Search
Contact Us
NewsletterThis comprehensive guides take you through the key steps and considerations when approaching data retention. Whether you’re starting out or reviewing your retention policy and schedules, we hope this guide will support your work.
The guide, first published in June 2020 was developed and written by data protection specialists from a broad range of organisations and sectors. A huge thank you to all those who made it possible.
Creating and maintaining Records of Processing Activities, is a core data protection obligation for many businesses, but it’s clear it’s an area many struggle with.
Our Privacy Pulse Report 2022 revealed this to be the top challenge facing DPOs and privacy teams.
It’s an area which was raised in the UK Government’s consultation on UK data law reform. Proposals included introducing a more flexible and proportionate approach to record keeping.
Currently, the level of detailed required under UK GDPR makes records time consuming to create. Maintaining these records over time as your business processing evolves requires resources and ongoing engagement from across the organisation.
However, even if the data reform proposals go through, it’s clear businesses won’t be able to rip up and disregard recording keeping activities.
Maintaining a central record of what personal data you hold, what it’s used for, where it’s stored, how its protected and who it’s shared with is a sensible and valuable asset for any organisation.
6 reasons why your RoPA should be a valuable asset
1. Risk awareness
Identifying and recording your business activities means you can fully understand the breadth and sensitivity of your data processing. This can help you to clearly identify where data protection risks lie, so you can establish priorities and fully get to grips with mitigating these risks.
2. Lawful processing
Confirming and recording which lawful bases you’re relying on for each processing task means you check you’re meeting the relevant conditions for this basis. Be it consent, contract, legitimate interests and so forth.
3. Personal data breaches
Your RoPA should be the ‘go to’ place if you suffer a breach. It can help you to identify what personal data may have been exposed and how sensitive that data is, who might be affected, which processors might be involved and so on. Helping you to make a rapid risk assessment (within 72 hours) and helping you make good decisions to mitigate risks from the breach.
4. Individual privacy rights
If you receive a Data Subject Access Request, your records can help to locate and access the specific data required to fulfil the request. If you receive an erasure request, you can quickly check your lawful basis for processing and see if the right applies.
5. Transparency
With good records in place, you can be confident you’ve identified all the types of activities which need to be covered in your privacy notice.
6. Suppliers (processors)
Logging all your processors can support you in keeping on top of supplier management including due diligence, contractual requirements and international data transfers.
While many may not find documentation and record keeping much fun. Try and sell the benefits, get key stakeholders on board and bake it in to your routine business activities.
Most people don’t find documentation and record keeping a great deal of fun. But nevertheless maintaining effective records of your data processing (often known as ‘Records of Processing Activities’ or RoPA) is an important obligation under data protection law.
These records helps us to keep track of what personal data is held within the organisation and what it’s used for.
The record keeping requirements under GDPR apply to both controllers and processors. These requirements include keeping records covering:
Even smaller organisations with less than 250 employees still have certain record keeping responsibilities, which should not be overlooked. But they may benefit from a limited exemption. Smaller organisations only need to document their processing which is:
The specific requirements for record keeping are detailed and it’s an area many businesses have found challenging, especially keeping records up to date.
Creating your records of processing and keeping them updated is important. If records are allowed to become outdated you can quickly lose track of the breadth and depth of your processing. Resulting in to uncertainty when you most need it.
After all, if you don’t know about certain processing or hold any record of it, how can you possibly help the business to protect that data?
For example, your RoPA should be the first place to look if you suffer a data breach, helping you to identify;
It can also be helpful to reference your RoPA when handling individual rights requests.
If requested you might need to make your records available to the ICO, so you’d want to be sure they are in good shape. Allowing them to get out of date makes the job of getting them back into order all the more difficult.
Firstly, it’s helpful to enlist the support of your Board, as you’ll need help from all business function heads and data ‘owners’ to tell you about their changes to processing and notify you of new data service providers . So you can to keep the RoPA refreshed over time.
Make sure you have a complete list of who is accountable for personal data processing within all your key business functions – the data owners. For example, Human Resources (employment & recruitment data), Sales & Marketing (customer / client data), Procurement (supplier data), Finance, and so on. Each accountable owner for these functions needs to understand their role in record keeping.
