The direct hazards of non-compliance with GDPRJune 21, 2018
CCTV and GDPR – what you need to know to be GDPR compliantJuly 4, 2018
Attending a GDPR training session may not be on your summer’s bucket list but as the legislation begins to be better understood, and organisations start to get to grips with the impacts of the legislation, you may find out that knowing more rather than less will be a positive step for you and your organisation. The good news is that the more we have worked with businesses to support achieving and retaining their GDPR compliance the more business positives we have to report.
Storing historic personal dataOne of these positives relates to the storage of historic personal data in paper form or, as it is otherwise known, that cupboard full of archive boxes of customer records going back to the beginning of time. These historic files, which many SMEs have stored forever for some sort of posterity, are probably not needed. What’s more, they may also represent a breach of the General Data Protection Regulation (GDPR).
ICO advice on personal data storageThe ICO advice on personal data storage is that you must not keep it for ‘longer then you need it’. You need to really be able to justify how long you keep it and this will depend on your purpose for holding the data.
Through your data mapping and implementation journey you will hopefully have captured retention periods for certain types of data. These will be in line with business and industry needs. We recognise that the length of this period will vary between organisations and industry, but if in any doubt you may want to contact the ICO to verify your thinking.
Genuine purpose for holding personal dataYou might have a valid purpose for holding the information, for example it is industry best practice to retain evidence of work in case of future claims. But if you’re struggling to think of a genuine purpose for holding the data then you probably need to dispose of it. Your data mapping exercise should also have identified the purpose for keeping information.
Based on our experiences we believe there are many companies out there with cupboards, or even rooms, full of dusty company files, that there is simply no need to keep. So what a great time it is for a clear out. This file eradication process can not only create space but help keep the office more tidy and hopefully stop further boxes piling up elsewhere!
Have a clear out!If this sounds like your company then we suggest you consider undertaking the following:
- Identify the hard copy files that fall outside of the justified data retention justification.
- Double check the files are what they are described as. Are they what they say they are on the box?
- Arrange for secure shredding of these. You may have a company shredder but this could be time for a bulk secure shredding service.
- Set up a review process to ensure that, on a periodical basis that is practical and reasonable for your organisation, a secure purge of hard copy files is undertaken.
Storing data with the ‘just in case mentality’ can now be reversed to ‘do we really need to’ and that can lead to clearer thinking and clearer offices.
Find out more about how long you can keep past client data under GDPR and about the postives of GDPR.