant retention periods by reference to applicable laws or guidance, the controller must then decide whether it needs to retain the data for an even longer period. The GDPR does not prohibit such an extended period, but the controller must explicitly document why it considers that it must hold the data for longer, and how the extended period does not infringe the data subject's rights to privacy and to the protection of their personal data. Naturally, any longer period cannot be open-ended; it must have an expiry date. Extended retention is typically driven by the controller's own particular business needs, such as the imminent threat of litigation or an order issued by a regulator. Controllers must bear in mind, however, that the extended retention period must be objectively justifiable as necessary, not merely convenient from the controller's own point of view.
Determining storage location
Once the retention period has been identified, the controller must assess where the personal data is stored. This includes identifying what type of data is held in filing cabinets, on servers (both internal and external), in cloud services and in backups, for example. It is important for controllers to make this determination at the outset, because every form of storage, whether electronic or paper, is subject to deletion or anonymisation once the retention period has lapsed. This determination is also an opportunity for the controller to assess whether it is undertaking 'duplicate retention', that is, holding multiple copies of the same document. Duplicate retention increases the amount of personal data processed by the controller and thereby increases the risk of a personal data breach; it also means that a deletion run must reach every copy before the data can be said to have been deleted. Once this exercise is completed, the controller will be able to ascertain whether it is necessary to continue holding duplicates (and, where it is, the reasons should be clearly documented), or whether the duplicates may be deleted, thus reducing the controller's exposure to GDPR-related liabilities.
Deletion/anonymisation following expiration of retention period
Once the storage location of each category of personal data has been identified, the controller must be able to demonstrate that the personal data is deleted or rendered anonymous as soon as the retention period expires. The controller is therefore required to have technical and organisational measures in place which genuinely delete the data in question, in every location identified in the previous step. Moving data to an archive or pseudonymising it does not amount to deletion under the GDPR. This is because, in order to satisfy the storage limitation principle, controllers must not retain personal data which permits identification of data subjects for longer than is necessary. Pseudonymisation, as defined in Article 4(5) of the GDPR, is the processing of personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, which is kept separately and subject to technical and organisational measures. Since that additional information (a lookup table or a key, for example) still allows the individual to be identified, pseudonymised data remains personal data and is not considered anonymised (or deleted) for the purposes of the GDPR; it only ceases to be personal data once the additional information has itself been destroyed and the remaining data cannot be linked back to the individual. Similar reasoning applies to archiving. Even though archived data may not be readily accessible to the controller, the data itself remains identifiable, and the principles of the GDPR therefore continue to apply to it.
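The following script is an added illustration of the distinction drawn in this section; it is not code from the article or from any regulator. It models a retention job in which records are pseudonymised by replacing direct identifiers with a keyed token, the re-identification mapping is kept separately, and a record only counts as out of scope once its expiry date has passed and both the token and the mapping entry have been destroyed. The categories, retention periods, field names and the HMAC key are hypothetical placeholders, and the extension logic enforces the requirement above that any longer period be finite and documented.

```python
"""Added illustration (not part of the article): a retention job that treats
pseudonymised records as still identifiable and only counts a record as out of
scope once its identifiers and the re-identification mapping are both gone.
Categories, retention periods, field names and the key are hypothetical."""
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib
import hmac

# Hypothetical retention schedule: days a category is kept after its purpose ends.
# The periods stand in for limitation periods or business needs documented elsewhere.
RETENTION_DAYS = {
    "hr.personnel_file": 6 * 365,
    "marketing.leads": 2 * 365,
}

# Fields that identify a person directly; everything else is kept as-is here.
DIRECT_IDENTIFIERS = {"name", "email", "employee_no"}


@dataclass
class Record:
    record_id: str
    category: str
    purpose_ended: str   # ISO date, e.g. "2018-01-31"
    data: dict


def expiry_date(category: str, purpose_ended: str,
                extension_days: int = 0, justification: str = "") -> str:
    """Expiry = scheduled period plus an optional extension that must be
    finite and documented; an undefined category is an error, not 'keep forever'."""
    if category not in RETENTION_DAYS:
        raise KeyError(f"no retention period defined for {category!r}")
    if extension_days < 0:
        raise ValueError("extension must be a non-negative number of days")
    if extension_days and not justification:
        raise ValueError("an extended retention period must be justified in writing")
    days = RETENTION_DAYS[category] + extension_days
    return (date.fromisoformat(purpose_ended) + timedelta(days=days)).isoformat()


def pseudonymise(record: Record, key: bytes, lookup: dict) -> Record:
    """Replace direct identifiers with a keyed token and keep the reverse
    mapping in `lookup`. While that mapping (or the key plus the originals)
    exists, the output is still personal data under the GDPR."""
    ident = {k: v for k, v in record.data.items() if k in DIRECT_IDENTIFIERS}
    rest = {k: v for k, v in record.data.items() if k not in DIRECT_IDENTIFIERS}
    msg = repr(sorted(ident.items())).encode()
    token = hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]
    lookup[token] = ident
    return Record(record.record_id, record.category, record.purpose_ended,
                  {"subject_token": token, **rest})


def reidentify(record: Record, lookup: dict):
    """Return the original identifiers if the mapping still exists, else None."""
    return lookup.get(record.data.get("subject_token"))


def anonymise(record: Record, lookup: dict) -> Record:
    """Drop the token and destroy its mapping entry. Only after this step are
    the remaining fields outside the GDPR (assuming they are not themselves
    indirectly identifying, which this toy does not check)."""
    token = record.data.get("subject_token")
    lookup.pop(token, None)
    rest = {k: v for k, v in record.data.items() if k != "subject_token"}
    return Record(record.record_id, record.category, record.purpose_ended, rest)


def enforce_retention(records: list, lookup: dict, today: str):
    """Anonymise every record whose expiry date has passed. Returns the
    resulting records and the ids that were processed, for the audit log."""
    out, processed = [], []
    for rec in records:
        if today > expiry_date(rec.category, rec.purpose_ended):
            out.append(anonymise(rec, lookup))
            processed.append(rec.record_id)
        else:
            out.append(rec)
    return out, processed


if __name__ == "__main__":
    # Constructed sample record; the key would come from a secrets store in practice.
    lookup, key = {}, b"hypothetical-key"
    rec = Record("r1", "hr.personnel_file", "2018-01-31",
                 {"name": "A. Example", "email": "a@example.test", "grade": "B2"})
    p = pseudonymise(rec, key, lookup)
    print("pseudonymised, still re-identifiable:", reidentify(p, lookup))
    kept, done = enforce_retention([p], lookup, "2024-01-31")
    print("after expiry, re-identifiable:", reidentify(kept[0], lookup), "processed:", done)
```

The point of the example is the middle step: after `pseudonymise` the record looks clean, yet `reidentify` recovers the name and e-mail address because the mapping still exists, so the record is still personal data and still counts against the retention period. Only `anonymise`, which removes both the token and the mapping entry, changes that. A real job would run the same logic against every storage location identified in the previous section, including archives and backups, and would also consider whether the remaining fields are indirectly identifying.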
As with all other principles under the GDPR, implementing a retention policy is not a static, tick-the-box exercise. The retention policy must be reviewed on a regular basis; in practice it is typically reviewed every three to six months, depending on the processing taking place. More frequent reviews will be required where applicable laws or guidance have changed, where a data subject has requested erasure or restriction of their personal data, or where changes to the controller's operations mean that the data in question is no longer required. Any changes to the retention policy must be clearly communicated to all staff, and where the policy has been made available to data subjects, the updated policy should be made accessible to them too.