0 Asked: February 1, 20212021-02-01T18:56:33+01:00 2021-02-01T18:56:33+01:00In: GDPR, Privacy Management What is the best way to set up a feasible retention policy? 0 Any ideas or templates one of you could share? Share Facebook 4 Answers Voted Oldest Recent Chris Roberts 0 Questions 42 Answers 0 Best Answers 42 Points View Profile Chris Roberts Silver contributor 2021-02-04T09:09:47+01:00Added an answer on February 4, 2021 at 9:09 am Understanding the Purpose of processing (agree with Dave_W_CompClarity) is important here, but also so is the Lawful basis, as retention precedent may exist. In a recent project, my client had simply put 10 years down for all items in the retention column in their EXCEL RoPA – it’s all too easy to swipe down an EXCEL column isn’t it! When I asked them to justify this they couldn’t! I’ve seen retention periods documented separately in a WORD Retention Policy document, but my concern there is that it’s highly likely to become a forgotten document like many others. My advice is that retention periods are held in the RoPA at the very least. Even better, retention periods are held in a GPDR Managment tool that provides far superior dynamic management of GDPR compliance. 0 Reply Share Share Share on Facebook Share on Twitter Share on LinkedIn HellenB 2 Questions 83 Answers 0 Best Answers 79 Points View Profile HellenB Silver contributor 2021-02-03T12:58:33+01:00Added an answer on February 3, 2021 at 12:58 pm To be perfectly honest, this is where DP Organizer as a tool has been invaluable. It has forced us to have a conversation about each data category and purpose and document our decision. It has also enabled some of my clients to bring their policies into line with legal requirements. Where possible, we have also added documentation of research/general practice to justify retention periods. The most difficult thing about retention periods I find is policing them. making sure the operational tools are in place to adhere to retention policies is very difficult. 0 Reply Share Share Share on Facebook Share on Twitter Share on LinkedIn Barry Moult 0 Questions 28 Answers 0 Best Answers 28 Points View Profile Barry Moult Bronze contributor 2021-02-02T18:00:13+01:00Added an answer on February 2, 2021 at 6:00 pm Working in Health in the UK for best practice we mostly follow the NHS Records Management Code of Practice 2016 (due to be updated soon, draft version available) It not only covers health records but also HR , finance and estates. Remember these are minimum retention periods. https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-and-social-care-2016 0 Reply Share Share Share on Facebook Share on Twitter Share on LinkedIn Dave_Wylie 8 Questions 21 Answers 0 Best Answers 19 Points View Profile Dave_Wylie Bronze contributor 2021-02-02T14:30:31+01:00Added an answer on February 2, 2021 at 2:30 pm Retention is an area that often trips people up and they find hard to implement. The key to this is actually to remember that retention must be tied to the PURPOSE that the data is being processed for. Once that guiding principle is understood, it becomes obvious that it is not as simple as it may seem. You need to consider all the touch points that the data that is being considered under that purpose, is implicated in; systems, access points, legal entities (processors, controllers, joint controllers) etc etc. It will soon become evident that it is difficult to implement a one size fits all approach; fully automated, semi automated, manual as the chances are that it will be a blend of all three. Ideally the ROPA that has been constructed should help in this regard. 0 Reply Share Share Share on Facebook Share on Twitter Share on LinkedIn Leave an answerCancel replyYou must login to add an answer. Username or email* Password* Captcha* What is 5 + 2? Remember Me! Forgot Password?