GDPR Data Retention rules state that personal data should never be retained longer than strictly necessary to accomplish the set business purpose. This is of course a good thing to ensure everyone’s privacy as data that is deleted can no longer be (mis)used, exposed, hacked etc.
- Legislation in most EU member countries states that bookkeeping documents (e.g. invoices) should be kept for a period of 7 years. So the retention period here is 7 years or longer if any legal action is pending.
- After interviewing job candidates one should remove the personal data of those applicants that are not being retained, unless you gather consent from the applicant to remain on file for a specific period in order to be considered for a future position.
- When terminating a contract with an employee, the data should only be retained for as long as the local labour law prescribes and any potential legal action is pending.
You should make sure your firm has the right processes in place to ensure the personal data of its customers is removed or anonymised periodically. If your systems allow for automated removal of end-of-life data (e.g. log files that are automatically deleted after 6 weeks) be sure to leverage those capabilities. If no such automation is available to you, you should implement a manual process, taking into account the below:
- Periodically assess which prospect or customer entities have been inactive for long enough that the data should be removed from your systems
- If your system has no built-in delete function you should contact the software vendor. If no delete function is available to you, you should proceed to anonymise all personal data which forms part of those end-of-life entities e.g. people’s name, address, phone numbers, communications etc.
Also note that GDPR requires appropriate access control to be in place at all times. When a personal data file would no longer be relevant for the day-to-day e.g. an employee has left the company, the file should be archived and the access control should change so that less people have access as that is appropriate with its new relevance to the firm.