Choosing a Data Retention Period for UK companies
Written by Alex Franch Tapia
Updated over 3 months ago

Data Retention Periods for SaaS Platforms: A UK Perspective

In today's digital age, data is the new gold. For SaaS platforms, this data often includes information from customers or employees. But how long should this data be retained? Let's delve into the UK guidance on this matter.

The Storage Limitation Principle

According to the UK's Information Commissioner's Office (ICO), the principle of storage limitation is clear: you must not keep personal data for longer than you need it. Here are some key takeaways:

  1. Purpose of Holding Data: The duration for which you retain data should be justifiable based on the purposes for holding that data.

  2. Retention Policy: It's essential to have a policy that sets standard retention periods, wherever possible, to comply with documentation requirements.

  3. Regular Review: Periodically review the data you hold and erase or anonymise it when it's no longer needed.

  4. Right to Erasure: Individuals have the right to erasure if you no longer need the data.

  5. Public Interest Archiving: Data can be kept longer if it's only for public interest archiving, scientific or historical research, or statistical purposes.

Setting Retention Periods

The UK GDPR doesn't specify exact time limits for different types of data. Instead, it's up to individual organisations to determine and justify these periods. Here are some factors to consider:

  • Stated Purposes: Data can be retained as long as one of the processing purposes still applies. However, retaining data indefinitely "just in case" is not recommended.

  • Legal or Regulatory Requirements: Some laws or regulations might require certain records to be kept for a specific period.

  • Industry Standards: Industry guidelines can serve as a starting point for determining retention periods. For instance, credit reference agencies in the UK keep consumer credit data for six years.

  • Privacy Impact: Always balance your data retention needs with the potential impact on individuals' privacy.

Practical Examples:

1. Employee Data After Termination of Employment:

From the information provided earlier, an employer should review the personal data it holds about an employee when they leave the organisation's employment. While some data, like references or pension details, might be retained for future requirements (e.g., providing references or pension arrangements), other data that is unlikely to be needed again should be deleted. This includes details like the employee’s emergency contact details, previous addresses, or death-in-service beneficiary details.

2. Data from Potential Job Applicants:

Unless there's a clear business reason, the employer should not keep recruitment records for unsuccessful applicants beyond the statutory period in which a claim arising from the recruitment process may be brought. However, if you wish to consider these applicants for future opportunities, you might retain their data with their consent, but it's essential to review and update this data periodically.

3. Customer/Account Data:

A social media platform might retain personal data about its customers, such as address and date of birth, for as long as the customer has an account. Even after closure, some data might be retained for legal or operational reasons for a set period; the rest will be deleted after a set period of time from the last login. This period is for the company to decide, and it should aim to strike a balance between not keeping the data for longer than necessary and the practical needs of the business. For example, you could say you'll keep the data for 30 days after the end of the contract if the data is sensitive, or up to a year if not.

4. HMRC Guidance on Customer or Transactional Data:

According to HMRC's guidance, the default standard retention period for records is 6 years plus the current year, often referred to as 6 years + 1. This means that records should be kept for a total of 7 years. This period is defined as 6 years after the end of the last company financial year the records relate to. This guidance is particularly relevant for transactional data or any data that might be relevant for tax purposes.

