Storing personal data under GDPR can take a while to get comfortable with, and doing it well means understanding both the law and what it requires of your business.
This page outlines the basics: how long data can be kept, the rights individuals have over it, the security measures expected of you, and where GDPR applies in your business. It is intended as a framework for getting started and as a set of next steps as you work towards full GDPR compliance.
Below you'll find a breakdown of the key terms, followed by the measures you can take today.
How long can personal data be stored under GDPR?
GDPR does not set a single retention period. "Personal data" is any information relating to an identified or identifiable living person: who they are, where they live, what they do, and any identifier such as a name, account number or online identifier. A narrower class, "special category data" (for example political opinions, religious or philosophical beliefs, health, sexual orientation and biometric data), attracts stricter rules. How long either can be kept will differ from business to business.
The storage limitation principle requires that personal data is kept in an identifiable form for no longer than is necessary for the purpose it was collected for, so the aim should be the shortest period you can justify, documented in a retention schedule. Subscriptions, warranties, employment and tax record-keeping duties, and archiving for historical or statistical research are some of the factors that legitimately lengthen that period.
What is consent for data storage?
Consent is only one of the six lawful bases for processing personal data under GDPR (the others are contract, legal obligation, vital interests, public task and legitimate interests), so you do not always need it, but where you rely on it, it has to be valid.
Valid consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action. In practice that action can be:
- Signing a form
- Saying "yes" to a recorded verbal request (e.g. on a phone line)
- Replying to an email to confirm
- Selecting an "opt in" button online (a pre-ticked box does not count)
- Granting permission through a user dashboard or other UI
You must keep a record of what the person consented to, when and how, and they can withdraw consent at any time as easily as they gave it. If you want to use the same data for a purpose that is incompatible with the one you stated when you collected it, you need fresh consent for the new purpose (or another lawful basis that covers it).
What is the right to data access?
To be GDPR compliant you need to respect an individual's rights under the regulation, including the right of access. This means that, on request (a "subject access request"), you must give someone a copy of the personal data you hold about them and explain why you collect and store it, who you share it with, how long you keep it and where it came from. You must respond without undue delay and within one month (extendable by a further two months for complex requests), and normally free of charge.
A request can be made verbally or in writing, including via social media or email, and does not have to be addressed to any particular person or department; an employee can simply ask their line manager. In your response you must also tell the individual that they have the right to complain to the Information Commissioner's Office (ICO), or to another supervisory authority, if they are unhappy with how you handle their data.
What is the right to be forgotten?
The right to erasure means that, on request, you must delete a person's data where it is no longer needed for the purpose it was collected for, where they withdraw consent and you have no other lawful basis for keeping it, where it was processed unlawfully, or where they object to the processing and you have no overriding legitimate grounds to continue. The right is not absolute: you can refuse where you need the data to comply with a legal obligation or to establish, exercise or defend legal claims.
Again, this must be done without undue delay, and within the same one-month window as an access request. There is a wider responsibility too: if you have made the data public, you must take reasonable steps to tell other controllers that the person has asked for it to be erased, and any processor handling the data on your behalf must delete its copies on your instruction.
What is the purpose of data portability?
You'll use personal data in your day-to-day business, but the individual has a claim on it too. Where you process their data by automated means on the basis of consent or a contract, they have the right to receive a copy of the data they provided to you in a structured, commonly used and machine-readable format (for example CSV, JSON or XML), not a scanned print-out.
This is so that data subjects can reuse their own information, if they wish to, or move it to another data controller; where technically feasible they can ask you to transmit it directly to that controller.
What is a data protection officer, and does my business need one?
A data protection officer (DPO) is not sent by the ICO: it is someone your organisation appoints (an employee or an external contractor) to monitor your GDPR compliance, advise on data protection obligations and impact assessments, and act as the point of contact for the ICO and for data subjects. They must be able to act independently, report to the highest level of management and cannot be penalised for doing their job. Their remit covers all personal data you process, including online identifiers such as cookie IDs and IP addresses, which count as personal data in their own right.
Appointing a DPO is mandatory in three circumstances:
- You are a public authority or body (other than a court acting in its judicial capacity)
- Your core activities involve regular and systematic monitoring of individuals on a large scale (for example behavioural tracking or profiling)
- Your core activities involve large-scale processing of special category data, or of data relating to criminal convictions and offences
Even where none of these apply, you can appoint a DPO voluntarily, but once appointed the same legal requirements apply to the role.
Understanding legitimate interest and the other lawful bases, as well as the precise requirements of compliant data storage, leads to better, more practical rules for your organisation. Everyone who comes into contact with personal data will then know how and why it should be handled in a particular way.
Even so, you remain at risk of a breach. If one occurs you must assess it quickly: a personal data breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of becoming aware of it, and if the risk is high the affected individuals must be told as well. Getting legal advice early helps you navigate this. We can help with the consequences of failing to store data under GDPR correctly. Speak to us on 0333 200 5859. Our solicitors can advise on all of the issues discussed here.