Anonymisation and Retention
What does GDPR say about retention?
The GDPR does not specify maximum or minimum time periods for which personal data should be held. Instead, it says:
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
This is the fifth data protection principle. In practice, it means that you will need to:
- review the length of time you keep personal data;
- consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
- securely delete information that is no longer needed for this purpose or these purposes; and
- update, archive or securely delete information if it goes out of date.
A bit like keeping a tidy desk, it is good practice to regularly review the data you hold and archive or anonymise those data you no longer have a need to keep.
What is Anonymisation?
Anonymisation removes all the personally identifiable information from your customer records so no living individual could be identified were that data to be accessed.
By anonymising your data, you will still maintain important business information about sales to feed into your reporting and planning, whilst remaining GDPR compliant.
If you delete customer records, business information is lost unnecessarily.
When should I do it?
Each organisation has a different customer retention pattern, and we strongly advise that you find out what yours is before deciding on your retention period. Some organisations' customers lapse after 12-18 months; others might lapse after 6-7 years.
For Vital Statistics clients, we have written a simple report you can run on your customer database to identify your lapse rate. We have also developed additional functionality to automatically anonymise your data held in VS in line with your published retention period.
Tell us what your retention period is, and we will do the rest.
If you are not a VS client, call us on 0203 0211 622 for more information.
How to Anonymise my data
DO NOT DELETE YOUR CUSTOMER RECORDS!
By deleting your customer records you will lose valuable information about sales unnecessarily. Instead, we recommend that you replace the parts of the customer record that make it personally identifiable with the hash symbol, and include the date the anonymisation took place in at least one field.
For example:
John Smith might become ####15MAY2018####
Big House might become ####
Main Road might become ####
Cityville might become ####
XY43 9PP might become XY43 9##
Considerations:
- Be aware of leaving information that could unintentionally identify a customer, e.g. check notes fields, customer service comments, complaints etc.
- Ensure all look-ups are anonymised. For example, if you had downloaded a complete list of your customer database into Excel, with the customer reference number against each name and address, then the ticketing system is NOT anonymised, because the customer reference number could still be used as a lookup against that Excel file.
- Could the data you are keeping be combined with other data to identify an individual? For example, you might keep the postcode, or you might have appended the latitude and longitude of the customer's address. On its own that data doesn't reveal the customer's address, but as soon as you combine it with other data (i.e. an address lookup file that has Lat Long against it) you have the customer's address, which under GDPR would reasonably constitute PI.
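One way to apply the masking described above to lapsed customers while leaving the sales rows untouched, as an added example (not Vital Statistics' own code). The SQLite database, the table and column names and the 548-day retention period are assumptions made for illustration.

```python
import sqlite3
from datetime import date, timedelta

MASK = "####"
MONTHS = "JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC".split()

def mask_postcode(pc):
    """Mask the last two characters, as in the page's example: XY43 9PP -> XY43 9##."""
    pc = (pc or "").strip().upper()
    return pc[:-2] + "##" if len(pc) >= 5 else MASK

def anonymise_lapsed(conn, retention_days, today):
    """Mask PII for customers whose most recent sale is older than the retention period."""
    cutoff = (today - timedelta(days=retention_days)).isoformat()
    # The date of anonymisation goes into the name field, e.g. ####15MAY2018####
    stamp = f"{MASK}{today.day:02d}{MONTHS[today.month - 1]}{today.year}{MASK}"
    # Customers with no sales at all have MAX() = NULL and are not selected here.
    ids = [r[0] for r in conn.execute(
        "SELECT c.id FROM customers c WHERE c.name NOT LIKE '####%' AND "
        "(SELECT MAX(s.sold_on) FROM sales s WHERE s.customer_id = c.id) < ? "
        "ORDER BY c.id", (cutoff,))]
    for cid in ids:
        pc = conn.execute("SELECT postcode FROM customers WHERE id = ?", (cid,)).fetchone()[0]
        # Free-text notes are masked too, since they can identify a customer.
        conn.execute(
            "UPDATE customers SET name = ?, house = ?, street = ?, town = ?, "
            "postcode = ?, notes = ? WHERE id = ?",
            (stamp, MASK, MASK, MASK, mask_postcode(pc), MASK, cid))
    conn.commit()   # rows in the sales table are never touched
    return ids

def demo():
    """Constructed sample data: one lapsed customer, one recent customer."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name, house, street, town, postcode, notes);
        CREATE TABLE sales (customer_id, sold_on, amount);
        INSERT INTO customers VALUES
          (1, 'John Smith', 'Big House', 'Main Road', 'Cityville', 'XY43 9PP', 'Rang about a refund'),
          (2, 'Jane Doe', 'Small House', 'Side Road', 'Townton', 'AB12 3CD', '');
        INSERT INTO sales VALUES (1, '2015-03-01', 40.0), (1, '2016-04-10', 25.0), (2, '2018-05-01', 30.0);
    """)
    return conn, anonymise_lapsed(conn, retention_days=548, today=date(2018, 5, 15))

if __name__ == "__main__":
    conn, ids = demo()
    print("anonymised ids:", ids)
    for row in conn.execute("SELECT * FROM customers"):
        print(row)
```

The customer id stays in place as the join key to the sales rows, so any export that maps that id to a name or address has to be anonymised or destroyed as well, as the look-up consideration above requires.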
Which bits of data are not PII?
Any information that cannot be used to identify an individual does not need to be anonymised.
For example, once you have anonymised the customer contact house name or number and customer name, you may choose to keep the postcode. This decision should be taken based on your organisation's attitude to risk and the likelihood of a lone postcode being accessed and used maliciously.
KEEP YOUR SALES DATA!
With the customer contact information removed, the sales data is still of value to your organisation so do not delete this.