A fresh look at your data retention policies and practices will help to ensure your organisation remains compliant post-Brexit.
It is almost two years since the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) came into force on 25 May 2018. The Data Protection Act (DPA) 2018 came into force on the same day. The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 SI No 419 make changes to the GDPR and to the DPA 2018 so that the law continues to function after the UK has left the EU. Therefore, you still need to comply with the relevant requirements. If you spent a lot of effort making sure your organisation was compliant in 2018, you may have heaved a sigh of relief and thought ‘that’s done’, but things can move on without you really noticing. Are you sure you still comply?
Where to start
In my experience, it is rare for one person in an organisation to know all the types of data that it holds and where it is kept. It is important to ask people carrying out key activities what they are actually doing, as that is often different from what you think. You need to be clear that this is an information-gathering exercise to make sure the organisation has compliant procedures in place and that you want to help them be compliant. If they think you are trying to catch them out and punish them, they may be less than totally frank. For example, I found that some caseworkers who were largely working from home providing an outreach advice clinic had been keeping a few paper files at home rather than on the organisation’s digital case management system due to connectivity problems. This raised a short-term issue (to make sure these were kept in locked filing cabinets) as well as a longer-term one, which was to make it easy for them to maintain 100 per cent electronic case recording.
Where to look
Think about IT changes you have made since 2018. Have you changed your case management system? Have you changed your accounting system? Have you started collecting data in a new way? For example, have you started to use a client contact form on your website? What happens to the personal information people put into the form? It transfers to your office and you contact the client, but what happens to the data gathered by the website? It must be somewhere. How long is it retained? How often is it securely destroyed? If your website were to be hacked, the hacker could obtain personal information about your clients and potential clients, so you would want to minimise that risk.
There are many advantages to your data being stored ‘in the cloud’ rather than on a server in your office – but that really means it’s being held on someone else’s physical server in another location. Do you know where that is? It could be anywhere in the world. Do you know what protections are in place?
Review and update
Have you revisited your assessment of the lawful basis on which you hold data? Where you need to obtain consents (for example, for those asking to be included on distribution lists for email updates, marketing, etc), you need to keep records. Are they up to date? You need to inform those whose data you hold (data subjects) of the lawful basis under which you will hold it, what you will use it for, and how long you will hold it. You also need to provide directions about how to complain to the Information Commissioner’s Office (ICO) if a data subject has a problem with the way you handle their information. These things should be covered in your client care letters. But what about staff and potential staff members when you gather data through recruitment exercises?
You may need to review your data retention policies, both hard copy and electronic, including, for example, emails. Have you been complying with them? The ICO would be likely to take a dim view of an organisation that had a breach in respect of data that should have been destroyed under its data retention policy.