No DPO or data protection team can create and maintain the records their own – they need the support of others.
Check you’re capturing all the RoPA requirements. These are slightly different if you act as a controller or processor – or indeed both. If you need to check take look at the ICO’s guidance on documentation.
Building a healthy two-way dialogue with data owners (and other stakeholders) is essential, not only for record keeping but many other data protection tasks. They will be best placed to tell you what data they hold, what it’s used for and what measures they use to protect it.
There’s always some new system, processing activity or change of suppliers, isn’t there? You should aim to update your records whenever you identify new processing or changes to existing processing – including identifying when you need carry out a DPIA or LIA. Good stakeholder relations can really help with this.
I hope this short guide helps you to keep your own records up to scratch. I do find sharing the message about how helpful the RoPA can be if you suffer a data breach, or receive a data subject access request, can motivate others to support you with this important task. Good luck!
The concept is nothing new, but the term Privacy Management Programme (PMP) has been flung into the spotlight by the UK Government’s plans to reform data laws.
In a nutshell, the Government plans to revise the current accountability framework, replacing existing obligations (some of which are mandatory) with a requirement to implement a PMP.
It’s argued the current legislative framework ‘may be generating a significant and disproportionate administrative burden’ because it sets out detailed requirements organisations need to satisfy in order to demonstrate compliance.
The idea is a new ‘risked-based accountability framework’ will be introduced, requiring organisations to implement a PMP, but allow flexibility to internally tailor the programme to suit the organisation’s specific processing activities.
A PMP is a structured framework which supports organisations to meet their legal compliance obligations, the expectations of customers and clients, fulfil privacy rights, mitigate the risks of a data breach – and so forth.
Such a programme should recognise the value in taking an all-encompassing, holistic approach to data protection and privacy; embedding data protection principles and the concept of privacy by design and default.
There are a number of PMP approaches and frameworks in existence. The UK Government has not yet elaborated on what they would expect a PMP to look like.
This top-level summary is broadly based on the IAPP’s Privacy Programme Management approach.
Organisations should develop and implement a suitable framework of management practices which make sure data is used properly and in line with organisational aims, laws and best practice. This should include adopting a privacy by design and by default approach; ensuring appropriate measures are in place to prevent unnecessary risks.
Achieving clear oversight of the data held and processed, including any suppliers used to support business activities. Developing risk assessment tools which help to identify privacy risks and manage them effectively (e.g. Privacy Impact Assessments / Data Protection Impact Assessments).
Mapping and maintaining an inventory of where personal data is, its purpose, how it is used and who it’s shared with.
Developing and implementing clear policies and procedures to guide staff and give them clear instructions about how personal data should be collected, used, stored, shared, protected and so on.
Making sure adequate and appropriate training is conducted to give staff the knowledge and understanding they need to protect and handle data lawfully and in line with organisational expectations in their day-to-day roles. Making sure people are aware of how their organisation expects them to behave.
Putting in place appropriate procedures to effectively and efficiently fulfil individual privacy rights requests, such as the right of access, erasure or objection.
Crucial to any PMP is protecting personal information. Working in conjunction with information security, a data protection by design approach would be expected – a proactive rather than reactive approach.
Creating and developing data incident procedures and plans. Having appropriate methods to assess risk and potential impact, as well as understanding breach notification requirements.
Last, but by no means least no PMP would be complete without a methodology for tracking and benchmarking the programme’s performance.
To many who’ve endeavoured to comply with the GDPR, all of the above will sound very familiar.
So, the Government isn’t proposing we do away with all the hard work already done. It’s planning a relaxation to some of the mandatory requirements; giving organisations more flexibility and control over how they implement certain elements of their programme.
On the one hand, this could be seen as a welcome move away from a ‘one-size fits all’ approach under UK GDPR, giving organisations more flexibility around how implement their privacy programmes to achieve desired outcomes.
On the other hand, there are fears the removal of mandatory requirements will lead to a watering down of the fundamental principle of accountability (a principle significantly bolstered under GDPR).
Clearing out personal data your business no longer needs is a really simple concept, but in practice it can be rather tricky to achieve! It throws up key considerations such as whether to anonymise and how to make sure its deleted or securely destroyed.
