GDPR Compliance Journey - 09 Retention

Gydeline
23 Apr 2018 | 03:09

Summary

TLDR: This video script from the GDPR compliance series discusses the importance of data retention policies under GDPR. It clarifies that GDPR does not specify data retention periods but requires organizations to inform individuals about their data retention duration and methods. The script outlines a two-step approach: setting a retention policy and implementing it through regular data cleansing exercises. It provides examples of retention periods for different types of information, emphasizing the need for clarity and compliance in data management.

Takeaways

  • 📜 The GDPR does not specify a data retention period but requires organizations to inform individuals about how long their data will be retained.
  • 📝 There are two main steps for data retention: setting the retention time and having a policy, and implementing that policy effectively.
  • 🔍 Organizations must have a clear retention policy that details how long different types of information will be kept.
  • 🗓️ The retention policy includes specific time frames for various categories of information, such as financial, insurance, tax, and personal data.
  • 💼 For example, information gathered on a website for service promotion is retained for 12 months from the date of consent, while job application data for unsuccessful candidates is kept for six months after notification.
  • 👩‍💼 Employee personal information and employment records are retained for five years after employment ends.
  • 🧹 Implementing the retention policy involves regular data cleansing exercises, scheduled every six months, to ensure compliance with the policy.
  • 🛠️ Data cleansing processes include specific actions within the organization's CRM system to clean up data according to the retention policy.
  • 🔒 The importance of having a retention policy is emphasized for transparency and compliance with data protection regulations.
  • 🔄 The video script suggests a structured approach to data retention, highlighting the need for both policy creation and implementation.
  • 📚 The next topic to be discussed in the series is data portability, indicating a continued focus on compliance and data management.

Q & A

  • What is the main topic discussed in the video script?

    -The main topic discussed in the video script is data retention policies and practices in compliance with the General Data Protection Regulation (GDPR).

  • Does the GDPR specify how long data should be retained?

    -No, the GDPR does not specify the exact duration for data retention, but it requires organizations to inform individuals about how long their data will be kept and how the retention period is determined.

  • What are the two steps an organization should take regarding data retention according to the script?

    -The two steps are: 1) Setting the retention time and having a policy in place, and 2) Implementing that policy through regular data cleansing exercises.

  • What is the duration for retaining information gathered on the website for promotional purposes as per the script?

    -According to the script, information gathered on the website for promotional purposes is retained for 12 months from the date of consent being provided.

  • How long are the documents related to unsuccessful job applicants retained as per the policy mentioned in the script?

    -The documents related to unsuccessful job applicants are retained for six months from the date of notification to the candidate.

  • What is the retention period for the personal information of employees as stated in the script?

    -The personal information of employees, including employment records, is retained for five years after the employment ceases.

  • What is the frequency of the data cleanse exercise mentioned in the script?

    -The data cleanse exercise is scheduled to take place every six months.

  • What is the purpose of the data cleanse exercise as described in the script?

    -The purpose of the data cleanse exercise is to go through the entire retention policy and clean up any data according to the set guidelines, ensuring compliance with the data retention policy.

  • What is the importance of having a clear data retention policy as per the script?

    -Having a clear data retention policy is important for transparency and compliance with GDPR, as it informs individuals about how long their data will be kept and how the retention period is determined.

  • What is the next topic that will be discussed in the series according to the script?

    -The next topic to be discussed in the series is data portability.

  • What is the overall goal of the video script in terms of compliance?

    -The overall goal of the video script is to help viewers understand and implement data retention policies in a way that simplifies compliance with GDPR.

Outlines

00:00

📝 GDPR Data Retention Policy Overview

This paragraph introduces the topic of data retention in the context of the General Data Protection Regulation (GDPR). It clarifies that GDPR does not specify exact durations for data retention but requires organizations to communicate their data retention periods to individuals. The speaker outlines the two-step process for compliance: setting a retention time and policy, and implementing that policy effectively. The video script also mentions a policy document that details the organization's approach to data retention, including specific durations for different types of information such as financial, insurance, tax, website user data, job applicant data, and employee records.

Keywords

💡Data Retention

Data retention refers to the policy or schedule that determines how long an organization retains personal data. In the video, it is the central theme as it discusses the General Data Protection Regulation (GDPR) requirements for data retention periods and the importance of informing individuals about these periods. The script mentions that while GDPR does not specify exact durations, it mandates that organizations must communicate their data retention policies to the data subjects.

💡GDPR

The General Data Protection Regulation (GDPR) is a regulation in EU law that focuses on data protection and privacy for individuals within the European Union. The video script uses GDPR as a framework to discuss data retention policies, emphasizing the necessity for organizations to establish and communicate their data retention practices in compliance with this regulation.

💡Policy

In the context of the video, a policy refers to the set of rules or principles laid down by an organization to guide its actions. The script outlines the importance of having a data retention policy, which includes specifying the duration for which different types of data will be kept, and how the organization will determine these durations.

