ProvePrivacy Logo | Blue Green

Back to home


Data Retention

Controls Management | ProvePrivacy | Article Image 4

Data should be retained only for as long as it is necessary.  This means you will need to retain data whilst it is required for the processing which you need it for, but it also means that you might be able to retain the data for longer if you have a legitimate reason to continue holding it.

The life of an information asset should pass through a number of stages:

  • Data collection
  • Data usage
  • Retention trigger point
  • Retention period
  • Data destruction.

A good data management process will therefore recognise when data is required for its original use and the trigger point for retention.  The retention period should always be ‘for as long as is necessary’ but this could be anywhere from immediate to many years.  The rationale for the retention and the period should be documented and finally, action should be taken when the retention period comes to an end.  This action may be ‘destruction’, but equally it may be to ‘review’ the retention period, for example where there is a significant risk of litigation.

A practical example of this can be analysed with a common information asset which most organisations would recognise:

Information Asset: Health Surveillance (H&S)

Retention Trigger: Last Incident

Retention Period: 40 years

Rationale: Health & Safety at Work Act 1974

An example of a good data retention schedule can be found on the ICO’s website:

You might also like

Scroll to Top

Contact us

If you would like to ask more questions or to arrange training, complete the form below and we will respond shortly.

See our Privacy Statement for more details.

Get expert tips and business insights