A few years ago, I had a lightbulb moment during a review of our Data Retention Policy. Our legal advisor at the time made a striking comment: “Data is toxic.” His point was simple yet profound—keeping data longer than necessary or holding onto more than you need only increases your exposure to risk.
This insight underscores a critical truth: data retention is something every organisation must take seriously. Whether driven by legislation or best-practice guidelines, you need to know what data you hold, why you hold it, and how long you intend to keep it. Moreover, you must have processes in place to ensure timely deletion of data that’s no longer required.
Creating a Data Retention Policy
Start with a clear and comprehensive Data Retention Policy. This document should outline:
- What data you collect.
- Why you collect it.
- How long you plan to retain it.
To make it user-friendly, include a table at the end that serves as a quick-reference retention schedule for employees.
Here are some key resources to guide you:
- Employee data: gov.uk outlines here what data an employer can keep about an employee
- Financial records: UK government guidelines for limited companies
Employee Lifecycle: What to Consider
Understanding data requirements throughout the employee lifecycle is essential.
- CV storage: If a candidate asks you to keep their CV on file, know the legal obligations and limitations.
- Onboarding: Be clear on the checks required for new hires and what information you need to retain.
- Employment records: Familiarise yourself with rules around storing employee data, such as maternity leave documentation, how long you need to keep data after an employee leaves and HMRC requirements.
Understanding GDPR and Subject Access Requests
Get comfortable with the seven principles of GDPR. These principles emphasise that you should only collect and store data you genuinely need, for as long as necessary, and ensure it is securely maintained.
Being GDPR-compliant also prepares you for handling Subject Access Requests (SARs), which give individuals the legal right to access their data. A robust Retention Policy will help you respond to these requests efficiently, as you’ll know exactly what data you hold, where it’s stored, and how long it’s kept.
In Summary
Data retention might feel daunting, but it doesn’t have to be. A simple, well-thought-out policy and clear processes can help you stay compliant, protect your organisation from unnecessary risk, and give you peace of mind. By managing your data thoughtfully, you’ll be better prepared for any eventuality, from audits to SARs.
Remember, data is only as valuable as your ability to manage it responsibly.