Organisations in the professional services sector – such as law firms, financial advisers, accountancy practices or healthcare providers – gather, process and store vast amounts of highly sensitive data.
Much of that data is subject to a variety of regulatory requirements that, in many cases, extend across borders, adding a further layer of complexity. For many organisations, it might seem that the easiest route to compliance is to treat all data the same way: apply a single blanket policy, set a standard deletion timeline and move on.
However, this creates two distinct problems in practice:
- It can drive up storage costs by unnecessarily retaining data beyond any legitimate purpose.
- You risk losing track of data that must be kept beyond the blanket period, or indefinitely, because a statutory, regulatory or contractual obligation requires it.
Neither outcome is defensible to a regulator. Fortunately, a structured, documented approach to data retention is achievable for organisations of any size. It starts with understanding what data you hold and why.
Statutory data retention periods are the floor, not the ceiling
Where legislation prescribes a defined retention period for a particular category of data, that period is obviously the minimum you must adhere to. However, it doesn’t necessarily have to be your maximum.
Your organisation might have legitimate operational reasons to hold data for longer – although those reasons must be documented and kept under active review.
This is an important discipline. Operational use of data changes over time and a retention period that’s justifiable today might not be justifiable in three years. By recording the rationale and building in a review mechanism, you can create the flexibility to adjust your approach as circumstances change, rather than defaulting to indefinite retention because no one got round to reviewing it.
How much longer data is held beyond the statutory minimum is ultimately an operational decision, which should be informed by the purpose for which the data was originally collected and your organisation’s continuing use of it to achieve that purpose. Vague justifications like “we might need it one day” won’t satisfy the regulators – or your own data governance team.
Recording your organisation’s data processing activities
Before your organisation can make sensible decisions about data retention, it needs to know what data it actually holds. That is where well-maintained ROPAs (records of processing activities) become indispensable.
Under both the UK and EU GDPR (General Data Protection Regulation), most organisations are required to maintain such a record (Article 30); the exemption for organisations with fewer than 250 employees is narrow and does not apply where processing is likely to result in a risk to individuals, is not occasional, or involves special category or criminal offence data.
However, beyond mere compliance, ROPAs are a genuinely useful management tool. They tell you what personal data you process, the purpose of and lawful basis for that processing, who has access to the data, where it’s stored and whether it’s shared with third parties or transferred internationally.
This information should directly inform retention decisions. If you can’t articulate the purpose for which data was collected, you can’t determine how long you can reasonably keep it. ROPAs are particularly critical in areas where there is no statutory retention period to fall back on – which, in practice, covers a wide range of business records.
Building a data retention schedule
Once you have clear ROPAs in place, the next step is to create a data retention schedule. This should list every category of data record your organisation holds, alongside:
- What the records are used for;
- The retention period that applies;
- The reason for that retention period (whether statutory, regulatory, contractual or operational); and
- How the records will be disposed of securely when the time comes.
It’s also worth building in a review step before secure disposal. If there’s a justifiable reason to continue holding the data beyond the retention period, that decision needs to be recorded in the schedule – not simply acted upon informally. This creates an auditable trail that demonstrates your organisation is actively managing its data, rather than just passively accumulating it.
The schedule shouldn’t be a one-off exercise, either. It needs to be reviewed regularly and updated whenever new data types are introduced or existing processing activities change.
Managing data retention when your tools fall short
One challenge that comes up repeatedly across professional services firms is that the software they rely on might not support data retention the way they need it to. Functionality might be absent, limited or simply not configurable to match your organisation’s data retention obligations.
Where this is the case, you face a risk-based decision. If a tool doesn’t support data retention natively, there are workarounds – for example, maintaining a retention schedule in a spreadsheet and manually deleting records when periods expire. These approaches require discipline and resourcing, but they can be effective.
The broader question for any organisation in this position is: what is your data protection compliance risk appetite?
Clearly defining this allows you to assess how comfortable you are operating with non-compliant or partially compliant tools, and to identify the mitigations you need to put in place to reduce your exposure.
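As an added example (not from the original article and not a GRC Solutions tool), the manual sweep described above written as a small Python script. It holds a constructed retention schedule and a handful of constructed records, computes each record's expiry date, defaults to disposal once the period has run, and only accepts a hold that has both a documented reason and a future review date. The categories, retention periods, record identifiers and dates are all hypothetical; a real schedule would be maintained alongside the ROPA and the periods would come from the legal and operational analysis described earlier.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed retention schedule: category -> (retention period in days, basis for it).
# Periods are illustrative only, not real obligations. Day counts are a simplification;
# a production schedule would express periods in months or years and handle them exactly.
SCHEDULE = {
    "client_engagement_file": (365 * 6, "statutory"),
    "marketing_consent": (365 * 2, "operational"),
    "recruitment_unsuccessful": (180, "operational"),
}

# Fixed sweep date so the example is reproducible.
SWEEP_DATE = date(2025, 6, 1)


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date                       # when the retention clock started, e.g. matter closed
    hold_reason: Optional[str] = None        # documented reason to keep it past the period
    hold_review_date: Optional[date] = None  # when that reason must be re-justified


@dataclass
class Decision:
    record_id: str
    action: str            # retain | dispose | hold | review_hold | unknown_category
    expiry: Optional[date]
    note: str


def assess(record: Record, schedule: dict, today: date) -> Decision:
    """Decide what to do with one record on the day of the sweep."""
    entry = schedule.get(record.category)
    if entry is None:
        # Unclassified data is exactly the data that ends up retained by accident.
        return Decision(record.record_id, "unknown_category", None,
                        "category missing from schedule; classify before deciding")
    days, basis = entry
    expiry = record.trigger_date + timedelta(days=days)
    if today < expiry:
        return Decision(record.record_id, "retain", expiry, f"within {basis} period")
    # Past the scheduled period: the default is disposal unless a hold is documented.
    if not record.hold_reason:
        return Decision(record.record_id, "dispose", expiry,
                        "period expired, no documented hold")
    if record.hold_review_date is None or record.hold_review_date <= today:
        # A reason without a live review date is not "kept under active review".
        return Decision(record.record_id, "review_hold", expiry,
                        "hold has no review date or it has passed; re-justify or dispose")
    return Decision(record.record_id, "hold", expiry,
                    f"held: {record.hold_reason}; review by {record.hold_review_date.isoformat()}")


def sweep(records, schedule, today):
    """Assess every record in the tool's export against the schedule."""
    return [assess(r, schedule, today) for r in records]


def audit_lines(decisions, today):
    """One line per record for the audit trail: the decision and the reason for it."""
    return [f"{today.isoformat()} {d.record_id} {d.action} expiry={d.expiry} {d.note}"
            for d in decisions]


# Constructed sample records (hypothetical identifiers, categories and dates).
SAMPLE_RECORDS = [
    Record("R1", "client_engagement_file", date(2021, 3, 10)),
    Record("R2", "marketing_consent", date(2022, 1, 20)),
    Record("R3", "recruitment_unsuccessful", date(2024, 10, 1),
           hold_reason="ongoing tribunal claim", hold_review_date=date(2025, 12, 31)),
    Record("R4", "recruitment_unsuccessful", date(2024, 6, 1),
           hold_reason="might need it one day"),     # no review date: not an acceptable hold
    Record("R5", "legacy_crm_export", date(2019, 5, 5)),  # not in the schedule at all
]


def run_sample():
    """Run the sweep over the constructed records; returns record_id -> action."""
    return {d.record_id: d.action for d in sweep(SAMPLE_RECORDS, SCHEDULE, SWEEP_DATE)}


if __name__ == "__main__":
    for line in audit_lines(sweep(SAMPLE_RECORDS, SCHEDULE, SWEEP_DATE), SWEEP_DATE):
        print(line)
```

Two design points matter here. First, the script never silently retains: a record past its period with no documented reason comes out as "dispose", and a reason with no review date (or a lapsed one) comes out as "review_hold", which forces the review step the schedule section calls for rather than letting "we might need it" stand indefinitely. Second, the audit lines are the evidence that the data was actively managed; in practice you would keep them with the schedule and tie the "dispose" action to the actual deletion in the tool, so the trail and the deletion cannot drift apart.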
There’s also an ethical dimension that’s worth reflecting on. Personal data relates to real people and the way any organisation manages – or fails to manage – that data has real consequences for the individuals concerned. Ethical practice may require going further than compliance obligations.
Being in a strong position to respond to regulatory scrutiny
The key to sound data retention practice can be summarised simply:
- Know what data you have;
- Know why you have it; and
- Actively delete what you no longer need.
Organisations that can demonstrate all three are in a strong position if they face regulatory scrutiny. Those that can’t will find it difficult to mount a credible defence, even if their practices are broadly reasonable.
Where to start
If your organisation is building its data retention framework from scratch – or reviewing one that has grown organically and may have gaps – the priority is to get the foundations in place.
For smaller organisations, our GDPR Toolkit includes ready-to-use templates for all three: a Record of Processing Activity, a Data Retention Policy and a Data Retention Procedure. These provide a structured starting point that can be adapted to your organisation’s specific circumstances, sectoral obligations and risk profile.
For organisations with more complex needs, such as multiple jurisdictions, layered regulatory obligations or significant volumes of sensitive data, a tailored approach is likely to be more appropriate. Our GDPR and Data Privacy Consultancy Services provide expert support in mapping your data flows, building your ROPAs, establishing defensible retention periods and putting the governance structures in place to keep your compliance posture current.
About the author
Louise Brooks is the head of privacy consultancy at GRC Solutions. She started her career in law, became the first compliance officer for Worldwide Fund for Nature, and joined the RSPCA as its head of data protection.
Now, she advises organisations on data protection laws, helping them fulfil their privacy obligations while continuing to meet their business objectives.