How long a customer's or member's personal information is stored for is something that many organisations have never considered, but it is something they will have to address in order to comply with the General Data Protection Regulation (GDPR) when it comes into effect in May 2018.
While many organisations routinely back up reams of data and keep it indefinitely 'in case it is needed', retaining personal data beyond the purpose for which it was collected is not permissible in law, and under the GDPR could result in very significant fines and civil claims. Backups kept to recover from a system outage are a legitimate purpose, but they too need a defined retention period and must not become a permanent archive of personal data.
The GDPR requires that an organisation have a lawful basis for processing personal data (in many cases the data subject's express, informed consent), that data subjects be told the purposes for which the organisation holds their information, and that personal data be kept in a form that identifies individuals for no longer than is necessary for those purposes (the storage limitation principle, Article 5(1)(e)).
In practical terms this means that data can only be stored for the length of time it is needed under the terms on which it was collected, and once that length of time has expired, the information must be securely destroyed or anonymised.
As the Office of the Data Protection Commissioner points out on their website, “if there is no good reason for retaining personal information, then that information should be routinely deleted. Information should never be kept "just in case" a use can be found for it in the future”.
If you believe that there is a good reason for you to retain a customer's personal information past the point of your current transaction with them, then you need to identify and document that reason, tell the customer what it is and how long you will keep the information, and, where consent is your basis for holding it, specifically request their consent to retain it for that longer period.
In order to stay compliant with the data retention and storage requirements of the GDPR, you need to take the following steps as a bare minimum:
1. Appoint someone with specific responsibility for making sure that files are regularly reviewed and that personal information is not kept any longer than necessary
2. Have a defined policy on retention periods for all items of personal data your organisation collects
3. Securely destroy (or anonymise) the personal data of former customers or members on a regular basis, once its retention period has expired
It is important to have a policy on data retention, with separate retention periods for the different types of information you hold. If you cannot give a rational explanation for why you are storing a given item of data, and demonstrate that you have a lawful basis for doing so, then you cannot be considered compliant with the GDPR.