Europe in general has long had more stringent rules around how companies use the personal data of its citizens. The Matheson team discusses best practices for data retention under GDPR. You need to ensure that you put proper withdrawal procedures in place. There are other statutory obligations, including health surveillance data, which should be kept for “40 years from the date of last entry”. Obviously you also need to decide just how long you want to store that data in the first place. Most companies collect data on their customers, such as name, address, business email, postal code, interests, purchased products, and usage patterns. The purposes and checks listed in the retention table include: promotions and offers; newsletters; order information; sales reports and sales statistics; ensuring availability and avoiding over-booking; booking reports; marketing (the types of people your accommodation appeals to, etc.); lead generation, quotes and follow-up contact; enquiries; SEO; checking your website to see how far back your enquiries go; checking your website or CRM to see how far back your referrals are stored; and noting that data is currently held by Google Analytics for “at least 25 months”, though people have reported up to 5 years of data (… through social networks). Information the users supply on contact forms should be kept as long as it takes to respond to the user and resolve the purpose of the enquiry. How does GDPR affect customer data? Are you able to confidently store that information securely? All organisations generate information about their customers, staff, suppliers, finances and so on. The GDPR mandates that data should be deleted or anonymized once it is no longer needed for the purpose for which it was collected. Both employers and their employees have new responsibilities to consider to help ensure compliance.
This further means there is a time limit on how long customers’ data can be … Subscribers: don’t forget that you need to check your subscribers want to stay subscribed! GDPR and its role in how you handle your customer data. Keep these records of customers, visitors and staff for 21 days and provide data to NHS Test and Trace if requested; display an official NHS QR code poster so … How to get rid of data when the retention period … Two years on from GDPR enforcement, does your house-keeping need a refresh? Under the GDPR, businesses should not hold data for longer than is necessary, and they must have a legal ground in order to process any personal data. Unfortunately, like the old idiom “How long is a piece of string?”, there is no set answer, but there are some steps you can take to figure it out. Google’s options for data retention are 14 months, 26 months, 38 months and 50 months, but there are no pointers from them on which option you should be selecting. The accountability principle will guide how you process all your customer data, and some processes that were previously just good practice will become legal requirements under GDPR. Once you have the current length of time, the next step is to ask why you keep it for this length of time and whether you need to. Until you make your annual reports? The EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018, and it tightens up the rules on how long you can keep personal data. Where to start? However, consent is only one of six lawful grounds for processing data, and organisations should only rely on it if none of the other grounds apply.
According to a survey conducted by the GDMA and Winterberry Group, 92% of B2B and B2C companies use databases to store personal data on prospects and customers. The GDPR clamps down on the way organisations can collect and use data, and many people’s biggest concern has been the Regulation’s stringent rules on consent. And obviously the customer needs to sign off on that to ensure that you are allowed to keep any copies of their data. Clients are sometimes surprised when we tell them that GDPR does not set out specific time limits for data to be held. If you use Google Analytics for monthly reporting and use these figures frequently, then you need to decide how long you need comparative data for. Under the General Data Protection Regulation (GDPR), you can keep the personal data you hold on your clients for as long as you genuinely need it. Do you need to? For what timeframes do you genuinely need to keep the data? According to the Supper Club members, as long as you can justify where you obtained the data from and that consent was given, you should be able to keep it after GDPR takes effect. You may need to hold past client information for a number of reasons, for example to perform a contractual obligation, to be able to defend future legal claims or simply because you are required to under other legislative requirements. How to judge necessity? The General Data Protection Regulation will come into force on 25th May 2018, legislation with new rules and guidelines on how to protect and process personal data. Employee personal data held may include: name, address, phone number, email address, emergency contact details, PPS number, bank account details etc. GDPR does not set specific time limits but requires that you only keep information for as long as is necessary for the specific reason that you originally collected it. GDPR is now in full effect and it contains explicit rules about how you process and secure data.
