Chris Roberts
Understanding the Purpose of processing (agree with Dave_W_CompClarity) is important here, but also so is the Lawful basis, as retention precedent may exist. In a recent project, my client had simply put 10 years down for all items in the retention column in their EXCEL RoPA – it’s all too easy to swipe down an EXCEL column isn’t it! When I asked them to justify this they couldn’t!
I’ve seen retention periods documented separately in a WORD Retention Policy document, but my concern there is that it’s highly likely to become a forgotten document like many others.
My advice is that retention periods are held in the RoPA at the very least. Even better, retention periods are held in a GDPR Management tool that provides far superior dynamic management of GDPR compliance.
HellenB
To be perfectly honest, this is where DP Organizer as a tool has been invaluable. It has forced us to have a conversation about each data category and purpose and document our decision. It has also enabled some of my clients to bring their policies into line with legal requirements.
Where possible, we have also added documentation of research/general practice to justify retention periods.
The most difficult thing about retention periods I find is policing them. Making sure the operational tools are in place to adhere to retention policies is very difficult.
Barry Moult
Working in Health in the UK, for best practice we mostly follow the NHS Records Management Code of Practice 2016 (due to be updated soon, draft version available). It not only covers health records but also HR, finance and estates. Remember these are minimum retention periods.
https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-and-social-care-2016
Dave_Wylie
Retention is an area that often trips people up and they find hard to implement. The key to this is actually to remember that retention must be tied to the PURPOSE that the data is being processed for. Once that guiding principle is understood, it becomes obvious that it is not as simple as it may seem. You need to consider all the touch points that the data being considered under that purpose is implicated in: systems, access points, legal entities (processors, controllers, joint controllers) etc. It will soon become evident that it is difficult to implement a one-size-fits-all approach (fully automated, semi-automated, manual), as the chances are that it will be a blend of all three. Ideally the ROPA that has been constructed should help in this regard.