GDPR is a set of legal requirements which will govern how organisations of every kind obtain, process and use the … While this is true of new data, Evans highlighted the lack of explanation around how historical information should be stored. Review the length of time you keep personal data; consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it; securely delete information that is no longer needed for this purpose or these purposes; and … Registered Customers – Orders, Sales, Billing Info, Analytics and Cookies from website visitors. Right to data access. Check in your website or linked CRM to see how far back your referrals are stored. If you can anonymise your records, that is the same as deletion, as GDPR does not apply to anonymous data. We can’t make the GDPR go away, but we can debunk a few myths and help you make sense of the parts of it that relate to customer feedback forms. Booking Information (on your website or on a third party provider). Keep these records of customers, visitors and staff for 21 days and provide data to NHS Test and Trace if requested; display an official NHS QR code poster so … Handling data storage under GDPR in multiple locations. This is because health surveillance is often implemented in areas where there is a risk to health, and it can take a significant period of time before ill-effects are seen. Types of data. Subscribers * don’t forget that you need to check your subscribers want to stay subscribed!
The General Data Protection Regulation will come into force on 25th May 2018, legislation with new rules and guidelines on how to protect and process personal data. Employee personal data held may include: name, address, phone number, email address, emergency contact details, PPS number, bank account details etc. The GDPR clamps down on the way organisations can collect and use data, and many people’s biggest concern has been the Regulation’s stringent rules on consent. Length of campaign or promotion? Diana Bruce of the CIPP explains the ins and outs. This means that when you complete a research project, you should assess how long you need to keep the personal data relating to it, and anonymise or delete that data at the end of that period. It is quite likely they don’t even have the same information – and you are no longer allowed to keep incorrect information. As per the General Data Protection Regulation (GDPR), personal data must not be kept any longer than is necessary for the purpose for which it is processed. You might be wondering how long you need to keep … Data Retention Policy: How Long Should You Keep Records? However, consent is only one of six lawful grounds for processing data, and organisations should only rely on it if none of the other grounds apply. If you are still unsure of how to deal with your data, get in touch with us and we can offer more individualised advice to your business. The Matheson team discusses best practices for data retention under GDPR. Unfortunately, like the old idiom “How long is a piece of string?”, there is no set answer, but there are some steps you can take to figure it out. Obviously you also need to see just how long you want to store that data in the first place. How much information do you really need to keep? You need to ensure that you put proper withdrawal procedures in place.
You plan to keep the data for 20 years … GDPR & Accident Reporting – your ‘no yawn’ guide. However, consent is only one of six lawful grounds for processing data, and organisations should only rely on it if none of the other grounds apply. It seems at least likely that you will store booking information up until the booking has passed – if you also use your booking information for annual reports and marketing analysis, this is fine, but you have to let users know this – it might be that you make reports seasonally or annually, whichever suits your business needs most – but do you really need the information from the family that booked in for 2 nights 10 years ago? There are other statutory obligations, including health surveillance data, which should be kept for “40 years from the date of last entry”. You may need to hold past client information for a number of reasons, for example to perform a contractual obligation, to be able to defend future legal claims, or simply because you are required to under other legislative requirements. If you have a data breach, do you hold contact details to be able to contact the individual to tell them their data has been lost, stolen or destroyed? You are in the best position to judge how long you need it. With Google releasing news this week of new data retention controls for Google Analytics in response to GDPR requirements, which mean you can now decide how long you hold your users’ data for, we thought it might be useful to try and figure out just how long you should be holding data for? As we creep ever closer to the GDPR deadline, businesses are likely to have plenty of questions about the implications that the new General Data Protection Regulation will have on the storage and destruction of confidential data. GDPR - The General Data Protection Regulation. The data controller needs to ensure that there are time limits on that too. The regulation replaced the current Data Protection Act.
How long you are entitled to keep information. The General Data Protection Regulation will come into force on 25th May 2018, legislation with new rules and guidelines on how to protect and process personal data. Employee personal data held may include: name, address, phone number, email address, emergency contact details, PPS number, bank account details etc. The length of time you hold particular data for is a subjective decision for you to make … 3. If you use Google Analytics for monthly reporting and use these figures frequently, then you need to decide how long you need comparative data for. The GDPR Act in itself does not set out a specific minimum or maximum data retention period, stating as the fifth data protection principle: Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. According to the Supper Club members, as long as you can justify where you obtained the data from and that consent was given, you should be able to keep it after GDPR takes effect. How to tackle data retention. 22nd June 2017, Robert Clements. Data Protection, GDPR, General. Where to start? Two years on from GDPR enforcement, does your house-keeping need a refresh? Think about your company’s response rates and how long it generally takes for different types of enquiry to be dealt with. The GDPR mandates that data should be deleted or anonymised once it is no longer needed for the purpose for which it was collected. GDPR does not specify retention periods for personal data. Instead, it states that personal data … For what timeframes do you genuinely need to keep the data? If you hold lead information for people from 2 years ago and you have never heard from them since initial contact and follow up – is it worthwhile holding onto their data? But you must state clearly what you will use their information for.
