For compliance with GDPR, we must adhere to the third principle which is that records shall be ‘adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed’, which means that a Records Management Policy must be enforced: no more consigning everything to a storeroom.
Data can be valuable, or it can be a liability. For example, HMRC state that financial records should be retained for no longer than is required by law: for most such records this is the 6+1 rule, or six years plus the current year. In the event that you hold older data, your liability can extend back as far as the archive, while proper deletion and destruction of older data actually limits your liability.
So it is too with GDPR. Holding data which is obsolete or inaccurate, and perhaps accidentally processing it without consent, exposes the organisation to severe financial penalties. The rule of thumb is to delete all such data, as it adds no value to the organisation.
Management of organisational data is achieved through the application of a Records Management Policy: a set of rules which guide the retention and destruction of organisational data. For some organisations, the policy can be quite simple, and broken down into three retention categories: Short (less than three years), Medium (up to ten years), and Long (greater than ten years). It is widely accepted that computer software referred to as Records and Document Management Software (RDMS) can be of considerable assistance in executing the policy.
Newcomers to the topic might over-react, so before commencing a wholesale purge of data, bear in mind that other legislation can demand retention periods which conflict with the GDPR. In such cases, it is most likely that the Data Controller will argue that certain Personally Identifiable Information (PII) must be retained under the term ‘Legitimate Interest’. Legislation which can cause conflict includes the Freedom of Information Act (2000), the Financial Services Act (1986) and the Finance Act (2004).
Ultimately, in almost all situations, personal judgement will always be a factor because each member of staff will have to decide, for example, whether a telephone call was significant enough for a note of it to be kept, or an email deleted. Invariably, though, deletion of records is preferred to retention.
Six Potential Conflicts with GDPR
Despite the eight Rights of the Individual enshrined in the GDPR, such as the Right to Be Forgotten, one is bound to abide by other legislation. In such cases, the right of the individual cannot be used as a means of forcing the organisation to contravene other legislation.
(1) Business contracts, agreements, and other arrangements
The Limitation Act 1980 (Section 5) states that all business contracts, agreements and other arrangements need to be safely stored for the length of the contract and for six years afterwards.
(2) Pension schemes
The Registered Pension Schemes (Provision of Information) Regulations 2006 (No. 18) demand that business data and documents concerning pension schemes require a minimum storage time of six years.
(3) Medical examinations relating to hazardous substances
Regulation 10(5) of the Control of Substances Hazardous to Health Regulations 2002 stipulates that all work-related medical examinations related to hazardous substances must be stored for a minimum of 40 years from the date of the last entry made in the record.
(4) Dangerous substances
If you are in the business of supplying chemicals and other ‘environmentally damaging’ products, you need to comply with Article 49 of the Regulation No 1272/2008/EC. This legislation demands that all records pertaining to the classification, labelling, and packaging of these substances and mixtures are kept for a minimum of ten years from the date these products were last supplied.
(5) Workplace injuries
According to Regulation 12 of the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013, accident reports need to be retained for a minimum of three years. The maximum retention period is dependent upon the general restrictions regarding personal data.
(6) VAT records
The VAT Act 1994 (Schedule 11, paragraph 6) and HMRC Notice 700/21 (October 2013) mandate that you keep VAT records for a minimum of six years from the date they were made, even if filed electronically.