Anonymisation, Retention and Deletion
What does GDPR say about retention?
The GDPR does not specify maximum or minimum time periods for which personal data should be held; instead, it says:
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
This is the fifth data protection principle. In practice, it means that you will need to:
- review the length of time you keep personal data;
- consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
- securely delete information that is no longer needed for this purpose or these purposes; and
- update, archive or securely delete information if it goes out of date.
A bit like keeping a tidy desk, it is good practice to regularly review the data you hold and to archive or anonymise the data you no longer need to keep.
What is Anonymisation?
Anonymisation removes all the personally identifiable information from your customer records so no living individual could be identified were that data to be accessed.
By anonymising your data, you will still maintain important business information about sales to feed into your reporting and planning, whilst remaining GDPR compliant.
If you delete customer records, business information is lost unnecessarily.
When should I do it?
Each organisation has a different customer retention pattern, and we would strongly advise that you find out what yours is before making a decision on your retention period. Some organisations' customers lapse after 12-18 months; others might not lapse for 6-7 years.
For P7 clients, we have written a simple report you can run on your customer database to identify your lapse rate. We have also developed additional functionality to automatically anonymise your data held in VS in line with your published retention period.
If you are not a P7 client, call us on 0203 0211 622 for more information.
How to Anonymise my data
DO NOT DELETE YOUR CUSTOMER RECORDS!
By deleting your customer records you will lose valuable information about sales unnecessarily. Instead, we recommend that you anonymise the bits of information in the customer record that make it personally identifiable by overwriting them with the hash symbol, including the date the anonymisation took place in at least one field.
For example, John Smith might become ####15MAY2018####, and the rest of the record would change as follows (before -> after):
Name: John Smith -> ####15MAY2018####
Address line 1: Big House -> ####
Address line 2: Main Road -> ####
Postcode: XY43 9PP -> XY43 9##
- Be aware of leaving information that could unintentionally identify a customer, e.g. check notes fields, customer service comments, complaints etc.
- Ensure all look-ups are anonymised. For example, if you had downloaded a complete list of your customer database into Excel with the customer reference number against each name and address, then the ticketing system is NOT anonymised, because the customer reference number could still be used as a lookup against that Excel file.
- Could the data you are keeping be combined with other data to identify an individual? For example, you keep the postcode or you have appended the latitude and longitude of the customer's address. On its own that data doesn't reveal the customer's address, but as soon as you combine it with other data (e.g. an address lookup file that has lat/long against it) you now have the customer's address, which under GDPR would reasonably constitute PII.
Which bits of data are not PII?
Any information that cannot be used to identify an individual does not need to be anonymised.
For example, once you have anonymised the customer's house name or number and the customer's name, you may choose to keep the postcode. This decision should be taken based on your organisation's attitude to risk and the likelihood of a lone postcode being accessed and used maliciously.
KEEP YOUR SALES DATA!
With the customer contact information removed, the sales data is still of value to your organisation so do not delete this.
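The following is an added example, not Purple Seven's code or the P7 report mentioned above. It shows the whole retention process described on this page on a simplified, constructed ticketing layout: identifying lapsed customers against a retention period, overwriting the identifying fields with hash symbols (date-stamped in the name field, postcode unit masked as in the XY43 9## example), scrubbing free-text notes, keeping the customer ID so the untouched sales rows still join, and checking an external export for leftover look-ups. Column names, sample customers and the regular expressions are assumptions for illustration.

```python
import re
from datetime import date, timedelta

# Constructed sample data (not real customers) in a simplified ticketing layout.
CUSTOMERS = [
    {"customer_id": 1001, "name": "John Smith", "address1": "Big House",
     "address2": "Main Road", "postcode": "XY43 9PP",
     "email": "john.smith@example.com",
     "notes": "Rang John Smith on 01234 567890 re: refund"},
    {"customer_id": 1002, "name": "Asha Patel", "address1": "4 The Green",
     "address2": "Hill Street", "postcode": "AB1 2CD",
     "email": "asha@example.org", "notes": ""},
]
SALES = [
    {"sale_id": 1, "customer_id": 1001, "event": "Hamlet", "amount": 45.0,
     "sale_date": date(2015, 3, 1)},
    {"sale_id": 2, "customer_id": 1002, "event": "Hamlet", "amount": 30.0,
     "sale_date": date(2018, 2, 10)},
    {"sale_id": 3, "customer_id": 1002, "event": "Macbeth", "amount": 28.0,
     "sale_date": date(2018, 4, 20)},
]
REVIEW_DATE = date(2018, 5, 15)   # the day the review runs (constructed)
RETENTION_DAYS = 2 * 365          # assumed published retention period

# Patterns for identifiers that tend to hide in free-text notes (assumptions).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
PHONE_RE = re.compile(r"\+?\d[\d\s-]{7,}\d")


def last_purchase(customer_id, sales):
    """Most recent sale date for a customer, or None if they never bought."""
    dates = [s["sale_date"] for s in sales if s["customer_id"] == customer_id]
    return max(dates) if dates else None


def lapsed_customer_ids(customers, sales, today, retention_days):
    """Customers whose last purchase is older than the retention period."""
    cutoff = today - timedelta(days=retention_days)
    return [c["customer_id"] for c in customers
            if (last_purchase(c["customer_id"], sales) or date.min) < cutoff]


def mask_postcode(postcode):
    """Keep area, district and sector; mask the unit letters: 'XY43 9PP' -> 'XY43 9##'."""
    pc = postcode.strip()
    return pc[:-2] + "##" if len(pc) > 2 else "##"


def scrub_free_text(text, name):
    """Redact e-mail addresses, phone numbers and the customer's own name from notes."""
    out = EMAIL_RE.sub("####", text)
    out = PHONE_RE.sub("####", out)
    for token in name.split():
        out = re.sub(re.escape(token), "####", out, flags=re.IGNORECASE)
    return out


def anonymise_record(record, today):
    """Overwrite identifying fields with '#', stamping the anonymisation date in
    the name field. customer_id is kept so sales rows still join; sales are untouched."""
    stamp = "####" + today.strftime("%d%b%Y").upper() + "####"   # e.g. ####15MAY2018####
    return {
        "customer_id": record["customer_id"],
        "name": stamp,
        "address1": "####",
        "address2": "####",
        "postcode": mask_postcode(record["postcode"]),
        "email": "####",
        "notes": scrub_free_text(record["notes"], record["name"]),
    }


def run_retention_review(customers, sales, today, retention_days):
    """Return the customer list with every lapsed customer anonymised."""
    lapsed = set(lapsed_customer_ids(customers, sales, today, retention_days))
    return [anonymise_record(c, today) if c["customer_id"] in lapsed else c
            for c in customers]


def export_still_identifies(export_rows, anonymised_ids):
    """Return customer_ids from an external export (e.g. an Excel dump) that still
    carry a real name against an anonymised record; that file re-identifies the
    customer and must be anonymised or destroyed too."""
    return [r["customer_id"] for r in export_rows
            if r["customer_id"] in anonymised_ids and not r["name"].startswith("####")]


if __name__ == "__main__":
    for row in run_retention_review(CUSTOMERS, SALES, REVIEW_DATE, RETENTION_DAYS):
        print(row)
    print("sales rows retained:", len(SALES))
```

Run as-is, John Smith (last purchase 2015) falls outside the two-year window and is anonymised, Asha Patel (active in 2018) is left alone, and all three sales rows survive. The free-text scrub is deliberately conservative: anything matching an e-mail, a phone number or the customer's name is overwritten, which matches the advice above to check notes and complaints fields rather than assume they are clean.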
If a customer requests to be deleted from your database you must comply "without undue delay" in the terms of the GDPR.
When Purple Seven acts as a processor of your data, we hold, essentially, a copy of your ticketing database, which is updated each night with any changes that have occurred on your master database. However, if you have DELETED a customer record, this cannot be updated on P7 systems because the record no longer exists. There are two approaches:
1. Anonymise: if, instead of deleting customer records, you choose to anonymise them as described above by removing all personally identifiable information, our systems will automatically detect the changes you have made and update the P7 copy of your data. In this instance, you do not need to contact us, as the process is automated.
2. Deletion: if you have deleted the customer record fully from your systems, you will also need to submit a request for this to be deleted from the P7 copy of your data. To ensure we are able to identify the correct customer and any associated or duplicate records, we will need some personal information that should only be supplied via secure, encrypted channels.
Requesting a Customer Deletion
1. Log in to your Case Management account
2. Raise a case for Customer Deletion
3. Supply information about the customer record to be deleted, including:
- Email address
- Customer ID (from your ticketing system)
- Customer ID (from P7 application)
NOTE: If you are aware the customer has multiple accounts on your ticketing system, please provide details for all.