Retention policy
You should set out your information retention periods and how you will erase or dispose of personal data, whether held electronically or in paper form.
For many firms, this issue will be challenging and our advice is to create a plan in relation to retention and work towards compliance based on a risk-based analysis of the personal data you hold. Focus on the riskiest areas of data processing, i.e. any files holding health or criminal offence data. Then ensure that you monitor compliance with this plan and record this in your record of processing.
Retention periods
The GDPR states that personal data should be kept for no longer than necessary for the purpose for which it was processed. Data subjects must now be provided with information about the retention period for personal data at the point that data is collected, through the fair processing information that you provide them with.
As part of your record of processing, you will need to identify what personal data you hold, the purpose for which it is held and the relevant retention period for that personal data.
Law Society of Scotland guidance
The Law Society will be updating its guidance on the ownership and destruction of files in response to the introduction of the GDPR.
It is important to note that this will only deal with client files and will provide guidance on different types of client files. The onus is on each organisation to decide how long to keep personal data under the GDPR, although the retention period should be guided by legal requirements and professional guidelines. The Information Commissioner’s Office states that if an organisation keeps personal data to comply with a requirement like this, it will not be considered to have kept the information for longer than necessary.
There will be several examples within the sector where the guidance is that papers should be kept indefinitely because it is very difficult to predict when they may still be required for the purpose of providing legal advice. This should be reviewed on a systematic basis.
Consideration will also have to be given to how long human resources records are retained in relation to staff.
Our firm is recording the retention times in the record of processing.