GDPR does not set specific time limits but requires that you only keep information for as long as is necessary for the specific reason that you originally collected it. It’s unlikely. Once you have the current length of time, the next step is to ask why you keep it for this length of time and whether you need to. The number of GDPR compliant features will continue to be rolled out throughout the year. The GDPR (General Data Protection Regulation) came into force on 25 May 2018. Google’s options for data retention are 14 months, 26 months, 38 months and 50 months, but there are no pointers from them on which option you should be selecting. The GDPR is set to be implemented from May 25, 2018 and even though the United Kingdom is expected to leave Europe in the coming 12 months, … If a security breach occurs, you have 72 hours to report the data breach to both your customers and any data controllers, if your company is large enough to require a GDPR data controller. Payroll records: Keep for 3 years from the end of the tax year that they relate to. Until you make your annual reports? Organisations will have to decide on a series of policies for how long to hold customer personal data for, which will be … The GDPR is similar to the Data Protection Act (DPA), and so as long as you already comply with that, the effect on your business may be minimal. So you will need to decide how long you need to keep personal data. Look at the personal information you currently hold about clients and customers, where it came from, who you share it with and the length of time you keep it for. And obviously the customer needs to sign off on that to ensure that you are allowed to keep any copies of their data. Under the General Data Protection Regulation (GDPR), you can keep the personal data you hold on your clients for as long as you genuinely need it.
The EU General Data Protection Regulation (GDPR) comes into force on 25 May 2018, and it tightens up the rules on how long you can keep personal data. This follows the fifth principle of the Data Protection Act 1998, which requires each company to make a judgement based on: the current and future value of the information. 3 CRM features to help you manage customer data. Here are a few: Working time records: Keep for 2 years from the date the records refer to. Have you informed clients about the data you are holding? Both employers and their employees have new responsibilities to consider to help ensure compliance. GDPR and personal data. Full GDPR compliance for your entire organisation is a job for your Data Protection Officer, but we’ll help you make sense of the tiny bit of it which relates to sending satisfaction surveys. It is up to you to justify this, based on your purposes for processing. How will you ensure that data is securely destroyed when the timeframe expires? The GDPR Act in itself does not set out a specific minimum or maximum data retention period, stating as the fifth data protection principle: Where to start? The GDPR clamps down on the way organisations can collect and use data, and many people’s biggest concern has been the Regulation’s stringent rules on consent. According to a survey conducted by the GDMA and Winterberry Group, 92% of B2B and B2C companies use databases to store personal data on prospects and customers. How long you should retain employee data under GDPR. The GDPR gives people a specific right to withdraw their consent.
The types of things you will be looking for here might be: Once you know what data you are dealing with and where it comes from, you can start to figure out what you are using it for, taking the list above: Once you have an idea of what data you hold and what you do with the data, look at how long you currently hold the different types of data for: Responding to enquiries, answering complaints, potential sales, potential bookings, technical questions, potential clients, lead generation, Newsletters, Promotions and Offers, Important information about changes to company or products etc. Until the booking is made? GDPR focuses primarily on two types of data: personal data and sensitive personal data. Instead, it states that personal data … Full GDPR compliance for your entire organisation is a job for your Data Protection Officer, but we’ll help you make sense of the tiny bit of it which relates to sending satisfaction surveys. Next, delete the out of date and incorrect information that you hold for people. How to get rid of data when the retention period … How does GDPR affect customer data? How long you should retain employee data under GDPR. Under the GDPR, businesses should not hold data for longer than is necessary, and they must have a legal ground in order to process any personal data. Do you hold information for customers that last purchased from your website in 2007? How long should members keep information for an advisory client, and what about the situation ... Children’s data. This means each department needs to: review for how long you keep personal data. How long to keep personal data raises lots of questions. Are you able to confidently store that information securely? Clients are sometimes surprised when we tell them that GDPR does not set out specific time limits for data to be held.
