Despite the arrival of 2020 and a supposed ‘oven-ready’ Brexit deal, there is still some uncertainty as to whether we will see a ‘No Deal’ Brexit and what this means for personal data flow between Europe and Britain.
As GDPR doesn’t tell you precisely what you need to do for data retention, you will need to establish your own retention rules:
First, you need to show that the data you store is held for a legitimate purpose; where the law requires you to retain data, that legal requirement takes precedence.
There will be circumstances where you are collecting and using data that isn’t covered by Financial Conduct Authority (FCA) or Prudential Regulation Authority (PRA) rules, such as personal data used for marketing purposes.
Generally, you can only use and store data for as long as it is required and if you have permission to use it.
HMRC state that you should keep employee information for three years from the end of the tax year they relate to.
For your customer’s financial records, the FCA handbook states different retention requirements depending on the type of data that you keep - see SYSC Sch 1 Record keeping requirements - these can be anywhere between three to ten years.
The general rule of thumb is to prove that you can legally store and process the data. Identify the type of data you process and hold, along with the purpose of keeping it.
First, make sure your live systems process and store only the data that is a business requirement, and that the data subject (the individual) has permitted you to process and store it.
Perform backups regularly and understand what is being backed up and how long those backups are kept. We recommend that you segregate backups depending on the type of data being backed up, or from which system that the data originates. This gives you the control to apply retention policies depending on the type of data being backed up.
A sliding window can then be applied that erases backups based on how old the data is: for example, automatically deleting backups of financial data that are more than five years old, and backups of employee data that are three years old or more. Data is then dealt with as it falls outside its retention window.
Backup and archive systems should be designed to comply with the data subject’s right to erasure. In practice achieving this is very difficult in backup systems that haven’t been designed to rifle through systems looking for individual records. Therefore, a more pragmatic approach is needed.
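The following is an added illustration of the segregated, sliding-window retention just described; it is example code written for this page, not code from the original article. The five-year window for financial data and the three-year window for employee data are the figures quoted above. Everything else is an assumption made for the example: the "marketing" data class and its window, the backup inventory and dates, the subject identifiers, and the erasure-ledger approach, which is one pragmatic way of honouring the right to erasure when backup media cannot be edited in place (record who asked to be erased and suppress their records on every restore, while the media ages out of the window).

```python
from dataclasses import dataclass
from datetime import date

# Retention window per data class, in years. The five-year financial and
# three-year employee figures are the ones quoted above; "marketing" is a
# constructed class for data outside FCA/PRA scope and its window is assumed.
RETENTION_YEARS = {"financial": 5, "employee": 3, "marketing": 2}


@dataclass(frozen=True)
class Backup:
    backup_id: str
    taken_on: date
    data_classes: frozenset    # classes of data the backup contains
    legal_hold: bool = False   # e.g. a regulator or litigation request


def retention_window(data_classes):
    """Years to keep a backup: the longest window of any class it contains.
    A mixed backup inherits the longest window, which is why segregating
    backups by data type matters: otherwise employee data rides along with
    financial data and cannot be erased at three years."""
    unknown = set(data_classes) - RETENTION_YEARS.keys()
    if unknown:
        raise ValueError(f"no retention policy for {sorted(unknown)}")
    return max(RETENTION_YEARS[c] for c in data_classes)


def expiry_date(backup):
    """First date on which the backup falls outside its sliding window."""
    year = backup.taken_on.year + retention_window(backup.data_classes)
    try:
        return backup.taken_on.replace(year=year)
    except ValueError:                 # taken on 29 February
        return backup.taken_on.replace(year=year, day=28)


def apply_sliding_window(backups, today):
    """Split backups into (to_delete, to_keep) as of `today`. A legal hold
    always wins over the window: a legal obligation to retain takes precedence."""
    to_delete = [b for b in backups if not b.legal_hold and expiry_date(b) <= today]
    to_keep = [b for b in backups if b not in to_delete]
    return to_delete, to_keep


class ErasureLedger:
    """Assumed pragmatic handling of the right to erasure for backups: the
    media are not rewritten; instead subject identifiers whose erasure was
    requested are recorded and their records are dropped on every restore,
    while the media itself ages out of the retention window."""

    def __init__(self):
        self._erased = {}              # subject_id -> date request received

    def request_erasure(self, subject_id, received_on):
        self._erased[subject_id] = received_on

    def filter_restored(self, records):
        return [r for r in records if r["subject_id"] not in self._erased]


def run_example(today=date(2020, 1, 15)):
    """Constructed backup inventory; returns the ids affected so the outcome
    can be checked."""
    backups = [
        Backup("fin-2014-11", date(2014, 11, 1), frozenset({"financial"})),
        Backup("fin-2015-06", date(2015, 6, 1), frozenset({"financial"})),
        Backup("hr-2016-10", date(2016, 10, 1), frozenset({"employee"})),
        Backup("hr-2017-03", date(2017, 3, 1), frozenset({"employee"})),
        # mixed set: its employee data is now kept five years, not three
        Backup("mixed-2016-01", date(2016, 1, 10), frozenset({"employee", "financial"})),
        # outside the window, but under legal hold
        Backup("hr-2016-02-held", date(2016, 2, 1), frozenset({"employee"}), legal_hold=True),
    ]
    to_delete, to_keep = apply_sliding_window(backups, today)

    ledger = ErasureLedger()
    ledger.request_erasure("S-102", date(2019, 12, 2))
    restored = [{"subject_id": "S-101"}, {"subject_id": "S-102"}]  # constructed
    visible = ledger.filter_restored(restored)

    return {
        "delete": [b.backup_id for b in to_delete],
        "keep": [b.backup_id for b in to_keep],
        "restored_subjects": [r["subject_id"] for r in visible],
    }
```

Running `run_example()` as of 15 January 2020 marks the 2014 financial backup and the October 2016 employee backup for deletion, keeps the held backup despite its age, and keeps the mixed backup until 2021 because its financial data extends the window over the employee data inside it. The erasure ledger then drops subject S-102 from the restored records.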
The ICO and FCA worked together to make sure that GDPR and the FCA Handbook complemented each other. The FCA says that its requirements apply alongside GDPR. Under the right to be forgotten principle, GDPR states that personal data can be kept where there is a legal obligation to do so:
“For compliance with a legal obligation which requires processing of personal data by Union or Member State law to which the controller is subject.” This means GDPR gives way to laws you need to abide by in your country; therefore, in the UK, the FCA’s (and Prudential Regulation Authority’s) rules would need to be complied with.
And don’t forget HMRC rules for employee data. These state that employers can only keep the following data about their employees without their permission:
For full information, take a look at the HMRC website.
Privacy is changing and laws are strengthening to put the control of individuals’ data back in their hands. GDPR has outlined these rights, and the right to be forgotten is one of those principles that is very difficult to achieve practically.
There will never be a perfect solution that fits all organisations, but adhering to the GDPR’s principles can be accomplished by being practical and pragmatic.
If your organisation is required to meet regulations such as GDPR and standards such as PCI-DSS and ISO27001, we can keep you compliant.