The importance of a data retention policy for GDPR and for your business

28 Aug 2018

Data retention is crucial for General Data Protection Regulation (GDPR) compliance and business data security. For example, BackupVault keeps up to 60 days of its own business data secure and accessible, which suits the industry we operate in, and the type and volume of data we create.

For some businesses and organisations, though, this isn’t enough. Those operating in the finance sector, for example, will need to securely store – and ensure swift access to – transactional data from several years ago. And they will often look to a trusted provider to help them develop a robust and industry-appropriate data retention policy. This will include an appropriate data-retention period, ensure a key aspect of GDPR compliance, and provide the business and its customers with simple and secure access to the data it generates.

What is a data retention policy?

A data retention policy is a business or organisation’s established protocol for retaining information that supports its operations and/or supports regulatory compliance. Wherever possible, it should adhere to data retention best practices, and for UK and EU businesses it will be a key part of their GDPR compliance strategy. Often, data retention practices will involve secure cloud backups to protect customer and transactional data.

What should your data retention period be?

There are no hard and fast rules for the period of time you retain data, but it must be appropriate to the sector you operate in, and not mean you’re simply holding data because you don’t know what else to do with it – or ‘might need it one day’. You must clearly set out your data retention period, along with rationale, in your data retention policy.

Data retention policy and GDPR

Now GDPR is in full effect, businesses have clearer guidelines on how long they retain customers’ personal data for. Aspects of customers’ financial data, for example, will need keeping for longer periods, and with stricter security, than other types of data that simply support targeted marketing campaigns. And when it’s no longer needed, it must be deleted securely from a business’ systems and databases. Businesses must have a GDPR compliant backup system and also be able to delete a customer’s data on request if they no longer require a product or service, under the ‘right to be forgotten’ rule.

This also reduces the amount of out-of-date and irrelevant data lying around in business’ databases. GDPR is designed to instil efficiency and accuracy, as well as protect consumers’ rights over how their data is held and used.

A key thing to note here – and a central theme in GDPR as a whole – is that all businesses holding customer data must be fully transparent about precisely what data they have, what it is used for, and how long they will hold it.

Creating an effective data retention policy

An effective and GDPR compliant data retention policy needn’t be overly complicated or expensive to achieve, and there’s plenty of expert help out there from providers like BackupVault, who prepared for GDPR well in advance of its implementation.

In creating your data retention policy, it can be useful to understand some of the data retention best practices that storage and cloud backup providers have identified and adopted, and to learn more about the essentials of data retention regulations. BackupVault can help with this, and also ensure you have the best backup solutions in place for your business and customers.

In the meantime, here are a few things to consider in creating a data retention policy in line with your business activities…

GDPR is all about accountability as well as transparency, so set out the categories of data your policy will cover, what the terms are, and who holds responsibilities and obligations to oversee and enforce them. Whoever deals with Human Resources, for example, will need a specific policy for retention periods regarding specifics of personal data, and base these on a viable business-related reason for holding it. It’s typical to delete records relating to recruitment within six months of successfully filling a vacancy – and you’ll need to make this clear in your GDPR-compliant data retention policy.

It can also be really helpful to understand the legal basis for retaining each category of personal data, and any relevant stipulations for storing special categories of data, such as criminal records, health data or other sensitive or personal information. In short, as well as being outwardly transparent about their data retention policy and procedures, businesses should also make them easy to understand and enforce.

Advantages of cloud-based data retention

Okay. Let’s get back to how you store and secure the data you hold. What is the most effective way to keep data safe, manageable and accessible – in line with your data retention policy, and with GDPR compliance? Well, cloud backups fit the bill in several key ways…

For one, they provide an off-site, non-physical back up, so they protect data you hold against any hard-drive or in-house server failures. If something does go wrong in the office, you know your customers’ data is safe and sound in the cloud. This also makes recovery of data to your systems much faster. This is why cloud backups are increasingly popular under GDPR.

An obvious but crucial benefit with cloud backups, now that management of and access to customer data needs to be swifter and more straightforward, is that you can reach it from anywhere in the world with an internet connection. And if you encrypt your cloud backups, the security of that connection is far less of an issue, as the data is useless to anyone but you. In fact, you really should consider encryption as part of your data retention policy. It’s a quick and simple way to boost security of sensitive data, and forms a key part of a robust data retention policy

Talk to BackupVault about simple and cost-effective ways to bring your data retention policy up to best-practice standards, and ensure you avoid any headaches with data management.