Data Retention Policy

Data Retention Policy

1.       Overview

Under General Data Protection Regulations 2018 (GDPR 2018) it is a requirement to minimise the retention of data and create retention policies for all data types.

2.       Purpose

The retention policy is a tool used to ensure the retention of business information for as long as it is needed. It is to consider the context within which the company operates, including the legal and regulatory environment and for compliance with the fifth data protection principle and the expectations of stakeholders.

  1. 5th Data Principle

‘Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.’

4.       Scope

The Secretary will assign relevant retention periods across the charity, enabling disposal activity to be carried out in a consistent and controlled manner.

5.       Retention Periods

The following table details the retention periods for different information types, but these must be appropriate for each office and should be verified before adoption.

Document Type Where stored Retention Period before destruction When to be reviewed
Accounting records Electronic copies on password-protected Trustee personal computers, paper copies at registered address. 6 Years Annually
Supporter – PII (Personal Identifiable Information) Electronic copies on password-protected Trustee personal computers. 3 months from withdrawal of consent At  Trustee Meetings as standing agenda item
Financial Supporter – PII (Personal Identifiable Information) Electronic copies on password-protected Trustee personal computers, paper copies at registered address. 6 years from last transaction Annually

6.       Approval

The Secretary is the owner of this document and is responsible for ensuring that this procedure is reviewed in line with the review requirements of the GDPR.