Two years on from GDPR enforcement, does your house-keeping need a refresh? Once you have completed this analysis, update your privacy policy to reflect the information in the table – this lets people know clearly what you are doing with their data, how long you will store it for and why you will store it for that long. Failure to report breaches within this timeframe will lead to fines. You must also be able to justify why you need to keep personal data in … If an employee asks to find out what data is kept on them, the employer will have 30 days to provide a copy of the information. Data kept for too long without an update: Your company/organisation runs a recruitment office and for that purpose it collects CVs of persons seeking employment who, in exchange for your intermediary services, pay you a fee. The GDPR does not specify exact data retention timescales, and the reason for this - when you stop to think about it - is obvious: the periods for which you can justifiably keep data are necessarily context-specific. How to judge necessity? The GDPR does not dictate how long you should keep personal data. There is no limit for how long companies keep recorded phone calls, although in some industries there is a minimum amount of time that recordings must be kept for. The Information Commissioner’s Office says that in practice this means your company should take the following steps: update, archive or securely delete information if it goes out of date. If you use analytics for tracking campaigns, how often do you run these campaigns – do you need to be able to compare new campaigns to previous campaigns? As the General Data Protection Regulation (GDPR) deadline draws closer, you could have a few last-minute questions about the new law. If your subscribers have opted in in a GDPR compliant way, then you can keep their information for as long as they stay subscribed. How long to keep personal data raises lots of questions. How does GDPR affect customer data?
But the first wave of GDPR features became available in a new version of SuperOffice CRM in February 2018 - long before the May 25th deadline. How to judge necessity? Most companies collect data on their customers, such as name, address, business email, postal code, interests, purchased products, and usage patterns. *, Promotions and Offers, Newsletters, Order Information, Sales Reports, Sales Statistics, Ensure availability, not over booking, booking reports, marketing (types of people your accommodation appeals to etc.), lead generation, quote, follow up contact, Lead generation, enquiries, marketing, SEO, promotions and offers, Check in your website to see how far back your enquiries go, Check in your website or CRM to see how far back your referrals are stored, Currently data is held by Google Analytics for “at least 25 months” but people have reported up to 5 years of data, Lead generation, enquiries, marketing, SEO, promotions and offers. Information the users supply on contact forms should be kept as long as it takes to respond to the user and resolve the purpose of the enquiry. So how long should you be keeping people’s data for? Google’s options for data retention are 14 months, 26 months, 38 months and 50 months, but there are no pointers from them on which option you should be selecting. The GDPR introduced a duty on organisations to report certain types of serious personal data breaches to the Information Commissioner’s Office (ICO) within 72 … On 23 May 2018 the General Data Protection Regulation (GDPR) was effectively integrated into the new Data Protection Act (DPA) 2018. The Information Commissioner’s Office is clear that organisations cannot store data ‘just in case’ they need it at a future point, so the ‘genuine need’ must be there and you must be able to communicate that need to the client through clear text in the paper or … The Matheson team discusses best practices for data retention under GDPR.
Most companies collect data on their customers, such as name, address, business email, postal code, interests, purchased products, and usage patterns. In less than six weeks GDPR will replace the Data Protection Act 1998 (DPA) to become law in the UK. Think about how long your company usually takes to hear back from somebody. According to a survey conducted by the GDMA and Winterberry Group, 92% of B2B and B2C companies use databases to store personal data on prospects and customers. Maternity, Paternity or Shared Parental Pay records: Keep for 3 years after the end of the tax year that the payment stopped. How long should you keep confidential documents before disposal? Published by Richard - Founder & CEO on April 9, 2018. Like us, you’ve probably seen hundreds of emails, articles and posts about GDPR, the new data protection regulations that became enforceable in May 2018. There is no specific minimum or maximum period for retaining personal data; instead the Data Protection Act / GDPR states that: Personal data shall not be kept for longer than is necessary for that purpose or those purposes. Article 7(3) says: “The data subject shall have the right to withdraw his or her consent at any time.” We’ve put together this quick guide to help you stay on top of the new regulations on data retention. All organisations generate information about their customers, staff, suppliers, finances and so on. How to tackle data retention. Under what lawful basis do you process that data? Europe in general has long had more stringent rules around how companies use the personal data of its citizens. This further means there is a time limit on how long customers’ data can be … Length of time for responding? GDPR is now in full effect and it contains explicit rules about how you process and secure data. GDPR and its role in how you handle your customer data.
The GDPR brings in special protections for dealing with the personal data of children if information society services are offered directly to children (e.g. through social networks). However, there are some changes that you may need to make to how you deal with personal information. How to get rid of data when the retention period … The accountability principle will guide how you process all your customer data, and some processes that were previously just good practice will become legal requirements under GDPR. It’s been a longstanding principle of European data privacy law that data should be held for “no longer than is necessary”. Do you have the policies and procedures in place to enable you to respond to individuals’ rights, for example to access that data or ask you to correct it? Once you get to this stage, you are ready for the final column: For this final column, it’s ok if the new amount of time is the same as the old amount of time, as long as you have a reasonable explanation for why you are holding it for this long. Company number: 11166227 - ICO registration: ZA310233 - © 2018 Astrid Data Protection Ltd. Do you need to? GDPR does not specify retention periods for personal data. We can’t make the GDPR go away, but we can debunk a few myths and help you make sense of the parts of it that relate to customer feedback forms.