Data retention
Retention policy
You should set out your retention periods for personal data and how you will erase or dispose of it at the end of those periods, whether it is held electronically or on paper.
For many firms this will be challenging. Our advice is to create a retention plan and work towards compliance through a risk-based analysis of the personal data you hold. Focus first on the riskiest processing, i.e. any files holding health data or criminal offence data. Then monitor compliance with the plan and record this in your record of processing.
Retention periods
The GDPR requires that personal data be kept for no longer than is necessary for the purpose for which it is processed. Data subjects must now be told the retention period for their personal data at the point it is collected, through the fair processing information (privacy notice) you provide to them.
As part of your record of processing, you will need to identify what personal data you hold, the purpose for which it is held and the retention period that applies to it.
Law Society of Scotland guidance
The Law Society will be updating its guidance on the ownership and destruction of files in response to the introduction of the GDPR.
It is important to note that this guidance will only deal with client files, and will cover the different types of client file. The onus is on each organisation to decide how long to keep personal data under the GDPR, although the retention period should be guided by legal requirements and professional guidelines. The Information Commissioner’s Office states that if an organisation keeps personal data to comply with a requirement of this kind, it will not be considered to have kept the information for longer than necessary.
There will be several examples within the sector where the guidance is that papers should be kept indefinitely, because it is very difficult to predict when they may still be required for the purpose of providing legal advice. Any such indefinite retention should be reviewed on a systematic basis.
Consideration will also have to be given to how long human resources records relating to staff are retained.
Case study
Our high street firm already has a system in place for how long files are retained. It is using the record of processing to review the retention periods for each type of case and for other types of data. Because the firm deals with family law, some of its files contain more sensitive information, and these have been prioritised.
The firm is recording the retention periods in its record of processing.
GDPR guide for law firms
Data protection regulations from the perspective of a legal practice
- Ten steps
- Law firms as data controllers
- Create a record of data processing
- Marketing
- Client confidentiality, legal privilege and limited exemptions
- Sharing data with third parties
- Data retention
- Data protection officers
- AML and data protection
- Security
- Reporting personal data breaches
- Requests for copies of personal data
- Appendix 1 - Consent
- Appendix 2 - Example of a data protection policy
- Example of Privacy Notice