
Does your retention policy comply with the GDPR?

Monday 16 July 2018

With the General Data Protection Regulation (GDPR) now in place, it is important that you have an established procedure which sets out how to securely dispose of data when it is no longer needed.

When GDPR was implemented on 25 May, it brought with it stricter requirements on data retention, forcing organisations to consider the volume of personal data stored and how long it should be kept.

Many businesses are now realising that whilst they may have done the mapping, they don’t have a retention policy in place and need to create a rationale for how long they are keeping data for, as well as finding processes to automate clearing data regularly.

So what is a retention policy?
A retention policy is a written set of guidelines that a company follows when handling data — more specifically in relation to how long a data set should be stored for.

Article 5 (e) of the GDPR states that personal data shall be kept for no longer than is necessary for the purposes for which it is being processed. And whilst there are some circumstances where personal data may be stored for longer periods (e.g. archiving purposes in the public interest, scientific or historical research), the GDPR states that the period for which the personal data is stored should be limited to a strict minimum.

TOP TIP: Your retention policy applies to data that is stored both on and offline, so physical copies (such as printed documents, paper client files or spreadsheets) should also be destroyed when the data is no longer required. And yes, this does include emails as well!

Why is a retention policy important?
Ensuring that you erase or anonymise personal data when you no longer need it will help to prevent information from becoming irrelevant, inaccurate and out of date. It will also reduce the security risk to your business and limit the possibility of sensitive personal information being exposed in the case of a hack or breach of your systems, which could potentially cause harm to the individuals involved.

From a more practical perspective, it is inefficient to hold more personal data than you need, and there may be unnecessary costs associated with storage and security.

How do I create a retention policy?
Firstly, you’ll need to assess what personal data you currently hold and look at where it is being stored. Servers, databases, email accounts, company computers and even backup drives all need to be checked.

After you’ve evaluated your data set and pinpointed all storage locations, you will then need to define a storage period for each type of data and decide which records should be retained. This will invariably differ from business to business depending on your company’s needs. For example, data held in relation to a complaint might not necessarily need to be retained for the same length of time as information concerning a sales transaction.

Regardless of the retention period you opt for, however, you must be able to demonstrate your rationale behind the length of time you choose to keep personal data for.

Implementing your policy
When it comes to deleting and anonymising data you have two options: you can do it manually or automatically, although a mix of both may be necessary depending on how your business stores information. If you have a system which allows you to set retention rules, then all you’d need to do is ensure that these processes are working correctly and that the data is actually being deleted or anonymised.
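One way to automate the retention step described above, as an added example that is not part of the original article: a small Python script with a per-category retention schedule (the periods and rationales are hypothetical placeholders), a delete-or-anonymise pass, and a verification check that no expired record still carries personal data.

```python
from datetime import date, timedelta

# Constructed retention schedule: a period and a written rationale per data
# category (the article's complaint vs. sales-transaction example). The
# periods are hypothetical placeholders for illustration, not a recommendation.
RULES = {
    "complaint": {"keep_days": 365, "action": "delete",
                  "rationale": "resolved complaints are not revisited after a year"},
    "sales_transaction": {"keep_days": 6 * 365, "action": "anonymise",
                          "rationale": "accounts need the amounts, not the buyer's identity"},
}
PERSONAL_FIELDS = ("name", "email")
TODAY = date(2018, 7, 16)  # run date for the constructed sample below

def expired(record, today):
    rule = RULES[record["category"]]
    return today >= record["created"] + timedelta(days=rule["keep_days"])

def anonymise(record):
    # Keep the non-personal fields (amount, dates) but blank the identifiers
    # so the row no longer relates to an identifiable person.
    out = dict(record)
    for f in PERSONAL_FIELDS:
        out[f] = None
    return out

def apply_retention(records, today):
    """Return (records to keep, audit log of what was done and why)."""
    kept, log = [], []
    for rec in records:
        if not expired(rec, today):
            kept.append(rec)
            continue
        rule = RULES[rec["category"]]
        if rule["action"] == "anonymise":
            kept.append(anonymise(rec))
        log.append((rec["id"], rule["action"], rule["rationale"]))
    return kept, log

def verify(records, today):
    """The check the article asks for: no expired record still holds personal data."""
    return all(not any(r.get(f) for f in PERSONAL_FIELDS)
               for r in records if expired(r, today))

# Constructed sample data set (fictional people and values)
SAMPLE = [
    {"id": 1, "category": "complaint", "created": date(2017, 3, 1), "name": "A. Person", "email": "a@example.com"},
    {"id": 2, "category": "complaint", "created": date(2018, 5, 1), "name": "B. Person", "email": "b@example.com"},
    {"id": 3, "category": "sales_transaction", "created": date(2011, 6, 1), "name": "C. Person", "email": "c@example.com", "amount": 250000},
    {"id": 4, "category": "sales_transaction", "created": date(2018, 1, 1), "name": "D. Person", "email": "d@example.com", "amount": 1200},
]

def run(today=TODAY):
    kept, log = apply_retention(SAMPLE, today)
    return kept, log, verify(kept, today)
```

Running `run()` deletes the expired complaint, anonymises the old transaction while keeping its amount, and the verification pass confirms nothing expired remains identifiable; `verify(SAMPLE, TODAY)` on the untouched data returns `False`, which is the failure the check is meant to catch.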

Organisations should be absolutely clear with individuals about what they mean by deletion and what actually happens to personal data once they have deleted it; the GDPR recommends this information is added to your privacy policy. It doesn’t have to display your whole internal retention policy and may only be a summary, but customers do need to be able to find and understand what is being done with their personal data.

Subject access requests (SARs)
But what do you do if a customer submits a subject access request and you no longer hold their data? In most cases you must respond to a subject access request within one month of receiving it; however, if you have already erased the information in line with the GDPR, you will not be required to provide individuals with that data.

We're here to help!
If you're a little late to the party and need to catch up on all things GDPR, check out our new course, which will help you better understand the regulation and help with managing the risk to your business.

However, if you can't make it to one of our half-day courses in London, our 50-minute online Data Protection course has got you covered. As well as mastering the art of transparent data processing and learning the importance of accuracy and storage limitation, you'll also gain an understanding of what activities could lead to a data breach and consequent penalties.

And it's not just courses we have to offer: our fantastic GDPR toolkit will help you to become compliant in no time at all. Not only do we have a plethora of practical resources which are downloadable from our website, we also have a dedicated legal helpline to help answer any of those tricky questions you're just not sure about.