Data Retention Policy
This document has been updated for compatibility with the UK GDPR and is ready for use from the start of 2021.
Under the UK GDPR, data controllers (i.e. businesses using personal data, in this case) should not retain personal data for any longer than necessary. Furthermore, the UK GDPR gives data subjects rights to require the erasure of their personal data (also known as “the right to be forgotten”).
Minimising data retention and having clear procedures in place to determine how and when to dispose of personal data is therefore key to complying with the UK GDPR. Not only that, but a well-managed data retention plan can help businesses to avoid the information overload and high storage costs resulting from the retention of unnecessary (and often redundant) data.
This Data Retention Policy is designed primarily to set out the limits that apply to the various types of personal data held by a business, to establish the criteria by which those limits are set, and to set out how personal data should be deleted or disposed of.
In addition, this policy template sets out where and how personal data is held, it provides a brief overview of data subjects’ key rights under the law, and a summarised overview of the various technical and organisational data protection measures that the business has in place (duplicated for the most part from our Data Protection Policy – designed to be used in conjunction with this document).
The policy can be applied company-wide, or multiple policies can be used for separate departments. Depending upon the amount of personal data used, it may be preferable (and more manageable) to work on a per-department basis.
Optional phrases / clauses are enclosed in square brackets. These should be read carefully and selected so as to be compatible with one another. Unused options should be removed from the document.
References to the various “Parts” of the Company’s Data Protection Policy refer to the corresponding sections of our Data Protection Policy template (and should therefore be amended if optional provisions are removed from that document).
This Data Retention Policy contains the following clauses:
1. Introduction
2. Aims and Objectives
3. Scope
4. Data Subject Rights and Data Integrity
5. Technical and Organisational Data Security Measures
6. Data Disposal
7. Data Retention
8. Roles and Responsibilities
9. Implementation of Policy
This Data Retention Policy is in open format. Either enter the requisite details in the highlighted fields or adjust the wording to suit your purposes.
Once you have purchased access to the appropriate document folder click on the “Download Document” link below. You will be asked what you want to do with the file. It is recommended that you save the document to a location of your choice prior to viewing.