Data retention policy

Do you need advice on a data retention policy? EM Law are experts in drafting and advising on data retention policies. Our lead data protection lawyer is Neil Williamson, who has extensive experience in advising clients on a wide range of data protection matters.

On 25 May 2018 the General Data Protection Regulation (GDPR) came into force. The GDPR ushered in a number of changes to data protection, including new data retention requirements for organisations.

What is a data retention policy?

A data retention policy is a document which sets out how an organisation classifies and manages the retention and disposal of its information. A data retention policy will usually cover all types and formats of data, including hard copy and electronic documents, emails, records, and digital media. Data retention policies also generally cover data that is held by third parties on an organisation’s behalf, such as cloud storage providers or offsite records storage.

Why do I need a data retention policy?

To comply with data protection legal requirements, an organisation needs to establish and document standard retention periods for the different categories of information it holds. It is also advisable for organisations to have a system for ensuring that these retention periods are kept to and are reviewed at regular intervals.

How do I create a data retention policy?

The data retention policy itself will set out the guiding principles for records management and data retention. The policy will, for example, set out the roles and responsibilities of those at the organisation and classify the types of data that they might encounter.

The actual time periods for retention will then be set out in a record retention schedule. This schedule will list the categories of documents that employees typically create and receive, as well as those that they infrequently handle. The schedule will then set out the retention period and explain the reason behind it.

What time limits should I include in a data retention policy?

Organisations should be aware that there are legal and regulatory requirements to retain certain data for a specified amount of time. A member of staff’s passport details, for example, must be kept for two years from the date on which they leave if the passport details were collected as evidence of that individual’s right to work in the UK. For other retention periods it may be useful to consider any relevant industry standards or guidelines, or whether you may need to keep information to defend possible future legal claims. You must also remember to take a proportionate approach to setting retention periods and ensure that your policy does not disproportionately impact on an individual’s privacy.

If you are looking for assistance with drafting your data retention policy, or want advice on data protection or GDPR more generally, contact Neil Williamson.
