The GDPR will undoubtedly involve a shake-up of the way businesses approach and, crucially, evidence their data protection compliance, not least in terms of how they retain personal data. We consider the implications of GDPR on data retention below.

Building on current practice

Notwithstanding the plethora of guidance and draft legislation we have seen over many months, it is important that organisations processing personal data bear in mind that the fundamental principles underpinning data protection as set out in the Data Protection Act 1998 (DPA) are in essence repeated in the principles which underpin the GDPR.

The fifth data protection principle - data retention

The DPA's fifth data protection principle provides that personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose(s). It is therefore incumbent on any data controller and/or processor (including employers) under the existing legislation to be aware of what data it is processing, for what purpose and for how long the organisation reasonably needs to hold that data.

The GDPR places a higher evidential burden on data controllers and processors to demonstrate that they have actively engaged with the topic of data retention as well, of course, as increasing the fines to which organisations are exposed for non-compliance. For those employers who have lost sight of the data they hold and why they retain it, it is important that they carry out a data audit and engage with the topic of retention ahead of 25 May.

Retention periods

There are no hard and fast rules on how long personal data should be retained and so what is appropriate will vary depending on the type of data processed and an employer's own working practices.

Looking, for example, at a CV provided by a job candidate. It is likely to be reasonable in the majority of cases for an organisation to rely on performance of a legal obligation/defence of legal claims as a lawful basis for holding that CV for a period of six months following the particular recruitment campaign in which the job candidate took part, as it will form part of the evidence should a legal challenge be brought (taking into account the ACAS early conciliation period and the time limit for issuing of claims in the employment tribunal). However, if, for example, the candidate in question was applying for a graduate role and the organisation operated an annual graduate recruitment cycle, there could be a reasonable case for keeping key information from the CV, such as a summary of skills and contact details, for up to a year.

For employees departing the business, there will be details such as their emergency contact and bank account details which should be deleted immediately in most circumstances, as the employer will no longer require that data once the employee leaves and the final salary payment has been made to them. Employers may consider it appropriate to retain other employment data for up to six years to wait out the statutory limitation period for breach of contract claims in England and Wales (for employers in Scotland this would be five years). Thereafter, there is likely to be certain minimum data which an organisation should retain simply for the purpose of being able to provide employment references.

There cannot be a one size fits all rule for retention periods, so each organisation will need to consider and identify every type of personal data it retains as well as evidence its own thought process when setting retention periods for that type of data.

Documenting data retention

As well as updating contracts of employment and data protection policies, employers will need to ensure that they put appropriate privacy notices in place for employees (both current and former), job candidates and the wider workforce, such as volunteers, agency workers and consultants, to include setting out the personal data which the organisation collects, the lawful basis for processing and for how long the relevant category of data is retained. Where an employer is seeking to rely on its legitimate interests to retain data, it will be necessary for an employer to go through an additional assessment exercise in order to balance those interests against the data subject's privacy rights.

It may be appropriate, depending on the size of the organisation and complexity of data retention, for the organisation to consider a separate data retention policy, though this is by no means essential if retention can be adequately covered in privacy notices. Any retention policy should identify each type of personal data collected, where it is retained, and the period for which it will be retained.