Let’s take a look at this in more detail…
Businesses must only keep personal data as long as necessary and only for the purposes they have specified.
To manage this legal obligation successfully, you’ll need to start with an up-to-date data retention policy and schedule.
These should clearly identify which types of personal data your business processes, for what purposes, how long each should typically be kept and under what circumstances you might need to hold it for longer.
If your data retention policy or schedule is lacking, first focus on making sure they are brought up to scratch. If you’d like to find out more, please take a look at DPN’s Data Retention Guidance.
These are the 5 key steps when an agreed retention period (as shown on your retention schedule) is reached.
There are different approaches an organisation can take when the data retention period is reached, such as:
Deletion of records might seem the obvious choice, and it’s often the best one too.
But take care how you delete data. Sometimes deleting whole records can affect key processes on your systems such as reporting, algorithms and other programs.
Check with your IT colleagues first. In some situations, you may decide it’s better to anonymise the data.
Most organisations want to extract increasing information and value from their digital assets. In some situations, it can be helpful to remove any personal identifiers so you can keep the data that remains after the retention period has been reached. For example,
To be clear, anonymisation is the process of removing ALL information which could be used to identify a living person, so the data that remains can no longer be attributed back to any unique individuals.
Once these personal identifiers are deleted, data protection laws do not apply to the anonymised information that remains, so you may continue to hold it. But you have to make sure it is truly anonymised.
The ICO highlights you should be careful when attempting to anonymise information. For the information to be truly anonymised, you must not be able to re-identify individuals
If you could, at any point, use any reasonably available means to re-identify the individuals, the data will not have been effectively anonymised, but will have merely been pseudonymised. This means it should still be treated as personal data.
Whilst pseudonymising data does reduce the risks to data subjects, in the context of retention, it is not sufficient for personal data you longer need to keep.
So the conclusion is simple – make sure you remove ALL personal identifiers so the data is truly anonymised.
There are software methods of deleting data, which may involve removing whole records from a dataset or overwriting them. For example, using of zeros and ones to overwrite the personal identifiers in the data.
Once the personal identifiers are overwritten, that data will be rendered unrecoverable, and therefore it’s no longer classed as personal data.
This deletion process should include backup copies of data. Whilst personal data may be instantly deleted from live systems, personal data may still remain within the backup environment, until it is overwritten.
If the backup data cannot be immediately overwritten it must be put ‘beyond use’, i.e. you must make sure the data is not used for any other purpose and is simply held on your systems until it’s replaced, in line with an established schedule.
Examples of where data may be put ‘beyond use’ are:
The ICO (for example) will be satisfied that information is ‘beyond use’ if the data controller:
Destruction is the final action for about 95% of most organisations’ physical records. Physical destruction may include shredding, pulping or burning paper records.
Destruction is likely to be the best course of action for physical records when the organisation no longer needs to keep the data, and when it does not need to hold data in an anonymised format.
Controllers are accountable for the way personal data is processed and consequently, the disposal decision should be documented in a disposal schedule.
Many organisations use other organisations to manage their disposal or destruction of physical records. There are benefits of using third parties, such as reducing in-house storage costs.
Remember, third parties providing this kind of service will be regarded as a data processor, therefore you’ll need to make sure an appropriate contract is in place which includes the usual data protection clauses.
Destruction may be carried out remotely following an agreed process. For instance, a processor might provide regular notifications of batches due to be destroyed in line with documented retention periods.
Retention periods will also apply to unstructured data which contains personal identifiers. The most common being electronic communications records such emails, instant messages, call recordings and so on.
As you can imagine, unstructured data records present some real challenges. You’ll need to be able to review the records to find any personal data stored there, so it can be deleted in line with your retention schedules, or for an erasure request.
Depending on the size of your organisation, you may need to use specialist software tools to perform content analysis of unstructured data.
Whilst data retention as a concept appears straightforward, it does require some planning. There are situations where it might be best to keep certain data in an anonymised form, removing all personal identifiers, when it reaches its retention period.
And its important you don’t ignore unstructured data or physical data, as these may also contain personal data which needs action when its no longer necessary for you to keep it.
Need some help with data retention? Or any other data protection matter, Contact Us to discuss how DPN Associates could help you.
