Our GDPR updates continue this month with the addition of an all-new Data
Retention Policy template and updates to our GDPR-compatible Data
Protection Policy templates. These documents and more can be found in our all-new GDPR & Data Protection Group.
New Data Retention Policy
The GDPR places important controls on the retention of personal data. Once
you have cleared the many hurdles to collecting and processing it in the
first place, further rules govern how long you can keep it.
Personal data must not be retained for any longer than is necessary in
light of the purpose or purposes for which it was originally obtained. Not
only that, but individuals have various grounds on which they can require
you to delete or otherwise dispose of any personal data you hold about them
(often referred to as “the right to be forgotten”).
Not only does minimising data retention help to bolster your GDPR
compliance, but it can also pay dividends when it comes to business
efficiency. The less data you hold on to, the easier it is to find that
which you still need, and the cheaper it will be to store everything.
Our new Data Retention Policy provides an overview of key legal principles
set down by the GDPR, and – most importantly – sets out the limits that
apply to your business’s retention of personal data, the criteria by which
those limits are set, and the methods to be used when disposing of the
Updated Data Protection Policies
As a document subject to ongoing review, our GDPR Data Protection Policy
has received several updates, including clearer provisions on technical data
protection measures, new detail governing “special category” personal data
(formerly known as “sensitive personal data” under the Data Protection
Act), and adjustments and cross-references to our new Data Retention
The “Employee version” of our Data Protection Policy has now also received
the GDPR treatment and, in addition to being available in the Employment
document folder, is also available in the new Business GDPR & Data
More to Come!
The GDPR edges ever closer and we still have more in store. Next month will
see the publication of our Data Protection Impact Assessment – an essential
ingredient in the “Privacy by Design” approach championed by the GDPR. Also
look out for our new Subject Access Request toolkit to assist both data
subjects and businesses in making and handling data subject access
The contents of this Newsletter are for reference purposes only and do not constitute
legal advice. Independent legal advice should be sought in relation to any specific