How long to keep personal data raises lots of questions. Once you get to this stage, you are ready for the final column. For this final column, it’s ok if the new amount of time is the same as the old amount of time, as long as you have a reasonable explanation for why you are holding it for this long. The GDPR introduced a duty on organisations to report certain types of serious personal data breaches to the Information Commissioner’s Office (ICO) within 72 … Next, delete the out-of-date and incorrect information that you hold for people. How long should members keep information for an advisory client, and what about the situation ... Children’s data. So how long should you be keeping people’s data for? The Information Commissioner’s Office says that in practice this means your company should take the following steps: update, archive or securely delete information if it goes out of date. Article 7(3) says: “The data subject shall have the right to withdraw his or her consent at any time.” 22nd June 2017, Robert Clements. If a security breach occurs, you have 72 hours to report the data breach to both your customers and any data controllers, if your company is large enough to require a GDPR data controller. GDPR does not specify retention periods for personal data. GDPR & Accident Reporting – your ‘no yawn’ guide. But you must state clearly what you will use their information for. Instead, it states that personal data … GDPR and personal data. While this is true of new data, Evans highlighted the lack of explanation around how historical information should be stored. We can’t make the GDPR go away, but we can debunk a few myths and help you make sense of the parts of it that relate to customer feedback forms.
The GDPR does not specify exact data retention timescales, and the reason for this, when you stop to think about it, is obvious: the periods for which you can justifiably keep data are necessarily context-specific. This means each department needs to review for how long it keeps personal data. As we creep ever closer to the GDPR deadline, businesses are likely to have plenty of questions about the implications that the new General Data Protection Regulations will have on the storage and destruction of confidential data. The data controller needs to ensure that there are time limits on that too. How long you should retain employee data under GDPR. Think about how long your company usually takes to hear back from somebody. How to tackle data retention. There is no limit for how long companies keep recorded phone calls, although in some industries there is a minimum amount of time that recordings must be kept for. Payroll records: keep for 3 years from the end of the tax year that they relate to. It is up to you to justify this, based on your purposes for processing.
If you use analytics for tracking campaigns, how often do you run these campaigns, and do you need to be able to compare new campaigns to previous campaigns? If you have a data breach, do you hold contact details to be able to contact the individual to tell them their data has been lost, stolen or destroyed? The GDPR Act in itself does not set out a specific minimum or maximum data retention period, stating as the fifth data protection principle: personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. There is no specific minimum or maximum period for retaining personal data; instead the Data Protection Act / GDPR states that personal data shall not be kept for longer than is necessary for that purpose or those purposes. On 23 May 2018 the General Data Protection Regulation (GDPR) was effectively integrated into the new Data Protection Act (DPA) 2018. Full GDPR compliance for your entire organisation is a job for your Data Protection Officer, but we’ll help you make sense of the tiny bit of it which relates to sending satisfaction surveys. With Google releasing news this week of new data retention controls for Google Analytics in response to GDPR requirements, which mean you can now decide how long you hold your users’ data for, we thought it might be useful to try and figure out just how long you should be holding data for.
Once you have completed this analysis, update your privacy policy to reflect the information in the table. This lets people know clearly what you are doing with their data, how long you will store it for and why you will store it for that long. The length of time you hold particular data for is a subjective decision for you to make … As the General Data Protection Regulation (GDPR) deadline draws closer, you could have a few last-minute questions about the new law. Handling data storage under GDPR in multiple locations. The GDPR is similar to the Data Protection Act (DPA), and so as long as you already comply with that, the effect on your business may be minimal. You plan to keep the data for 20 years … The GDPR does not dictate how long you should keep personal data. Length of campaign or promotion? Here are a few: Working time records: keep for 2 years from the date the records refer to. The types of things you will be looking for here might be: Once you know what data you are dealing with and where it comes from, you can start to figure out what you are using it for, taking the list above. Once you have an idea of what data you hold and what you do with the data, look at how long you currently hold the different types of data for: responding to enquiries, answering complaints, potential sales, potential bookings, technical questions, potential clients, lead generation, newsletters, promotions and offers, important information about changes to company or products etc. The Information Commissioner’s Office is clear that organisations cannot store data ‘just in case’ they need it at a future point, so the ‘genuine need’ must be there and you must be able to communicate that need to the client through clear text in the paper or …
You must also be able to justify why you need to keep personal data in … If you hold lead information for people from 2 years ago and you have never heard from them since initial contact and follow-up, is it worthwhile holding onto their data? GDPR is a set of legal requirements which will govern how organisations of every kind obtain, process and use the … This is because health surveillance is often implemented in areas where there is a risk to health, and it can take a significant period of time before ill effects are seen. The regulation replaced the current Data Protection Act. Under what lawful basis do you process that data? How long should you keep confidential documents before disposal? The GDPR brings in special protections for dealing with the personal data of children if information society services are offered directly to children (e.g. Diana Bruce of the CIPP explains the ins and outs. This follows the fifth principle of the Data Protection Act 1998, which requires each company to make a judgement based on: the current and future value of the information. Published by Richard, Founder & CEO, on April 9, 2018. Like us, you’ve probably seen hundreds of emails, articles and posts about GDPR, the new data protection regulations that became enforceable in May 2018.
