Data Retention Policy – GDPR
Date of publication – 25th May 2018
Date of review – 11th April 2018
Responsibility – Sue Giles, Data Protection Officer
BSA Mouldings is hereinafter referred to as “the company”
The need to retain data varies widely with the type of data. Some data can be immediately deleted and some must be retained until reasonable potential for future need no longer exists. Since this can be somewhat subjective, a retention policy is important to ensure that the company’s guidelines on retention are consistently applied throughout the organisation.
The purpose of this policy is to specify the company’s guidelines for retaining different types of data.
The scope of this policy covers all company data stored on company-owned, company-leased, and otherwise company-provided systems and media, regardless of location.
Note that the need to retain certain information can be mandated by local, industry regulations and will comply with EU General Data Protection Regulation GDPR and the Data Protection Act 1988 and the Data
Protection (Amendment) Act 2003. Where this policy differs from applicable regulations, the policy specified in the regulations will apply.
4.1 Reasons for Data Retention
The company does not wish to simply adopt a “save everything” approach. That is not practical or cost effective and would place an excessive burden on company and IT Staff to manage the constantly-growing amount of data.
Some data, however, must be retained in order to protect the company’s interests, preserve evidence, and generally conform to good business practices. Some reasons for data retention include:
4.2 Data Duplication
As data storage increases in size and decreases in cost, companies often err on the side of storing data in several places on the network. A common example of this is where a single file may be stored on a local user’s machine, on a central file server, and again on a backup system. When identifying and classifying the company’s data, it is important to also understand where that data may be stored, particularly for duplicate copies, so that this policy may be applied to all duplicates of the information.
4.3 Data Retention Requirements
This section sets guidelines for retaining the different types of company data.
4.4 Retention of Encrypted data
BSA Mouldings does not currently retain any encrypted data
4.5 Data Destruction
Data destruction is a critical component of a data retention policy. Data destruction ensures that the company will use data efficiently thereby making data management and data retrieval more cost effective. Exactly how certain data should be destroyed is covered in the Data Classification Policy.
When the retention timeframe expires, the company must actively destroy the data covered by this policy. If a user feels that certain data should not be destroyed, he or she should identify the data to his or her supervisor so that an exception to the policy can be considered. Since this decision has long-term legal implications, exceptions will be a pp roved only by a member or members of the company’s management team.
The company specifically directs users not to destroy data in violation of this policy. Destroying data that a user may feel is harmful to himself or herself is particularly forbidden, or destroying data in an attempt to cover up a violation of law or company policy.
4.6 Applicability of Other Policies
This document is part of the company’s cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.
This policy will be enforced by the Data Protection Officer and/or Executive Team. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.