By now you should have undertaken your personal data inventory and be clear about your legal basis for processing personal data under the GDPR. This month is therefore a good time to carry out a data cleansing exercise to delete any personal data you no longer require or have no legal basis for processing.
The principles of data protection under the GDPR (and the Data Protection Act) emphasise the need to ensure data is relevant, accurate and not excessive or kept for longer than is necessary.
Your organisation therefore needs to consider why it needs to keep personal data and should ensure that any retention periods decided upon can be justified and are set out in a data retention policy.
You should consider your organisation’s data deletion processes. Is data deleted completely from your systems or will it remain archived? If it remains archived, consideration should be given to the rationale for retaining archived data, and this should be built into your organisation’s data retention policy.
A data retention policy will also be helpful when you come to update your privacy notices, as under the GDPR, privacy notices must include details of the period for which personal data will be stored or the criteria used to determine that period.
If you would like any further information about the GDPR and how it might affect your organisation, please download our Geldards Guide, or if you would like to discuss how Geldards can help with training on the GDPR, please do not hesitate to contact our Information Law Team.