GDPR & Data Retention Policies – Best Practices & Step-by-Step Guide for Small Businesses

6 October 2020

Small businesses often collect personal data about customers and employees during the ordinary course of their business operations.

However, many are unaware of the importance of having coherent policies and systems in place to ensure that they are compliant with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

The government body which regulates and enforces the provisions of the Act and the GDPR is the Information Commissioner’s Office (ICO). Large corporations have entire departments dedicated to the management of personal data collected as part of their day-to-day activities.

While the requirements for small businesses are not so onerous, it is important to have data compliance embedded in the standard corporate governance scheme of your business.

Brexit and data privacy law

The GDPR is an EU regulation which applies directly in the UK and is supplemented by the Data Protection Act 2018. The ICO has indicated that it does not expect Brexit to dramatically alter the legal requirements. However, depending on the terms of any deal reached with the EU at the end of the transition period, the ICO expects that the UK will be free to keep this legal framework under review.

What is personal data?

Personal data is defined in the Data Protection Act 2018 as any information relating to an identified or identifiable living individual, where “identifiable” means that the person can be identified, directly or indirectly, by means reasonably likely to be used by anyone. It is important to note that this relates to living individuals, so data about corporate entities is not caught by this legislation.

Personal data includes information such as a person’s full name, mobile phone number, address or credit card details. Simply put, it is any information which, on its own or pieced together with other information, could identify a person.

What is a data retention policy?

The ICO does not stipulate that a small business should have a written data retention policy. However, as a matter of good practice, it is advisable to have such a policy reduced to writing and easily accessible to customers and employees. In a small business environment, it would be permissible to combine the “retention” aspect with your overall data collection policy.

The policy must set out in clear terms:

  • What data is collected;
  • What that personal data will be used for;
  • How periodic reviews of the personal data will be undertaken;
  • The length of time your business will retain personal data;
  • How the personal data will ultimately be disposed of.

How long can you retain personal data?

This depends very much on the nature of your business and the purpose for which you have collected the data. The main principle is that you should not retain any personal data for longer than you need it. Certain information (such as any information required to be retained for legal or tax purposes, including VAT records, which HMRC requires you to keep for six years) has to be retained, by law, for a defined period of time, and your retention periods must allow for that.

Do you need a data retention policy?

As more businesses move online or have a strong digital component to their operations, the collection of data, for example by the use of website cookies, will inevitably increase. It is a matter of good business practice to have simple but effective policies in place to ensure that this data is managed lawfully.

What’s the importance of data retention policies?

Failure to have proper data retention policies in place can negatively affect a business. In serious cases, it could lead to a substantial fine from the Information Commissioner’s Office or even criminal proceedings. There is also the risk of severe reputational damage if sensitive personal data, collected as part of your business operations, was compromised to the detriment of the subject of that data.

How to create a data protection policy

A good data protection policy should offer your customers protection and also be entirely relevant to the needs and functioning of your business. The data protection policy should incorporate your data retention policy. To achieve that goal you must:

  • Step 1 – analyse the information your business collects as part of its day-to-day operations;
  • Step 2 – identify the purpose for which this information is used, and confirm that it is really needed by your business;
  • Step 3 – check that you have a lawful basis for collecting the information and for each purpose it is used for (consent is one such basis, but performance of a contract and compliance with a legal obligation are others);
  • Step 4 – check how this information is being stored and whether it is secure;
  • Step 5 – check that you are keeping this information for no longer than is strictly necessary, unless you have a legal obligation to retain it for a longer period of time;
  • Step 6 – consider how often you should review the information being held by your business to ensure that it is still needed and is accurate;
  • Step 7 – have a clear policy as to how you will dispose of the data obtained, and ensure that the destruction is overseen and recorded.

Once you have gone through these steps you will be in a better position to develop a data protection policy. Transparency is a fundamental principle of data protection law, and it is therefore vital that the persons who are providing their personal data are told, at the time it is collected:

  • That their personal data is being collected, and on what lawful basis;
  • How their personal data will be used;
  • Their rights to have personal data corrected, to be provided with copies of all personal data held by your business, and to have it removed and destroyed;
  • The details of your data retention policy.

How does my business dispose of data?

The ICO recommends that, for small businesses, ordinary deletion of electronic files and thereafter emptying the recycling bin will be sufficient. However, you should bear in mind that this does not completely erase data, which can often still be recovered using readily available data recovery programs. There are off-the-shelf products that will “wipe” hard drives, which can be used if the information is particularly sensitive or there is a risk of it being unlawfully accessed. Remember also that copies of the same data may survive in backups, so those should be covered by the same retention period. Hard copy documents should be shredded and disposed of securely.
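The following script is an added illustration and is not part of the original article or ICO guidance. It shows one way to put Steps 5 and 7 into practice on a folder of electronic records: every file older than the retention period is overwritten and removed, and each destruction is written to a log so that it is recorded. The folder layout, the seven-year (2555-day) period, the log format and the use of GNU shred are all assumptions for the sake of the example.

```shell
#!/bin/sh
# Added example (not from the original article): enforce a fixed retention
# period on a directory of records and keep a written record of each
# destruction. Paths, the 2555-day (7-year) period and the log format are
# assumptions chosen for illustration.

# retention_purge DIR DAYS LOG
# Destroy every regular file under DIR that has not been modified for more
# than DAYS days, appending one tab-separated line per file to LOG:
#   <UTC timestamp>  <method>  <path>
# GNU shred overwrites the contents before unlinking where it is available;
# otherwise the file is simply removed (see the caveat in the text).
retention_purge() {
    dir="$1"; days="$2"; log="$3"
    find "$dir" -type f -mtime +"$days" | while IFS= read -r f; do
        if command -v shred >/dev/null 2>&1; then
            shred -u -n 3 -- "$f"
            method="shred"
        else
            rm -f -- "$f"
            method="rm"
        fi
        printf '%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$method" "$f" >> "$log"
    done
}

# Self-contained demonstration on constructed data in a temporary directory.
# Prints the directory path so the caller can inspect the result and the log.
demo_retention() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/records"
    # Constructed sample records: one well past the retention period, one current.
    printf 'old customer record\n' > "$tmp/records/customer-2010.txt"
    printf 'current customer record\n' > "$tmp/records/customer-now.txt"
    # Backdate the old record's modification time to 1 Jan 2010 (POSIX touch -t).
    touch -t 201001010000 "$tmp/records/customer-2010.txt"
    retention_purge "$tmp/records" 2555 "$tmp/destruction.log"
    printf '%s\n' "$tmp"
}

# Usage: sh retention.sh --demo
# Runs the demonstration, prints the destruction log and cleans up.
if [ "${1:-}" = "--demo" ]; then
    d=$(demo_retention)
    cat "$d/destruction.log"
    rm -rf "$d"
fi
```

After the run, the 2010 record is gone, the current record is untouched, and the log holds one line naming the destroyed file, the method and the time, which is the evidence Step 7 asks you to keep. Two caveats for anyone using this for real: overwriting in place only reliably destroys data on traditional magnetic disks, whereas SSDs, journaling or copy-on-write file systems and cloud storage may keep older copies of the blocks, so on those systems the dependable control is to encrypt the data at rest and destroy the key, or to use the storage provider's own deletion process; and any backups of the folder are separate copies that need their own retention handling.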


Data Protection law is particularly complex. The definitions in the relevant Acts and Regulations have been drafted in extremely broad terms in order to cover a wide array of business and other organisations which may collect personal data. This complexity can often have a bewildering effect on a small business owner as they struggle to work out whether they are compliant with the law. A solid data protection and retention policy is therefore a must for any business.

Clear guidelines and processes within your business will make the management of data and compliance with the law much easier. If you are concerned and want to be certain that your business is compliant with the data protection laws you should consult a specialist lawyer who will analyse your business and advise you exactly on what your obligations are in terms of the Data Protection Act and whether there are any changes necessary to your existing policies or procedures.

This article is provided by Burlingtons for general information only. It is not intended to be and cannot be relied upon as legal advice or otherwise. If you would like to discuss any of the matters covered in this article, please contact Andrew Pike or write to us using the contact form below.
