What is this data retention policy?
Company’s internal document: This data retention policy template sets out how long different types of records and data can be held by your business. Most businesses keep personal data for as long as it serves the purpose for which it was collected, but having a data retention policy in place keeps track of different categories of data, what they’re collected and used for, and acts as a useful resource for when data reviews occur.
Importance: Complying with data protection laws in the UK is a particularly important part of the day-to-day running of your business. Two of the key principles of UK data protection laws are storage limitation and data minimisation. This means that personal data should only be kept by your business for as long as it is necessary to achieve a particular purpose. It is critical to have a data retention policy in place to be able to achieve these principles - but why is that so important?
- Risk to reputation: Mismanaged data protection practices can lose the hard-earned trust of your customer base - having a clear policy in place reduces this risk;
- High-value fines £: In the event of a data breach or other non-compliance with data protection laws, your business could be exposed to multi-million pound fines and legal action - holding on to too much data for longer than it is needed increases the risk of a data breach;
- Regulatory investigations: Data breaches can lead to an ICO (the data protection regulator in the UK) investigation. In the event of an investigation, internal policies and procedures can be key to demonstrating that a business is complying with its obligations under UK data protection laws; and
- Practical steps: A clear data retention policy that sets out defined retention periods for different types of data and records, will lead to a consistent approach to data retention across your business.
When to use our data retention policy template: You would use this data retention policy template where you collect any personal information about any living individuals - whether that is your staff, customers, suppliers, shareholders or others. Given that practically speaking all businesses will process some personal data (even if it only relates to their staff), every business should have a data retention policy as a means of ensuring that it only keeps data for as long as it is necessary (as required by data protection laws). You should not use this document to set out policies and procedures for, or obligations on staff on how to approach, data processing generally - our data protection policy should be used as well.
What matters does this data retention policy template cover?
High-quality model clauses: Docue’s dynamic data retention policy template covers, among other things, the following matters:
- Data protection principles - the key principles of UK data protection laws that relate to data retention and how your business can satisfy them;
- Clear retention periods - a schedule can be included that sets out the retention periods that apply to different types of data (and the rationale for choosing those periods). Including these periods will help your company demonstrate its accountability requirements under data protection laws, and lead to better consistency across the organisation in how long data is held for;
- Who to contact with questions about the policy - whether there is a formal data protection officer in place, or another person responsible for data protection compliance within your business; and
- A process for reviewing the policy - a clear process for ensuring the policy remains up to date and reflects your current business operations.
Source of information for staff: A key reason for having a data retention policy is to provide information for staff on the actions they should take to enable the business to be and remain compliant with data protection laws. This includes who to contact if they have questions and how long different types of personal data should be kept.
We support you through the drafting: Docue’s platform allows you to create and store a compliant data retention policy at the touch of a button using a lawyer-grade template as a starting point and automated guidelines to steer you in the right direction from start to finish.
Easily customisable: You can easily amend Docue’s data retention policy to fit your organisation's requirements, so that it is adapted to your business operations.
Tags: data retention policy, retention schedule, data retention policy template, data retention schedule, records retention, UK GDPR