Gone are the days when a company's inventories and properties were regarded as the most important assets of the business. Now, in this information age, data is considered the most valuable asset of an organisation. The IT Audit experts at GCS Malta discuss what to consider when creating a data retention policy.

Data is collected and stored with every transaction a company enters into with a customer. Organisations are always responsible for ensuring that the data they store is safe and secure, whether it is kept as a hard copy or stored digitally. Since the implementation of the General Data Protection Regulation (GDPR), it is now even more critical for organisations to safeguard their data, be it customer or employee data. Given this change, organisations should develop a data retention policy aligned with the GDPR or any legal requirement they are subject to.

4 Factors to consider when creating an audit data retention policy:

When creating an audit data retention policy, the following should be considered:

  1. The purpose of collecting data

Organisations should only collect data based on the need of the company, not for the sake of collecting data in case it will be needed in the future. Documenting that need also serves as the proof that justifies the purpose of collecting the data.

  2. The extent of processing the collected data

Customers or clients should also be informed of the extent to which their data will be used. Data should be processed only for the purpose it is collected for.

  3. The period of how long the data will be kept

Data should be kept and stored for the shortest time possible, considering the purpose of processing the data and any regulatory requirements.

  4. The disposal of data when it is no longer needed

The organisation should establish time limits to erase or review its data. Personal data may be kept for a more extended period, provided that appropriate measures are in place, like data anonymisation.

Organisations will need effective mechanisms to ensure compliance with the data retention requirements. Complying with these requirements will also discourage organisations from storing the data long-term.

Why GCS Malta?

At GCS Malta, our team of professional auditors can assist you with data retention and several other services, from ad-hoc investigations to due diligence reviews. Contact us today for more information.

Article by Ericka Roxas