Maximum number of cars added to compare list.

What's your postcode?

We need your postcode in order to provide accurate search results.

Enquire

Enter your first name
Enter your last name
Enter your phone number

Got a part exchange?

Tell us your reg plate and receive a part exchange valuation on your car?

What's this?

Compare cars side by side to save time clicking backwards and forwards between them.

ARE YOU READY FOR THE GENERAL DATA PROTECTION REGULATION PART 7Back

Data Retention

The GDPR has effectively rewritten the Data Protection Directive, the mainstay of current data protection regime. From May 2018, the GDPR will have a significant effect on your responsibilities when storing data and the uses you can put data to. All businesses are affected, particularly where they use customer details for marketing purposes or exchange them with other businesses in any way. Failure to get this right can result in fines, or worse.In this the seventh of our series covering this significant change to the law, we look in more detail at the requirement for reasonableness when storing and retaining data.

Data Retention and Storage

There have always been controls over data retention and storage. Under the Data Protection Act 1998 (DPA) businesses were required to retain data only for no longer than necessary for the purpose for which it was obtained and then to destroy it securely.

To comply, businesses were required to review the length of time data was kept considering the purposes for which it was held, and compare it to the information given at the time of collection. In practice few, if any, considered this and many businesses decisions whether to retain data depended on the practical requirements of storing documents and data.

Data Retention Policy under the GDPR

Under the GDPR the position regarding data retention and disposal remains broadly the same. Article 5 (1) (e) states that data should be

“kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;…”

What does this mean in practice?

The position will remain broadly the same after 25 May 2018. Any data retention policies that were suitable for the DPA will likely remain suitable for the GDPR. However, it would be prudent to review your business’s position with regards data retention to ensure that the period for which it is retained is necessary and can be reasonably justified if required.

It will be reasonable to keep FCA regulated data for at least the retention periods required by the FCA. It will be reasonable to retain employee pay records for at least the period required by the HMRC for tax purposes. It will be reasonable to keep any documents related to a contract for at least six years from the date of the contract (and potentially the end of any finance period).

To Do

Going forward you should consider what types of data your business collects and the reason for its collection. You will then be able to set a Data Retention Policy that suits your business. Below is a non-exhaustive list of the types of scenarios where personal data will be captured.

Type of Data Retention Period Justification
Application forms and notes of interviews
Personnel files
Pay Records
Medical records
Customers details provided for a quotation
Customers details provided for a service or sale
Customers details provided for marketing purposes
CCTV
Accident/Injury Report

Conclusion

Data retention in itself has never been a priority for ICO enforcement, and this is likely to continue under the GDPR. However, retaining too much data for too long does increase the risks of a data breach. That said, businesses will require data for a number of reasons, not least defending themselves in legal disputes such PPI claims or contract disputes. A good Data Retention Policy will not only help reduce the risks of a breach, but also ensure that a business has sufficient information to defend itself and comply with its legal obligations.

The above is a very broad overview of one aspect of the GDPR. The legislation and guidance is still developing in the weeks and months in the run up to their implementation. This advice is general in nature and we will endeavor to keep you informed through regular articles and case studies.

Remember, as an RMI member you have access to the RMI legal advice line, as well as a number of industry experts for your assistance. Should you require further information in respect of the article above, contact the legal advice line at any stage for advice and assistance as appropriate.

Motor Industry Legal Services

Motor Industry Legal Services (MILS Solicitors) provides fully comprehensive legal advice and representation to UK motor retailers for one annual fee. It is the only law firm in the UK which specialises in motor law and motor trade law. MILS currently advises over 1,000 individual businesses within the sector as well as the Retail Motor Industry Federation (RMI) and its members.

 

Posted by Sue Robinson on 02/02/2018