Ensuring compliance with our regulatory obligations is vital to the operation of our business. From the way we handle customer personal data to the security of employee data, it is important that we are compliant with the law and maintain good data governance procedures.
This policy is important as it sets out our policies for keeping personal data and when personal data should be deleted.
Please read this policy in full and ensure that you are familiar with its content. If you have any questions about this policy, please contact Andrew Stanley.
1.1 We are under a legal obligation to keep personal data for no longer than is necessary for the purpose for which we process the personal data. That means that we cannot keep data forever or just because it is convenient for us. We must have a specific business reason to process the personal data and that justification will be an important factor in determining the length of time for which we can process personal data. Personal data that is kept for longer than is strictly necessary represents a significant and unnecessary risk for us.
2.1 To ensure that we comply with our legal obligations, we have set out guideline retention periods in Annex 1. Please note that the periods are only best practice guidelines and there may be times when it is inappropriate to delete the data.
3.1 We must ensure that we securely delete personal data on the expiry of the time periods set out above and our Data Protection Officer is responsible for identifying records that have met their required retention period and supervising their destruction. If you believe that your documents are approaching the end of the retention period, please highlight this to Andrew Stanley in good time.
3.2 It may not always be appropriate to delete personal data after the expiry of the retention period. We may be able to take other steps to ensure that we comply with the law. For example, we may be able to anonymise the data in such a way that an individual can no longer be identified from the data.
3.3 If you have any concerns about the deletion of data after the expiry of the retention periods above or if you are considering taking steps to anonymise personal data, please speak to Andrew Stanley.
4.1 The effectiveness of this policy depends on our employees. If you feel that you or someone else has violated this policy, please report the incident to Andrew Stanley.
6.1 We will periodically review this policy and its procedures to ensure that we always operate in accordance with the law. That means that we may check from time to time that this policy is being correctly followed and complied with.