We’ve finally heard the UK Information Commissioner’s Office (ICO) has fined British Airways £20 million for failing to protect personal and credit card data in their 2018 data breach. A breach which affected more than 400,000 BA customers and staff.
A final decision on this has been expected for some time, we just didn’t know what the figure would be until now. The amount is a fraction of the £183 million initially announced in the ICO’s notice of intention to fine. After considering BA’s representations and factoring in the economic impacts of COVID-19 it has been significantly reduced. But it’s still an eye-watering sum, in fact, the largest fine issued by the ICO.
What are the key lessons other businesses can learn from BA’s painful experience?
Modern businesses rely on data more and more to provide quality services for customers and to create competitive advantage. However, the risks to personal data are numerous, varied and ever-changing. A data breach can massively harm a business’s reputation with its customers, staff and with the world at large.
It’s often said that with power comes responsibility, so businesses need to recognise their roles as guardian and protector of the personal data of their customers and employees. We have to deliver on the promises we make, for example, in our privacy notices. Any steps your business can take to properly protect personal data and demonstrate to staff and the public how seriously you take data protection will help protect them from harm and also may help you to stand out from competitors in these tough times.
Boards need to show leadership by insisting on a strong and vigilant information security regime. I guess that means they need to be prepared to fund it too! It also means asking tough questions about the levels of data protection in place across the organisation.
Rachel Aldighieri, MD of the Data & Marketing Association (DMA), believes this is a wake up call;
“Brexit and coronavirus have put businesses under immense financial strain. A fine of this magnitude will certainly get the attention of Board members of organisations across the UK. They will certainly not want to risk receiving similar disciplinary action from the ICO. This is the largest fine issued by the ICO to date under the new GDPR laws, highlighting the importance all businesses should place on the security of customers’ data and the need to build in safeguards to protect it.
“Data is a fundamental part of the digital economy, so maintaining its security must be a business imperative. Trust in how brands collect, store and use data is essential to the relationship between businesses and their customers. This message should resonate with businesses now more than ever.”
The ICO said there were numerous measures BA could have used to mitigate or prevent the risk of an attacker accessing their network.
Martin Turner, Managing Director at cybersecurity specialists Full Frame Technology, believes BA missed the basics:
“As with so many serious data breaches, this one was caused by a failure to adopt the most basic security measures, including limiting access to applications, rigorous cybersecurity testing, and protecting accounts with multi-factor authentication.
Login credentials for a domain administrator account were stored in plain text. Software code wasn’t reviewed effectively. These are issues that a cybersecurity audit should have revealed, and BA has yet to explain why this didn’t happen.”
Could this be a turning point? It’s been a long time coming and many expected it to happen much sooner. The ICO have finally issued a BIG fine more in keeping with the expectations most of us had when GDPR came into force.
Nevertheless, you might feel the ICO has shown a measure of pragmatism, reducing the fine down so much from the original £183m. But it’s not great timing for any business to suffer a body blow like this.
It will be interesting to see what figure the ICO finally decide to fine Marriott International for their Starwood data breach, which first came to our attention around the same time as BA. The ICO’s original ‘intention to fine’ for Marriott was £99 million.
You might be thinking afresh about breach insurance. We’d suggest you shop around and pay attention to the fine print, as data breach insurance policies can vary more than you might imagine.
Don’t just look at the price as no two policies are the same and there is little consistency in the way policies are worded. The levels of cover and features on offer can vary significantly. Keep an eye out for exclusions!
One key differentiator you may wish to delve into is the level of support your insurer will provide in the event of a breach or a cyber attack. Do they have a team of specialists in place who will advise and help you to triage a live situation? This is one area where you might get just what you pay for.
This fine was long anticipated and the pandemic has definitely played its part in reducing the final amount. The travel sector has been badly impacted by COVID and £20 million will hit BA hard. BA may decide to appeal against it. It goes to show how important it is to have robust data protection and security measures in place.
Deciding when to carry out a Data Protection Impact Assessment (DPIA), and understanding how to conduct one effectively, is a challenging area.
I’ve come across cases where DPIAs are not being conducted when necessary, or left incomplete. Less frequently, DPIAs are over-used, creating an unnecessary burden on key teams.
