Documents, data and the GDPR

GDPR is the current “hot topic”, as the November 2017 Journal clearly evidenced. Firms are having to take a fresh look at what data they store and how it is managed and monitored. Firms of all sizes will have to get to grips with a more onerous data protection regime. One aspect of this that we, at Lockton, have received a number of queries on, is the impact of GDPR on document retention policies.

1. Have a data retention and destruction policy

Many firms will already have a document retention policy, but the chances are that, if it has not been updated for some time, it may not be quite as broad as it needs to be. The Law Society of Scotland has for some years provided guidance on the ownership and destruction of files. The data protection regime now goes somewhat further, and firms should be considering a policy that addresses data storage/retention in the round, including:

• physical files
• electronic documents
• emails
• client data held on CRM systems
• staff data held 
• data stored on portable devices, and
• office equipment including telephone call recordings and data stored on copiers and printers (you should be aware that most printers and copiers will store a considerable volume of data unless wiped before selling or otherwise replacing).

2. Address your hard copy document risks

Paper is not necessarily either more or less secure than electronic data, but it must not be forgotten when you consider implementing changes in readiness for GDPR. Your paper-based data are also subject to many of the new regulations. These data also have their own particular risk issues.

Unauthorised copying of hard copy documents

These days, with the advent of quality cameras in smartphones, and email-enabled scanners, taking a sneaky copy of a document is a far less risky form of information theft.

Taking documents out of the office

There is no doubt that, for many of us, reading a hard copy document while travelling remains easier and more reliable than trying to access documents online. While portable devices, if properly set up, are encrypted and can be remotely wiped, the same cannot be said for paper files left on a train.

Loss of documents

Documents still get lost between the office and archives, and, in case of fire and flood, can be destroyed entirely.

3. Review your document retention rules

There are no hard and fast rules for client document retention, and GDPR does not alter the current framework in that regard. However, the preparation for GDPR does provide a good opportunity to review your current arrangements. Where many firms could benefit is from a re-evaluation of their procedures for identifying and managing documents/data that should now be destroyed or deleted.

Article 5 of GDPR provides:

“Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. 

“Personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or scientific, historical, or statistical purposes in accordance with article 89(1) and subject to the implementation of appropriate safeguards.”

This needs to be balanced against your need to retain information for long enough to provide material for an adequate defence in the event of a claim. The prescriptive period in Scotland for a professional indemnity claim is five years from the date that the claimant became aware (or could reasonably have become aware) of sustaining a loss (David T Morrison & Co Ltd v ICL Plastics [2014] UKSC 48). This of course does not mean a blanket destruction date of five years from closing a file. Claims typically emerge much more quickly when emanating from litigation matters.

The Law Society of Scotland’s guidance on retention of documents (see summary opposite) – which we understand is likely to be updated in the course of 2018 – still provides a useful rule of thumb, although firms should consider their own circumstances when determining timescales for destruction. While the GDPR does forefront the rights of data subjects, as long as you can properly explain why you process the data and have set a fair retention period, the firm’s legitimate interests should be respected – assuming you have implemented sufficient measures to protect the data. 

Whatever your policy determines, you should ensure that your letter of engagement explains clearly:

• who “owns” the client file, and what that means;
• how long you will retain the file, how it will be stored, and what will happen to the file after that time;
• any costs which relating to storage, retrieval and copies of (parts of) the file.

4. How to convert policy into practice?

Having a meaningful policy on data retention and destruction is one thing. Ensuring that it is implemented in practice is quite another.

Employing someone to go through file records and notifying fee earners when a data retention period has expired is costly, time-consuming and also does not guarantee that the information is acted on by a busy fee earner. An alternative approach, that electronic documents are automatically permanently deleted after the retention period has expired, is also problematic.

Complying with data destruction policies where hard copy documentation is concerned is more difficult again – thus the incentive for many firms to move to online storage.