The General Data Protection Regulation (GDPR), which applies to the processing of personal data, came into force on 25 May 2018. It sets out obligations on data controllers (who exercise overall control of the personal data being processed and are ultimately in charge of and responsible for the processing) and processors (who act on behalf of the relevant controller and under their authority), and provides strengthened protections for data subjects.
Data retention remains one of the most challenging GDPR compliance requirements for accountants. Because of its complexity and its dependence on the legal basis of the data collection, it is one of the most misunderstood topics.
Processing is defined in Article 4(2) of the GDPR with three relevant processing operations for data retention: storage, destruction and the right to erasure. The right to erasure, sometimes called the ‘right to be forgotten’, is detailed in Article 17.
Is it processing?
Erasure operates in conjunction with the storage limitation principle in Article 5 to govern data retention. There are two points to consider:
- Case law has established that processing presupposes an act in the sense of a human activity. Therefore, storing data with no intention to use it is not processing. Personal data stored on backups can be retained if the controller is not able, or will not attempt, to use the data to make any operational decisions about any individual or in a way that affects them, and there are technical and organisational controls.
- Furthermore, personal data should not be kept in a form that permits identification of individuals for longer than is necessary for the purposes for which the personal data is processed. Nevertheless, data may be stored for longer periods where the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes where there are appropriate technical and organisational measures.
A matter of time
However, a controller must determine, at the time of collection, the period for which personal data will be stored. At a minimum, any retention policy should set out how the controller will regularly verify whether the data continues to be needed for the purposes of the processing.
The accountant controller is required to inform individuals (data subjects), in its transparency notice, of the period for which personal data is stored or how it determines when that data will be erased. Furthermore, the purpose test in Article 17(1)(a) says that the controller has an obligation to erase personal data when it is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
Case law has consistently held that the principles of data protection require the retention of personal data to be foreseeable and proportionate in relation to the collection purpose, so retention periods must be limited to that purpose. Courts in general have not allowed the indefinite retention of personal data records as it is not considered proportionate.
The accuracy principle in Article 5(1)(d) requires that personal data be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
In summary, there are six legal bases for retaining personal data and additional restrictions for special-category data that need to be considered, but not all of the choices can be exercised by a controller.
Right to erasure
Individuals have a right to have personal data erased and to prevent processing if one of the below conditions applies:
- the individual withdraws consent
- the individual objects to the processing based on legitimate interest or public interest and there is no overriding legitimate interest for continuing the processing. Where direct marketing or profiling is based on legitimate interest, the individual only needs to object
- the personal data was collected in relation to the offer of information society services – such as websites, apps, search engines, online marketplaces and online content – to a child based on parental consent
Therefore, in relation to processing of data based on consent, public interest (sometimes) and legitimate interest, it is the individuals who have the right to erasure.
A controller, on the other hand, has obligations to erase the data:
- where the personal data is no longer necessary in relation to the purpose(s) for which it was originally collected/processed
- where the personal data was unlawfully processed
- where the personal data must be erased in order to comply with a legal obligation
Controller requirements
Data retention policies need to work through the conditions above to determine which one applies. Laws themselves only dictate minimum or maximum retention periods, which is the legal-obligation ground under Article 17(1)(e). The controller ultimately needs to consider whether the data should still be retained for a particular purpose under Article 17(1)(a).
The right can also be facilitated by moving the selected data to another processing system, making it unavailable to users or temporarily removing published data from a website.
There are also five exceptions for refusing to erase data – including for a legal obligation – that cover tax, employment and accounting records.
Processor requirements
Where an accountant is acting as a processor, which is common in payroll or insolvency matters, they should normally return the data to the controller at the end of the period of processing contained in the processing agreement required under Article 28, unless there is a legal obligation or another legal basis to retain. For example, in a legal dispute there might be a legitimate interest to retain and the accountant is then acting as the controller.
Retention schedule
Accountants can make sense of this complex list of rules with data protection policies to establish standards and procedures from the collection of personal data to its erasure/destruction. Record management practices should follow best practices and minimum legislative requirements, meeting the ‘data minimisation’ and ‘storage limitation’ principles. In regulator investigations, fines have been imposed where there was a failure to follow the controller’s own data retention policies.
Accountants should consider the following principles:
- A record should be retained/reviewed in accordance with the retention schedule through regular audits to determine whether a record is necessary.
- The destruction of records should require approval on a regular basis and be defined in the policy.
- Computer systems and software should be monitored and maintained in such a manner as to ensure the preservation and integrity of stored electronic records for the duration of assigned retention periods.
More information
Further resources on aspects of GDPR implementation include:
- ACCA guide to data protection responsibilities
- Brendan Quinn’s Data Protection Implementation Guide: A Legal, Risk, and Technology Framework for the GDPR