DPIAs sit at the heart of Data Protection by Design, and this is part 3 of our series, following on from:
Part 1: Data Protection by Design – The Basics
Part 2 – How to approach Data Protection by Design
Just to be clear – we may be hearing the term DPIA more frequently, but it’s not a new idea – what changed under GDPR is they were made mandatory in certain circumstances. And even if not mandatory they can be a very useful tool in your data protection toolbox.
So how do you make sure your DPIA process is on track? I’ve taken a look at the key stages you should have in place, and how to get people on-board and improve their understanding.
But first things first.
Just to recap, a DPIA is a management tool which helps you:
It’s a way for you to analyse your processing activities and consider any risks they might pose. It focuses on identifying any risks to people’s rights and freedoms, and considers the principles laid down in data protection law.
The key is to start the assessment process early so you can make sure any problems are found (and hopefully fixed) as soon as possible in any project – be this implementing a new system, designing a new app or creating new processes.
When considering new systems, technologies or processes a DPIA should be conducted if these might result in a high risk to the rights and freedoms of individuals. A DPIA may also be conducted retrospectively if you believe there are inherent risks.
It’s mandatory, under the GDPR to conduct a DPIA in all of the following scenarios:
Each EU regulatory authority has published their own list of other scenarios in which a DPIA would be mandatory. You can find the UK Innformation Commissioner’s Office’s in its DPIA Guidance. This includes;
The ICO says it’s “good practice to do a DPIA for any other major project which requires the processing of personal data.” Here are some examples of where it might be advisable to conduct a DPIA, if your processing;
The ICO DPIA guidance has a handy checklist of areas to focus on:
So how do you go about fulfilling the ICO’s expectations above? Here are some steps to take.
Growing awareness and buy-in from across the organisation is crucial. It can be helpful to highlight why DPIAs are a good thing, for example;
Training is also important, I’ll come on to this in a bit, but first you need to make sure your process is fit for purpose….
Create a quick set of questions for business owners or project leads to use, which help to identify if a DPIA is required or not.
These can ask about the type of personal data being used, whether it entails any special category data or children’s data, what the aim of the project is and so on.
The answers can be assessed to judge whether a more detailed assessment is really required or not. (It can also show where more training might be needed, if people struggle to answer the questions).
You need to develop a robust process for conducting a DPIA. The ICO has a template you can use, but it’s good idea to adapt this to suit your business. Make sure it’s easy to understand and not full of data protection jargon.
These are the core aspects it needs to cover:
Let’s look at these seven key stages in a little more depth…
These are some of the type of questions you’d want answers to (this is not an exhaustive list):
Consider the following questions (again, this is not an exhaustive list):
Identify any privacy issues with the project and associated risks. These may be risks to the individuals whose data is being processed, compliance or commercial risks.
Is there potential for harm, whether this be physical, material or non-material? A DPIA should ideally benchmark the level of risk using a risk matrix which considers both the likelihood and the severity of any impact on individuals.
You don’t have to eliminate all risks, but they should be documented, and any residual risks need to be understood and, if appropriate, accepted by the business.
If you identify a high risk that you cannot mitigate, you must consult the ICO before starting the processing.
Develop solutions which will eliminate or minimise privacy risks and then consider how these solutions impact on the project.
It can be helpful to use the established ‘four strategies for risk management’ (the 4Ts), i.e.
Someone must sign-off that the DPIA is complete and be accountable for any residual risks. It’s a good idea to log residual risks in your Risk Register.
There’s also lots of useful content on this in the ICO’s DPIA Guidance.
Once you have your questionnaire and DPIA process ready to go, it’s time to make sure people know about it! If people aren’t aware they’ll be busy doing fabulously innovative things, not considering the potential data protection issues and impact on people’s privacy.
Making sure your teams know what a DPIA is, in simple layman’s terms, is an important step – building an understanding about why it’s important and the benefits to the business as a whole.
Creating short, easy to understand, guidelines and raising awareness via other means helps reinforce the message that DPIAs are a good thing and people need to think data protection in their day to day work.
It’s also important to develop people’s skills. After all the DPO (or team/person responsible for data protection) can’t do this single-handed. You need key people to know;
Holding workshops with relevant staff to discuss how you conduct a DPIA, and / or perhaps run through an example, can help improve people’s skills. My key tip would be to try and not over-complicate things and to keep it straightforward.