💡Retention Time

Retention time is the specific duration for which data is kept before it is destroyed or anonymized. The video script discusses the need to set a retention time as part of the data retention policy, providing examples such as retaining website information for 12 months and job applicant information for six months.

💡Information Retention Policy

An information retention policy is a formal document that outlines how long an organization retains different types of information. The script provides an example of such a policy, detailing specific retention periods for financial, insurance, tax information, as well as personal data related to individuals and employees.

💡Data Cleansing

Data cleansing, as mentioned in the script, is the process of reviewing and removing outdated or unnecessary data from a database according to a set retention policy. The video describes a regular data cleanse exercise that takes place every six months to ensure compliance with the organization's data retention policy.

💡CRM

CRM stands for Customer Relationship Management, which is a system used to manage a company's interactions with current and potential customers. In the video, the CRM system is specifically mentioned as a tool through which the organization processes data cleansing in accordance with their retention policy.

💡Consent

Consent in the context of data protection laws like GDPR refers to the affirmative agreement from an individual to the processing of their personal data. The script mentions that data gathered on the website for service promotion and delivery is retained for 12 months from the date consent is provided.

💡Job Applicant Information

The script discusses the specific retention policy for job applicant information, stating that data and documents related to unsuccessful job applicants will be retained for six months from the date of notification to the candidate. This highlights the organization's approach to handling personal data of individuals during the recruitment process.

💡Employment Records

Employment records refer to the documentation related to an individual's employment history, including personal information, job performance, and other relevant data. The video script specifies that an organization will retain employment records and related personal information for five years after the employment ceases.

💡Data Portability

Although not extensively discussed in the script, data portability is mentioned as a topic for a future video. It refers to the ability of data subjects to request and transfer their personal data between different service providers or platforms. The script implies that this is another aspect of data protection and compliance under regulations like GDPR.

Highlights

GDPR does not specify a data retention period, but requires organizations to inform people about how long they will keep data or how they determine retention time.

There are two key steps for data retention under GDPR: setting a retention time and having a policy, and implementing that policy.

Organizations must have a clear retention policy that details how long they will keep different types of information.

The company's retention policy includes specific time frames for retaining business information, such as financial, insurance, and tax records.

For personal data, the policy specifies retention periods for website visitor data, job applicant information, and employee records.

Website visitor data is retained for 12 months from the date of consent.

Unsuccessful job applicant information is retained for 6 months from the date of notification.

Employee records and personal information are retained for 5 years after employment ceases.

Having a clear retention policy helps organizations know what information they hold and for how long.

Implementing the retention policy is the second key step, which involves regularly reviewing and updating data according to the policy.

The company conducts a biannual data cleanse exercise to ensure compliance with the retention policy.

Specific processes are in place to clean up data from the CRM system based on the retention policy.

Data retention is an important aspect of GDPR compliance that requires careful policy development and implementation.

Clear communication about data retention practices helps build trust with customers and employees.

Regularly reviewing and updating data retention policies ensures ongoing compliance with GDPR requirements.

Automating data cleansing processes can help organizations efficiently manage data retention.

Data portability will be the topic of the next video in the compliance journey series.

Transcripts

00:00

[Music]

00:03

Hi and welcome back to GDPR compliance journey, and what a glorious day, and what could be better than talking about data retention. First things say is that as far as the GDPR is concerned it doesn't say anything about how long you have to keep data for, is there's nothing in there about that, but what you do have to do is tell people how long you're gonna keep it or how you're gonna work out how long you're going to keep it.

00:31

So really there's two steps as far as retention Inc is concerned: one is to set the retention time and to have a policy, and step two really is to have a means of implementing that policy. So we'll take you through the policies that Gydeline have put in place and then we'll talk about how we implement those policies.

00:54

Those of you that have watched our previous videos will have seen our approach to policy. I've pulled up our information retention policy and I have a printout of that policy available, and here's the collection of statements that make up our retention policy. So in here we have detailed how long we are going to keep the information relating to our business, so there are some business information here around how long we retain financial, insurance and tax information, but there's also information that relates to individuals.

01:36

So the first statement: information gathered on our website for the purpose of promoting and delivering our service is retained for 12 months from the date of consent being provided. And if somebody applies for a job with Gydeline we have a policy statement here that says information and documents relating to unsuccessful job applicants will be retained for six months from date of notification to the candidate. And if we're talking about personal information of employees we say the employment records and so forth will retain through five years after employment ceases. So we've been very clear about what information we hold and how long we are going to retain it for across the business.

02:22

Now as I said there's a second step, which is to implement those policies. So we have a regular data cleanse exercise scheduled and that takes place every six months, where we run through the entirety of our retention policy, and we have specific processes that go through our CRM and clean up any data according to the retention policy.

02:53

So as always we hope you found that useful. Next time we're going to be talking about data portability, and so until then, as always, we hope you find your compliance simple.
