To keep it or not to keep – that is the Question!
This blog post is the last in a series of posts on the lovely subject of GDPR. If you are a sole trader, like me, living in Ireland, you will be keen to find out how to become compliant before the deadline on 25th May 2018. I will be sharing the information I have gathered over the past few months in a series of posts. These views are my own. I won’t be using legal jargon or providing information that really only affects bigger companies, as they have their own HR and IT staff to handle their compliance. I hope you will find the posts helpful and feel free to add comments or tips below.
This post covers Retention, Withdrawing Consent and Deleting files.
How long should I keep personal data?
We already know that accounts information has to be kept for several years in case of Revenue audit checks, but what about other information?
There are no exact rules on this subject; however, under GDPR you should be able to justify why you have kept personal data for a long time.
It is recommended that you have a retention system in place so that you regularly clear out or update your files. Imagine, for example, that you have personal details on an old survey or questionnaire relating to a workshop or event you held 3 years ago. Do you need to keep that data? If it is no longer relevant, then you should delete it (see below). If you do need to keep records for business reasons, then you must ensure that the data is kept securely: password protected, encrypted, or locked away. If you keep copies of files on an external hard drive, make sure it’s password protected.
Under GDPR a collection notice should indicate how long the data will be kept. For example, on a newsletter subscription, it could state “This data will be kept until you unsubscribe from this newsletter”. You are not indicating a date but you are indicating that an unsubscriber will be removed.
You could also include a section on retention periods within your Data Privacy Policy detailing what gets kept and for how long.
What do I need to know about Withdrawing Consent?
In blog post No 3 we looked at Consent and the importance of ensuring that any personal data that you use for marketing purposes has been freely given by the individual in question. It is equally important that we make it clear to the individual that they can withdraw their consent at any time. A simple way of doing this is, of course, to have an unsubscribe option on any marketing pieces that you send to individuals, both offline and online. There is nothing really new in that. However, under GDPR an individual not only has the right to withdraw consent but also has the right to request that their personal data be deleted from your records (except where you are legally required to keep it). Obviously, the more sensitive the information, the more important it is to ensure you have protected it and know how to access it. An individual could also ask you for a copy of the information you are holding, especially if it is a record of employment or of medical care or therapy.
If we just look at the marketing side of things, imagine this scenario. Joe Bloggs signed up for your newsletter back in 2015, giving you his name, email and phone number. Joe unsubscribes from your latest newsletter and requests that you delete any personal data that you are holding. As Joe is currently listed on your newsletter mailing list in MailChimp, you can easily delete that. Now think: are his details anywhere else? Is there a copy of his details on your laptop/computer, on an external hard drive, or on a paper file? How can you ensure that you know where those details are?
Can you guess? Yes, it’s back to the Data Audit discussed in blog post No 2, where you recorded what data you are holding and where it is stored.
Again, it’s a good idea to check in with subscribers every two years to get their consent again and to delete any unsubscribers or undeliverable emails.
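The retention system and the data-audit check above can be turned into a small register. This is an added example, not something from the post: every entry, location and retention period is constructed for illustration, and the accounts period is a placeholder rather than a figure from Revenue.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Placeholder assumption: check the real Revenue requirement before relying on it.
ACCOUNTS_RETENTION_DAYS = 6 * 365
REVIEW_DATE = date(2018, 5, 1)  # constructed review date for the sample below

@dataclass
class Record:
    description: str
    location: str               # where the audit found it: laptop, drive, paper, MailChimp
    collected: date
    retain_days: Optional[int]  # None = kept until the person unsubscribes
    legal_basis: str = ""       # non-empty = a legal reason to keep it (e.g. accounts)
    consent_withdrawn: bool = False

def status(rec: Record, today: date) -> str:
    """Decide what to do with one record on the review date."""
    # A deletion request is honoured unless a legal obligation applies,
    # in which case the statutory retention period decides instead.
    if rec.consent_withdrawn and not rec.legal_basis:
        return "delete: consent withdrawn"
    if rec.retain_days is None:
        return "keep: until unsubscribe"
    expiry = rec.collected + timedelta(days=rec.retain_days)
    if today <= expiry:
        return "keep: until " + expiry.isoformat()
    return "delete: retention period expired"

def review(register: List[Record], today: date) -> Dict[str, str]:
    """Status for every record, keyed by description and location so each
    copy found in the audit (laptop, external drive, paper) is listed."""
    return {f"{r.description} @ {r.location}": status(r, today) for r in register}

# Constructed register, including the Joe Bloggs scenario from the post.
REGISTER = [
    Record("Workshop survey 2015", "laptop", date(2015, 3, 10), 365),
    Record("Sales invoices 2016", "paper file", date(2016, 12, 31),
           ACCOUNTS_RETENTION_DAYS, legal_basis="accounts records for Revenue"),
    Record("Newsletter list", "MailChimp", date(2015, 6, 1), None),
    Record("Joe Bloggs subscription", "MailChimp", date(2015, 6, 1), None,
           consent_withdrawn=True),
    Record("Joe Bloggs subscription", "laptop CSV export", date(2015, 6, 1), None,
           consent_withdrawn=True),
]

if __name__ == "__main__":
    for entry, action in review(REGISTER, REVIEW_DATE).items():
        print(f"{entry}: {action}")
```

Running it lists both copies of Joe's details for deletion, flags the 3-year-old survey as expired, and keeps the invoices because of the legal basis.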
How can I safely delete data?
When it comes to paper files, using a shredder is a great solution. But if you don’t have a shredder, then perhaps you can safely burn the paperwork. Throwing the paper into a Green Bin is not a good idea unless it’s shredded paper! Remember, you do have to keep financial account information for Revenue.
Deleting data from computer hardware requires some attention. If you are familiar with computers and laptops you will know that when you delete files, they go to a Trash folder, and when you empty the Trash folder the data is usually still recoverable, because the contents remain on the disk even though you can no longer see the file. So you need to look at file-shredding software. The same applies to emails.
You may consider having someone with an I.T. background assist. Meanwhile, here is an article I found on the subject of deleting files on your hardware on LifeWire.com, and here is another article on shredding digital files.
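What the shredding software mentioned above actually does, as an added illustration that is not from the post or the linked articles: overwrite the file’s bytes before removing it. It assumes a drive and filesystem that write in place; on SSDs, journaling or copy-on-write filesystems, and folders synced to the cloud, overwriting is not reliable, and full-disk encryption (with the key destroyed when the device is retired) is the better control.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # overwrite in 64 KiB pieces so large files do not need to fit in memory

def shred_file(path: str, passes: int = 3) -> int:
    """Overwrite `path` `passes` times with random bytes, then remove it.
    Returns the number of bytes overwritten in each pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            for offset in range(0, size, CHUNK):
                f.write(secrets.token_bytes(min(CHUNK, size - offset)))
            f.flush()
            os.fsync(f.fileno())  # make the device take the overwrite, not just the cache
    # Rename to a random name before unlinking so the original filename
    # does not linger in directory metadata.
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.replace(path, anon)
    os.remove(anon)
    return size

def shred_tree(root: str, passes: int = 3) -> int:
    """Shred every regular file below `root` (e.g. an old survey folder on an
    external drive). Returns the number of files shredded."""
    count = 0
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            shred_file(os.path.join(dirpath, name), passes)
            count += 1
    return count

def self_check() -> dict:
    """Constructed check: write two small files with made-up contact details,
    shred the folder, and report how many files were shredded and are left."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in ("survey.csv", "notes.txt"):
            with open(os.path.join(tmp, name), "wb") as f:
                f.write(b"Joe Bloggs,joe@example.com,0851234567\n" * 2000)
        shredded = shred_tree(tmp)
        leftover = sum(len(fs) for _, _, fs in os.walk(tmp))
    return {"shredded": shredded, "leftover": leftover}

if __name__ == "__main__":
    print(self_check())
```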
So that covers the last post in this series. By now, you have probably received lots of email updates from your software suppliers and partners advising you about their new Data Privacy policies as the deadline draws closer. You still have 24 days to get your business in line with GDPR! Get going and good luck!