Data storage
- What types of data need more protection?
- How do I know if personal data is high risk or sensitive?
- How long should I store data?
- What’s the best way to destroy documents?
- What data protection responsibilities do I still have, even if my business is closing down?
- I'm closing down my small business. Do I have to let people know I’ll no longer be holding their data?
What types of data need more protection?
There are some types of personal data that are likely to be more sensitive known as special category data under the UK GDPR.
This includes personal data revealing or concerning:
- racial or ethnic origin;
- political opinions;
- religious or philosophical beliefs;
- trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- health;
- a person’s sex life; and
- a person’s sexual orientation.
If you’re processing any of these types of data, you should give particular consideration to how and why the data is used, and make sure you only use it when it’s absolutely necessary.
How do I know if personal data is high risk or sensitive?
You’re probably already familiar with the types of personal data that are generally considered high risk or sensitive based on how you feel about sharing it when it’s about you or someone in your care.
For example, many of us would be cautious about sharing information about our medical history, political opinions, or sexual orientation. But if asked for our email address, we’d probably be less concerned. It would depend on who is asking and what we think might happen to the data.
Data protection law takes this idea and makes some firm rules about the types of data that need more protection, which are known as the ‘special categories’ of personal data.
Outside of these special categories, knowing whether personal data is high risk or sensitive also partly depends on the risk of that data falling into the wrong hands, which your risk assessment - will help you to work out.
How long should I store data?
You should only keep personal data for as long as you need it. There aren’t any set time limits in data protection law because it depends on your situation.
Think about why you collected people’s personal information in the first place and the reason you’re processing it, known in data protection law as your lawful basis for processing. You must think about, and be able to justify, how long you need to keep it, and this will depend on your reasons for having it.
For example, Claire collected Bill’s name and address to give him a quote on having his house redecorated. Bill contacts her and explains that he’s changed his mind and doesn’t want the job doing anymore. Claire has no reason to keep Bill’s details any longer and deletes them.
Where possible, you’ll also need a policy which sets out how long you keep data for and why. When you no longer need personal data for the reason you collected it, make sure you destroy it securely or anonymise it.
However, if another law says you must keep certain records for a set period, then you should do so. In the example above, Claire may need to keep details of payments she has received from customers for when she is completing her tax returns.
What’s the best way to destroy documents?
Data protection law doesn't say exactly how you should destroy documents that you no longer need. But you need to make sure it’s done securely and in a way that means the information can't be recovered by anyone else.
For example, shredding documents instead of putting them into general waste makes it much more difficult for someone to see information they’re not authorised to see, either accidentally or deliberately.
We’ve produced a short guide on practical methods for destroying documents that are no longer needed which includes tips on how to destroy electronic files securely and has been written with small organisations in mind.
What data protection responsibilities do I still have, even if my business is closing down?
Even if your business is closing down, that business continues to be the controller of the personal data of your customers, clients, and other people you did business with, and data protection laws still apply.
The term ‘data controller’ or ‘controller’ refers to the organisation, business or company that decides why and how people’s personal information is handled. It can be a limited company, or a sole trader and all the different types of companies in between. It’s a legal entity rather than a person who works at the organisation, business, or company.
In practice, if a business is liquidated or goes into administration, it’s unlikely to be the person who used to own the business who carries on making practical decisions to do with the closure. More likely, the liquidator or administrator becomes the new most senior member of staff, and they will take over all key decisions.
Of course, not all businesses that close go into liquidation or administration. Sometimes a business owner may want to stop doing business. Generally speaking, if you still have a legal obligation to continue holding data for a length of time, your business will continue to be the controller of that personal data and data protection laws still apply.
This includes continuing your registration with the ICO unless you’re exempt.
For example, Brian is retiring as a GP and closing his practice. The British Medical Association requires GPs to retain patient records for set periods of time. As Brian must retain this data, and as they’re electronic records, Brian isn’t exempt from having to register with the ICO. He must therefore arrange for his registration to continue.
Even if your business is in good health, it’s good practice to draw up a plan for what should happen to any personal data you need to hold if you stop trading. Your plan could include:
- the personal data you’ll need to keep;
- why you’ll need to keep that data, such as for tax reasons or other legal obligations;
- how and where the data will be stored securely, either by you or a third-party organisation;
- how the data can be accessed if needed;
- how long you need to keep the data;
- your plans for ensuring the data stays accurate where necessary; and
- how you’ll destroy the data securely when the time comes.
I'm closing down my small business. Do I have to let people know I’ll no longer be holding their data?
Yes, if you can. It’s good practice to let people know your business is closing down and you’re not holding their data any longer. This shows people that you value their information even when you no longer need it. It also allows them time to raise any concerns or requests with you.
For some businesses, this will be straightforward and won’t take long. For others, it’s easier said than done. If you’re in this position, it’s a balance between the effort it would take to let them know and, based on the type of information you hold about them, how important it is to contact them.
For example, you might not be able to contact your customers easily because you no longer have access to their information. If the information you hold is sensitive personal data, such as medical information, then there may be more of a necessity to try and contact them than if the information you hold is limited to name and address details. But this should be an exception, rather than a rule, and you’ll need to be confident you can justify your decision.
You can contact us if you’re unsure what to do in your situation.