Data Retention Policy
Under General Data Protection Regulations 2018 (GDPR 2018) it is a requirement to minimise the retention of data and create retention policies for all data types.
The retention policy is a tool used to ensure the retention of business information for as long as it is needed. It is to consider the context within which the company operates, including the legal and regulatory environment and for compliance with the fifth data protection principle and the expectations of stakeholders.
- 5th Data Principle
‘Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.’
The Secretary will assign relevant retention periods across the charity, enabling disposal activity to be carried out in a consistent and controlled manner.
5. Retention Periods
The following table details the retention periods for different information types, but these must be appropriate for each office and should be verified before adoption.
|Document Type||Where stored||Retention Period before destruction||When to be reviewed|
|Accounting records||Electronic copies on password-protected Trustee personal computers, paper copies at registered address.||6 Years||Annually|
|Supporter – PII (Personal Identifiable Information)||Electronic copies on password-protected Trustee personal computers.||3 months from withdrawal of consent||At Trustee Meetings as standing agenda item|
|Financial Supporter – PII (Personal Identifiable Information)||Electronic copies on password-protected Trustee personal computers, paper copies at registered address.||6 years from last transaction||Annually|
The Secretary is the owner of this document and is responsible for ensuring that this procedure is reviewed in line with the review requirements of the GDPR.