Data Retention & The Forgotten Risks

Apr 15, 2026

Author: Hawsons

Matt Bruce

Managing Director of Bruce & Butler

Within organisations, data retention practices are frequently overlooked because of the belief that holding on to data for long periods (or indefinitely) will save time and effort in the future. Essentially, it is the ingrained mentality of 'why risk deleting data when we might need it later down the line?'

Whilst it has a strong allure as a 'safety first' approach, this is in direct conflict with UK data protection legislation, and it is one of the most common defences offered by businesses when confronted with the idea of permanent deletion.


WHAT IS RETENTION & WHY DO ORGANISATIONS NEED IT?

Data retention for companies subject to UK data protection legislation is governed by the storage limitation principle in Article 5(1)(e) of the UK General Data Protection Regulation. This means that personal data must not be kept in a form that identifies individuals for longer than is necessary for the purpose it was collected for.

The storage limitation principle rests on being able to justify holding the data, so businesses must look to their commercial, management and evidential needs for retaining it. As the Information Commissioner's guidance makes clear, holding on to data 'just in case' does not justify retaining it for longer than necessary.

Outside this core principle of the UK GDPR, some records fall under statutory retention requirements. These may include specific legal timeframes for HR records, tax and accounting records, or industry-specific regulatory requirements. Additionally, the limitation periods in the Limitation Act 1980 (for example, six years for most claims in contract or tort) give organisations a reason to keep certain records so that they can defend against potential legal action within that window.

Having a retention schedule not only helps to demonstrate accountability but also supports data management, legal compliance and a consistent approach to implementation.


HOW RETENTION SCHEDULES BENEFIT ORGANISATIONS IN PRACTICE

  • In terms of operational efficiency, defined retention periods cut storage costs and make data easier to sort through and find.
  • Holding data for limited periods reduces what an attacker can take in a cyber incident: data that has already been deleted cannot be exfiltrated, ransomed or leaked.
  • The less data you hold, the fewer records you have to locate, review and disclose in response to a data subject access request (DSAR). This can save a significant amount of time, as DSARs are often a lengthy process.


TIPS AND TRICKS TO TACKLE COMMON ISSUES WITH IMPLEMENTATION

  • Where automation isn't possible, manual data cleansing and reviews should be performed frequently and on a fixed cadence, not left to chance.
  • Hitting delete manually may only remove the live copy of the data; further copies may survive in backups, recycle bins and soft-deleted records, and each of those locations needs its own retention rule.
  • Align retention periods across systems where there are integrations or data syncs. This prevents situations where data is deleted from one system only to be restored by a sync from another; at a minimum, the deleting system should keep a record of what it removed so that a sync can recognise and refuse the stale copy.
  • If you still need the information but not the identity of the individual, consider anonymisation as an alternative to deletion. Note that data that is merely pseudonymised (for example, names swapped for a key that can be reversed) remains personal data under the UK GDPR and stays within the retention schedule.
  • Archiving and suppression are not deletion. Archived or suppressed data is still stored and may still be exposed to attackers in the event of a data breach.
  • Consider retention at the design stage of a project rather than implementing it retrospectively. This is part of a risk-based, forward-looking approach.
  • Accompanying the retention schedule with guidance and policies gives staff the understanding they need to enforce it appropriately.
  • Lastly, review retention schedules regularly. If you start using data for a new purpose, this should be reflected by an update to the document.


It’s important to note that a retention schedule is not set in stone. For many records it sets a guideline rather than a hard cut-off: when a record reaches its retention period, this opens a review in which you decide, based on current circumstances, whether there is still a genuine need to hold the data.

If you do decide there is a business need to retain the data for longer, document that decision and its justification for accountability purposes.
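To make the implementation tips and the review-period idea concrete, here is a small added example (not code from the original article or from Bruce & Butler) of a retention-schedule evaluator. The categories, periods, record IDs and the two "systems" are all constructed for illustration and are not a statement of any real statutory period. It shows three things: reaching the retention period opens a review rather than deleting automatically; an extension past the schedule is refused unless a justification is recorded; and a deleting store keeps tombstones so that a sync from a second system cannot quietly restore a record that has already been removed.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed schedule for illustration: category -> retention period in days,
# counted from the date the purpose ended. Real periods must come from your own
# statutory, contractual and evidential analysis, not from this table.
SCHEDULE = {
    "recruitment_unsuccessful": 180,
    "invoice": 6 * 365,
    "marketing_consent": 2 * 365,
}


@dataclass
class Record:
    record_id: str
    category: str
    purpose_end: date                       # when the purpose the data served ended
    legal_hold: bool = False                # e.g. subject to litigation: never auto-purge
    extended_until: Optional[date] = None   # only set together with a justification
    justification: str = ""


def expiry_date(rec: Record) -> date:
    """Date on which the record falls due for review under the schedule."""
    due = rec.purpose_end + timedelta(days=SCHEDULE[rec.category])
    return max(due, rec.extended_until) if rec.extended_until else due


def evaluate(rec: Record, today: date) -> str:
    """Return 'hold', 'keep' or 'review'. Reaching the period never deletes on
    its own: it opens a review, as the article describes."""
    if rec.legal_hold:
        return "hold"
    return "keep" if today < expiry_date(rec) else "review"


def extend(rec: Record, until: date, justification: str) -> Record:
    """Retain a record beyond the schedule. Refuses undocumented extensions."""
    if not justification.strip():
        raise ValueError("retention beyond the schedule must be justified")
    rec.extended_until = until
    rec.justification = justification
    return rec


class Store:
    """A system of record that remembers what it deleted (tombstones), so a
    sync from another system cannot quietly restore the deleted record."""

    def __init__(self) -> None:
        self.records: dict[str, Record] = {}
        self.tombstones: dict[str, date] = {}

    def add(self, rec: Record) -> None:
        self.records[rec.record_id] = rec

    def delete(self, record_id: str, today: date) -> None:
        del self.records[record_id]
        self.tombstones[record_id] = today

    def sync_from(self, other: Store) -> list[str]:
        """Pull records from another system; return the IDs refused because
        this store has already deleted them."""
        refused = []
        for rid, rec in other.records.items():
            if rid in self.tombstones:
                refused.append(rid)
            elif rid not in self.records:
                self.records[rid] = rec
        return refused


def demo() -> dict:
    """Walk one retention run across two synced systems (constructed data)."""
    today = date(2026, 4, 15)
    hr, crm = Store(), Store()
    for rec in (
        Record("cand-1", "recruitment_unsuccessful", date(2025, 6, 1)),
        Record("inv-7", "invoice", date(2024, 3, 31)),
        Record("inv-9", "invoice", date(2018, 1, 1), legal_hold=True),
        Record("mk-3", "marketing_consent", date(2023, 1, 1)),
    ):
        hr.add(rec)
    crm.sync_from(hr)                      # CRM now holds copies of everything

    first_pass = {rid: evaluate(r, today) for rid, r in hr.records.items()}
    # Review outcome: mk-3 is still needed (documented), cand-1 is not.
    extend(hr.records["mk-3"], date(2027, 1, 1), "active campaign; consent renewed 2026-03")
    hr.delete("cand-1", today)
    second_pass = {rid: evaluate(r, today) for rid, r in hr.records.items()}
    refused = hr.sync_from(crm)            # the stale CRM copy must not come back
    return {"first_pass": first_pass, "second_pass": second_pass,
            "refused": refused, "remaining": sorted(hr.records)}
```

Running `demo()` flags `cand-1` and `mk-3` for review on the first pass, keeps `inv-7` and holds `inv-9`; after the review, `mk-3` is retained with a recorded justification, `cand-1` is deleted, and the later sync from the CRM copy refuses to re-create it. In a real deployment the CRM would need the same tombstone logic in the other direction, and backups would need their own expiry rule, since nothing here reaches into them.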


SUMMARY

Building a retention schedule alongside a data protection framework is often put on the back burner: it is a collaborative effort that needs significant time and close cooperation from asset owners. However, the resources your organisation invests in formulating one can save more time in the long run, as well as saving you from potential regulatory enforcement later down the line.

If you would like advice on your organisation’s data retention practices or formulating a retention schedule alongside a data protection framework, please contact Bruce & Butler today.
