You should set out your information retention periods and how you will erase or dispose of personal data, whether held electronically or in paper form.
For many firms, this issue will be challenging. Our advice is to create a retention plan and work towards compliance using a risk-based analysis of the personal data you hold. Focus on the riskiest areas of data processing, i.e. any files holding health or criminal offence data. Then ensure that you monitor compliance with this plan and record this in your record of processing.
The GDPR states that personal data should be kept for no longer than necessary for the purpose for which it was processed. Data subjects must now be provided with information about the retention period for personal data at the point that data is collected, through the fair processing information that you provide them with.
As part of your record of processing, you will need to identify what personal data you hold, the purpose for which it is held and the relevant retention period for that personal data.
Law Society of Scotland guidance
The Law Society will be updating its guidance on the ownership and destruction of files in response to the introduction of the GDPR.
It is important to note that this will only deal with client files and will provide guidance on different types of client files. The onus is on each organisation to decide how long to keep personal data under the GDPR, although the retention period should be guided by legal requirements and professional guidelines. The Information Commissioner’s Office states that if an organisation keeps personal data to comply with a requirement like this, it will not be considered to have kept the information for longer than necessary.
There will be several examples within the sector where the guidance is that papers should be kept indefinitely because it is very difficult to predict when they may still be required for the purpose of providing legal advice. This should be reviewed on a systematic basis.
Consideration will also have to be given to how long human resources records are retained in relation to staff.