Friday 23 February 2018

GDPR: Take it to the limit

My GDPR blogs should now be making you think about how and why you are collecting and storing data, so I’d like to now discuss storage limitations; i.e. how long you are able to store data for.

GDPR is focused on encouraging responsible stewardship of data, and being responsible means not storing data indefinitely. The shift in responsibility means a shift in mindset: an organisation no longer owns a person’s data; it is simply on loan for a given task. Keep this in mind, consider what is fair and reasonable to the data subject, and do not ‘outstay your welcome’.

Although you cannot store your data indefinitely, there are no hard and fast rules. How long you store it for is up to you, to a certain extent, but you have to document how long you are storing it for and justify why that length of time was chosen. You have to ‘show your workings’ and show that your rationale is robust and fully considerate of the data subject.

If you have an annual event, you should be able to justify holding registration data for eighteen months, working on the premise that if someone came to your event in 2016 then you can hold their data and use ‘legitimate interest’ and the PECR ‘soft opt-in’ caveat to contact them about the 2017 event. If they don’t come to that event, then you will probably have to work much harder to justify holding their data for the 2018 event. That said, if you can prove that a significant percentage of your audience only attends your events every other year, then you may have a case. The justification is for the ICO, so it has to be documented and robust enough to stand up to investigation, should that occur.

If you cannot fully justify holding the data, then you will have to delete or anonymise it. Remember though, not all data is equal: whilst passport and bank details should be kept for the bare minimum amount of time (you cannot justify keeping hold of such sensitive information for longer than necessary), you should be able to justify keeping a contact name and email address for a lot longer.

Your privacy policy has to tell your data subject up front, at the time of collection, exactly how long you are going to store their data for, or at least how you will work out the storage period. It need not be a fixed period such as a year. You may wish to be more fluid, for example ‘for six months after the last event that you attended.’
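The retention rules described above (a documented period per category of data, sensitive details kept for the bare minimum, contact details kept for a set time after the last event attended, and anything no longer justified deleted or anonymised) are what a retention job has to enforce in practice. The following is an added example, not code from the original post, showing one way to express such a schedule and produce the audit trail that ‘shows your workings’. The categories, the periods in days and the sample records are all constructed assumptions for illustration; the actual periods are for you to decide and document.

```python
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Tuple

# Hypothetical retention schedule: one documented period per data category, in days.
# The periods are assumptions that mirror the post's own illustrations: roughly
# 18 months for registration data supporting an annual event, roughly 6 months
# after the last event attended for contact details, and a bare minimum for
# payment and passport details. They are not guidance on what your periods should be.
RETENTION_DAYS = {
    "payment_details": 30,
    "passport_number": 30,
    "registration_record": 548,   # about 18 months
    "contact_details": 183,       # about 6 months
}

# Sensitive categories are deleted outright once expired. Everything else is
# anonymised so aggregate attendance statistics (e.g. how many people attend every
# other year) survive without anything that links back to a person.
DELETE_ONLY = {"payment_details", "passport_number"}


@dataclass(frozen=True)
class Record:
    subject_id: str
    category: str
    last_event: date   # date of the last event this data subject attended


def retention_action(rec: Record, today: date) -> str:
    """Return 'keep', 'anonymise' or 'delete' for one record as of `today`.

    A category with no documented period is an error on purpose: the period must be
    decided and written down before the data is stored, not worked out later.
    """
    if rec.category not in RETENTION_DAYS:
        raise ValueError(f"no documented retention period for {rec.category!r}")
    age_days = (today - rec.last_event).days
    if age_days <= RETENTION_DAYS[rec.category]:
        return "keep"
    return "delete" if rec.category in DELETE_ONLY else "anonymise"


def anonymise(rec: Record) -> Record:
    # Strip the identifier and coarsen the date to the year, so the record still
    # counts towards attendance statistics but no longer identifies anyone.
    return replace(rec, subject_id="anonymous", last_event=date(rec.last_event.year, 1, 1))


def review(records: List[Record], today: date) -> Tuple[List[Record], List[Tuple[str, str, str]]]:
    """Apply the schedule; return the retained (possibly anonymised) records and an audit log.

    Each log entry names the subject, the action taken and the documented basis for it,
    which is the kind of evidence an investigation would expect to see.
    """
    retained, log = [], []
    for rec in records:
        action = retention_action(rec, today)
        basis = f"{rec.category}: {RETENTION_DAYS[rec.category]} days after last event {rec.last_event}"
        log.append((rec.subject_id, action, basis))
        if action == "keep":
            retained.append(rec)
        elif action == "anonymise":
            retained.append(anonymise(rec))
        # on "delete" nothing is retained
    return retained, log


# Constructed sample records for the annual-event scenario; `today` is the post's date.
SAMPLE = [
    Record("alice", "contact_details", date(2017, 10, 1)),
    Record("bob", "contact_details", date(2017, 6, 1)),
    Record("carol", "payment_details", date(2017, 12, 15)),
    Record("dave", "registration_record", date(2016, 6, 10)),
    Record("erin", "passport_number", date(2018, 2, 10)),
]

if __name__ == "__main__":
    kept, audit = review(SAMPLE, date(2018, 2, 23))
    for entry in audit:
        print(entry)
    print(f"{len(kept)} records retained, {len(SAMPLE) - len(kept)} deleted")
```

The point of keeping the schedule as data rather than scattered `if` statements is that the same table can be printed into the privacy policy and the retention log, so what you tell the data subject, what the job enforces and what you show the ICO are the same thing.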

This is another great example of how GDPR will be encouraging companies to adopt better data practices that are not just good for the data subject, but much better for business too. No business should be clinging on to data that simply isn’t relevant to them any more.

GDPR is open to interpretation and there is a reason for that: it has been introduced to encourage organisations to think about how they use data and to be considerate of the data subject, not just follow a checklist.