First of all, there is one significant question to be answered:
Is this data "Identifiable"?
In other words, can this data, either on its own or when used with other data you have, or may reasonably obtain in future, identify an individual person?
If data is identifiable, then the law says we must only keep it in that identifiable form for as long as is necessary to perform the purpose for which it was collected.
Let's look at some examples:
1. Orders, Invoices & Accounting Records
Most accounting records will likely name individual persons, whether that is the accounting contact, finance manager or the end customer. That means that invoices, orders, emails or other records relating to an order are all personal data of that individual.
2. Records of Conversations, Call Recordings, Emails, Notes
Even a hand-written note is the personal data of an identifiable person if anything on it names an individual or references some other data source which names the individual. The same applies if the note carries no identification itself but is stored in a folder pertaining to a person.
Recorded telephone calls, screen recordings, even CCTV or employee photos, all of which can commonly be related to a user ID, employee number, workstation login or name, also classify as identifiable personal data where there is a trail that can lead back to an individual person.
One very commonly missed area is email, particularly emails between a person's line manager and others in the business which discuss that individual, in any context. If either party can identify whom those emails concern, those emails are also identifiable personal data.
3. IT System Logs (User Access, Audit Histories, Permissions Records)
These may commonly only contain a user ID, but that user ID can be traced back to an email or an employee.
We have seen cases where employees share computers, or even share logon IDs (which is very much frowned upon for security reasons), but where the logs, in conjunction with CCTV, employee shift patterns, emails or timeclock data, can identify which employee was using that workstation. For example, Joe and Steve work in the warehouse and are the only people who use Computer A. Joe is working 9am to 5pm, Steve from 5pm to midnight. An entry recorded against Computer A at 11am is therefore more likely than not Joe.
4. Data Subject Requests
In order to comply with the GDPR we're required to maintain records of Data Subject Requests, which are, in themselves, the personal data of the people who make those requests.
So, "identifiable personal data" really can be almost any data we process which has any relationship to an individual.
Deciding how long we can keep it will therefore not always be a simple process. We must consider:
- What purpose retaining that information serves for the business
- Is there any overriding legal obligation to retain that information?
- Is there any other "legitimate interest" to keep it for a given period, such as "bringing or defending a legal claim"?
- Would it be considered "Fair, Necessary and Proportionate" to keep the data, in its entirety or even in part, by a reasonable person who has no particular interest in that data?
- Could the business take any steps to separate useful "business information" from "identifiable personal information", to render the business information anonymous to all but a controlled group of people for explicit purposes, like legal obligation or legal claims?
So how long can you keep data in an identifiable form?
There is no hard and fast answer to this question; it has to be a fair and reasonable judgement based on your own unique evaluation.
The law says we can only keep data in an identifiable form for as long as it serves the purpose for which it was originally collected. In the case of an order, you may consider that once that order is fulfilled, you delete it. For the invoice that goes along with it, you are required by law to keep that for 7 years.
If the product sold has a 10 year warranty, you would be within your reasonable rights to retain the order and/or invoice for 10 years from the date of purchase. Or perhaps, if your historic analysis shows people have made warranty claims up to 15 years after purchase, even though the warranty has expired, you could legitimately retain those records for 15 or even 20 years in order to protect your interest in detecting invalid claims.
Keep data for only as long as it is necessary, fair and proportionate.