The length of time you hold particular data for is a subjective decision for you to make … According to the Supper Club members, as long as you can justify where you obtained the data from and that consent was given, you should be able to keep it after GDPR takes effect. GDPR and personal data. The regulation replaced the current Data Protection Act. There is no limit for how long companies keep recorded phone calls, although in some industries there is a minimum amount of time that recordings must be kept for. For what timeframes do you genuinely need to keep the data? You must also be able to justify why you need to keep personal data in … Payroll records: Keep for 3 years from the end of the tax year that they relate to. How to judge necessity? As the General Data Protection Regulation (GDPR) deadline draws closer, you could have a few last-minute questions about the new law. Both employers and their employees have new responsibilities to consider to help ensure compliance. We can’t make the GDPR go away, but we can debunk a few myths and help you make sense of the parts of it that relate to customer feedback forms. It’s been a longstanding principle of European data privacy law that data should be held for “no longer than is necessary”. If you hold lead information for people from 2 years ago and you have never heard from them since initial contact and follow-up – is it worthwhile holding onto their data? How long to keep personal data raises lots of questions. The GDPR gives people a specific right to withdraw their consent. Do you need to? Obviously you also need to see just how long you want to store that data in the first place. This further means there is a time limit on how long customers’ data can be … The GDPR mandates that data should be deleted or anonymized once it is no longer needed for the purpose for which it was collected. So you will need to decide how long you need to keep personal data.
Here are a few: Working time records: Keep for 2 years from the date the records refer to. Full GDPR compliance for your entire organisation is a job for your Data Protection Officer, but we’ll help you make sense of the tiny bit of it which relates to sending satisfaction surveys. The number of GDPR-compliant features will continue to be rolled out throughout the year. The GDPR clamps down on the way organisations can collect and use data, and many people’s biggest concern has been the Regulation’s stringent rules on consent. We’ve put together this quick guide to help you stay on top of the new regulations on data retention. Look at the personal information you currently hold about clients and customers, where it came from, who you share it with and the length of time you keep it for. This is because health surveillance is often implemented in areas where there is a risk to health, and it can take a significant period of time before ill-effects are seen. The GDPR Act in itself does not set out a specific minimum or maximum data retention period, stating as the fifth data protection principle: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. As per the General Data Protection Regulation (GDPR), any personal data must not be kept any longer than it is necessary for the purpose for which the personal data is processed. You need to ensure that you put proper withdrawal procedures in place. You may need to hold past client information for a number of reasons, for example to perform a contractual obligation, to be able to defend future legal claims or simply because you are required to under other legislative requirements.
If an employee asks to find out what data is kept on them, the employer will have 30 days to provide a copy of the information. Published by Richard - Founder & CEO on April 9, 2018. Like us, you’ve probably seen hundreds of emails, articles and posts about GDPR, the new data protection regulations that became enforceable in May 2018. However, consent is only one of six lawful grounds for processing data, and organisations should only rely on it if none of the other grounds apply. The General Data Protection Regulation will come into force on 25th May 2018, legislation with new rules and guidelines on how to protect and process personal data. Employee personal data held may include: name, address, phone number, email address, emergency contact details, PPS number, bank account details etc. Until the booking is made? Promotions and Offers, Newsletters, Order Information, Sales Reports, Sales Statistics, Ensure availability, not overbooking, booking reports, marketing (types of people your accommodation appeals to etc.), lead generation, quote, follow-up contact, Lead generation, enquiries, marketing, SEO, promotions and offers, Check in your website to see how far back your enquiries go, Check in your website or CRM to see how far back your referrals are stored, Currently data is held by Google Analytics for “at least 25 months” but people have reported up to 5 years of data, Lead generation, enquiries, marketing, SEO, promotions and offers. This follows the fifth principle of the Data Protection Act 1998, which requires each company to make a judgement based on: The current and future value of the information. 22nd June 2017, Robert Clements. But, the first wave of GDPR features became available in a new version of SuperOffice CRM in February, 2018 - long before the May 25th deadline. through social networks). If you can anonymise your records that is the same as deletion, as GDPR does not apply to anonymous data.
GDPR is a set of legal requirements which will govern how organisations of every kind obtain, process and use the … keep these records of customers, visitors and staff for 21 days and provide data to NHS Test and Trace if requested display an official NHS QR code poster so … Under what lawful basis do you process that data? How to tackle data retention. It’s unlikely. Failure to report breaches within this timeframe will lead to fines. Company number: 11166227 - ICO registration: ZA310233 - © 2018 Astrid Data Protection Ltd. Do you have the policies and procedures in place to enable you to respond to individuals’ rights, for example to access that data or ask you to correct it? Clients are sometimes surprised when we tell them that GDPR does not set out specific time limits for data to be held. Europe in general has long had more stringent rules around how companies use the personal data of its citizens. Most companies collect data on their customers, such as name, address, business email, postal code, interests, purchased products, and usage patterns. All organisations generate information about their Customers, Staff, Suppliers, Finances and so on. Under the General Data Protection Regulation (GDPR), you can keep the personal data you hold on your clients for as long as you genuinely need it.
The Information Commissioner’s Office is clear that organisations cannot store data ‘just in case’ they need it at a future point so the ‘genuine need’ must be there and you must be able to communicate that need to the client through clear text in the paper or … The types of things you will be looking for here might be: Once you know what data you are dealing with and where it comes from – you can start to figure out what you are using it for, taking the list above: Once you have an idea of what data you hold and what you do with the data, look at how long you currently hold the different types of data for: Responding to enquiries, answering complaints, potential sales, potential bookings, technical questions, potential clients, lead generation, Newsletters, Promotions and Offers, Important information about changes to company or products etc. However, there are some changes that you may need to make to how you deal with personal information. The data controller needs to ensure that there are time limits on that too. 3. How to tackle data retention. GDPR & Accident Reporting – your ‘no yawn’ guide. GDPR does not specify retention periods for personal data. Do you hold information for customers that last purchased from your website in 2007? If a security breach occurs, you have 72 hours to report the data breach to both your customers and any data controllers, if your company is large enough to require a GDPR data controller. If you use analytics for tracking campaigns, how often do you run these campaigns – do you need to be able to compare new campaigns to previous campaigns? Length of Campaign or Promotion? On 23 May 2018 the General Data Protection Regulation (GDPR) was effectively integrated into the new Data Protection Act (DPA) 2018. GDPR and its role in how you handle your customer data.
Under the GDPR, businesses should not hold data for longer than is necessary, and they must have a legal ground in order to process any personal data for. Diana Bruce of the CIPP explains the ins-and-outs. The GDPR clamps down on the way organisations can collect and use data, and many people’s biggest concern has been the Regulation’s stringent rules on consent. Data Retention Policy: How Long Should You Keep Records? Right to data access It could be likely they don’t even have the same information – and you are no longer allowed to keep incorrect information. Once you have completed this analysis, update your privacy policy to reflect the information in the table – this lets people know clearly what you are doing with their data, how long you will store it for and why you will store it for that long.