We’ve been working with financial and insurance companies getting them in-line with the GDPR and the most common questions asked are around data retention and the right to be forgotten.
The GDPR does not tell you exactly what you need to do for data retention. You will need to make judgment calls on how long you should hold the data for. You need to get into the position where you could prove to the regulator (the ICO in the case of the UK) that you have the grounds to hold and/or process the data.
Are the ICO and FCA at odds?
The ICO and the FCA have been working together to make sure that the GDPR and the FCA Handbook work together. The FCA say that their requirements apply to the GDPR. Under the “Right to be Forgotten” principle, the GDPR states that personal data can be kept with legal obligations:
“for compliance with a legal obligation which requires processing of personal data by Union or Member State law to which the controller is subject”
This means that the GDPR gives way to the laws you would need to abide by in your country. Therefore, in the UK, the FCA’s (and PRA’s) rules would need to be complied with, and not forgetting HMRC for employee data.
How long is reasonable to keep data?
HMRC state that you should keep employees’ information for 3 years from the end of the tax year they relate to.
For your customer’s financial records, the FCA handbook states different retention requirements depending on the type of data that you keep (see SYSC Sch 1 Record keeping requirements), and this could be anywhere between 3 to 10 years.
The general rule of thumb that should be used is to prove that you can legally store and process the data. This problem is slightly clearer with the FCA’s handbook, but you would need to investigate the type of data you process and hold, and the purpose for keeping it.
How do I know what can and can’t be stored?
As mentioned above, you need to prove that the data that you store is for legitimate purposes and the law will take precedence. But there will be circumstances where you’re collecting and using data that isn’t covered under the FCA or PRA, such as personal data used for marketing purposes. Generally you can only use and store the data for as long as it is required and if you have the permission to use it.
How should backups and archives be treated?
Firstly, you should make sure that your “live” systems process and store only the data that is a business requirement and you are given the permission to process and store it by the data subject (the individual).
You should be performing backups regularly and you’ll need to understand what is being backed up and how long those backups are retained for. We would recommend that you segregate the backups depending on the type of data being backed up, or the system that the data originates from. This gives you the control to apply retention policies depending on the type of data being backed up. A “sliding window” can then be applied that erases backups based on how old the data is, such as automatically deleting backup data over 5 years old for financial data, and over 3 years old for employee data. The data can then be dealt with as data falls outside of this retention window.
Backup and archive systems should be designed to comply with the data subject’s right to erasure. In practice achieving this is very difficult in backup systems that haven’t been designed to rifle through systems looking for individual records. Therefore, a more pragmatic approach would need to be created. This is where creating procedures is important and mentioned below.
Practical steps that you can take
- Understand where and what the data you store/process is
- Create a data retention policy that clearly states how long each type of data can be held for
- Create procedures for backing up the data; ideally segregating the backups and implement automatic erasure procedures that can delete data after a specified time period resulting in complying with your data retention policy
- Ensure that all backups are secured (encrypted and access is granted to specific staff)
- If individual records cannot be accessed for deletion, ensure that archiving is used where access is very limited.
Privacy is changing and laws are strengthening to put the control of individual’s data back in their hands. The GDPR has outlined these rights and the right to be forgotten is one of those principles that is very difficult to achieve practically. There will never be a perfect solution that fits all organisations but adhering to the GDPR’s principles can be accomplished by being practical and pragmatic.
If your organisation is required to meet regulations such as GDPR and standards such as PCI-DSS and ISO27001, we can keep you compliant. Find out how here.