It seems at least likely that you will store booking information up until the booking has passed. If you also use your booking information for annual reports and marketing analysis, this is fine, but you have to let users know this. It might be that you make reports seasonally or annually, whichever suits your business needs most, but do you really need the information from the family that booked in for 2 nights 10 years ago? Maternity, Paternity or Shared Parental Pay records: keep for 3 years after the end of the tax year that the payment stopped. Until the booking is made? It’s unlikely. If you are still unsure of how to deal with your data, get in touch with us and we can offer more individualised advice to your business. As per the General Data Protection Regulation (GDPR), any personal data must not be kept any longer than is necessary for the purpose for which the personal data is processed. 3 CRM features to help you manage customer data. It could be likely they don’t even have the same information, and you are no longer allowed to keep incorrect information. However, there are some changes that you may need to make to how you deal with personal information. Have you informed clients about the data you are holding? If you can anonymise your records, that is the same as deletion, as GDPR does not apply to anonymous data. So you will need to decide how long you need to keep personal data. How will you ensure that data is securely destroyed when the timeframe expires? The GDPR gives people a specific right to withdraw their consent. Look at the personal information you currently hold about clients and customers, where it came from, who you share it with and the length of time you keep it for.
If your subscribers have opted in in a GDPR-compliant way, then you can keep their information for as long as they stay subscribed. In less than six weeks GDPR will replace the Data Protection Act 1998 (DPA) to become law in the UK. Right to data access. We’ve put together this quick guide to help you stay on top of the new regulations on data retention. Check in your website or linked CRM to see how far back your referrals are stored. You might be wondering how long you need to keep … Data Retention Policy: How Long Should You Keep Records? This means that when you complete a research project, you should assess how long you need to keep the personal data relating to it, and anonymize or delete that data at the end of that period. Failure to report breaches within this timeframe will lead to fines. GDPR focuses primarily on two types of data: personal data and sensitive personal data. How much information do you really need to keep? It’s been a longstanding principle of European data privacy law that data should be held for “no longer than is necessary”. Organisations will have to decide on a series of policies for how long to hold customer personal data for, which will be … But the first wave of GDPR features became available in a new version of SuperOffice CRM in February 2018, long before the May 25th deadline. GDPR - The General Data Protection Regulation. If an employee asks to find out what data is kept on them, the employer will have 30 days to provide a copy of the information.
How long you are entitled to keep information: review the length of time you keep personal data; consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it; securely delete information that is no longer needed for this purpose or these purposes; and … Registered customers: orders, sales, billing info; analytics and cookies from website visitors. The GDPR is set to be implemented from May 25, 2018 and even though the United Kingdom is expected to leave Europe in the coming 12 months, … Data kept for too long without an update: your company/organisation runs a recruitment office and for that purpose it collects CVs of persons seeking employment who, in exchange for your intermediary services, pay you a fee. You are in the best position to judge how long you need it. Do you have the policies and procedures in place to enable you to respond to individuals’ rights, for example to access that data or ask you to correct it? Length of time for responding? Think about your company’s response rates and how long it generally takes for different types of enquiry to be dealt with.