In summary, whether you are required by law or not to complete a DPIA they are a useful way to make sure data protection is considered from the outset, with no nasty surprises just before your project launches!
“But it’s essential that we go live on Friday!” If I had a penny for every time I’ve heard this one. If only they’d known, or thought of, speaking to the people responsible for data protection.
Often a DPIA won’t required, but there’ll be times when it’s mandatory or just a very good idea.
Data Protection team over-stretched? We can review your existing DPIA process or help you to develop one. We can also do remote DPIA workshops for key members of your teams – Get in touch
Following my colleague Phil Donn’s popular article on Privacy By Design (Part 1), I’m delving into the detail of what to consider when you are developing new applications, products and service and the how to approach the assessment process.
As a reminder, Data Protection By Design requires organisations to embed data protection into the design of any new processing, such as an app, product or service, right from the start.
This implies the DPO or Privacy team need to work with any project team leading the development, from the outset. In practice, this means your teams need to highlight any plans at the earliest stages.
A crucial part of a data protection or privacy role is encouraging the wider business to approach you for your input into changes which have implications for privacy.
Building strong relationships with your Project and Development teams, as well as with your CISO or Information Security team, will really help you make a step change to embed data protection into the culture as well as the processes of the organisation.
Here are some useful pointers when assessing data protection for new apps, services and products.
If there’s likely to be high risk to individuals, you should carry out a Data Protection Impact Assessment. This should include an assessment covering the requirements above.
Many organisations use a set of screening questions to confirm if a DPIA is likely to be required and I would recommend this approach.
In most cases it will also be appropriate for the Project team to consult with their CISO or Information Security Team. It’s likely a Security Impact Assessment (SIA) will also need to be carried out.
In fact, adopting a joint set of screening questions which indicate if there’s a need for a security assessment and/or a DP assessment is even better!
The typical stages involved when developing a new app, product or service are:
Planning > Design > Development > Testing > Early life evaluation > Production
Sometimes these stages merge together, it’s not always clear where one ends and another starts, or they may run in parallel.
This can make the timing of a data protection assessment tricky, particularly if your business uses an Agile development methodology, where the application design, development and testing happen rapidly in bi-weekly ‘sprints’.
I find when Agile is used the answers to certain data protection questions are not necessarily available early on. Key decisions affecting the design may be deferred until later stages of the project. The final outcomes of the processing can be a moving feast.
I always take the data protection assessment process for new developments step by step. Engaging with the Project team as early as possible and starting with the privacy fundamentals.
For example, try to establish answers to the following questions:
An ongoing dialogue with the Project team is helpful. This can be scheduled in advance of key development sprints and any budget decisions which could affect development.
This way the more detailed data protection requirements can be assessed as the design evolves – enabling appropriate measures and controls to protect personal data to be agreed prior to development and before any investment decisions.
Let me give you an example…
I recently helped a to carry out a DPIA for a new application which aimed to improve efficiency by looking at operational workflow data, including certain data on employees who carried out specific tasks.
When we started the design was only partially known, it wasn’t yet agreed whether certain components were in or out of scope, let alone designed. Therefore data protection considerations such as the minimisation of data (to include only that necessary for the processing), appropriate access controls and specific retention periods had not and couldn’t be decided.
We worked through these items as the scope was agreed. I gave input as possible designs were considered, prior to development sprints. We gradually agreed and deployed appropriate measures and controls to protect the privacy of individuals.
Too often in my experience the privacy team is called in too late. This only leads to frustration if privacy issues are raised in the later stages of a project. It can cause costly delays, or the poor privacy team is pushed into making hasty decisions. All of which is unnecessary, if teams know to go to the privacy team from the outset.
It can take time and perseverance to get your colleagues on board. To help them to understand the benefits of thinking about data protection from the start and throughout the lifecycle of projects. But once you do, it makes your business operations run all the more smoothly.
Can we help? Our experienced team can support you with embedding Data Protection By Design into your organisation, or with specific assessments – contact us
Get DPN updates direct to your inbox. Insight, free resources, guides, events & services from DPN Associates (publishers of DPN). All our emails have an opt-out. For more information see our Privacy Statement.