General Data Protection Regulation (GDPR)

Accountability under the GDPR

Businesses subject to the General Data Protection Regulation (GDPR) are accountable for their handling of people's personal information.

The accountability principle requires them to be able to demonstrate, and often document, the manner in which they comply with data protection law. See more on data protection principles under the GDPR.

If you process personal data as part of your business, it is important that you consider carefully and document all decision making in respect of your processing.

What documentation do I need under the GDPR?

For example, you may have to:

  • analyse your existing data protection processes for gaps against the new GDPR requirements - see GDPR data audit checklist
  • review and update your internal policies and procedures to ensure they are fit for purpose, including your:
    • data protection policy
    • privacy notice - see privacy notices under the GDPR
    • staff training policy
    • information security policy
    • data protection impact assessment procedure
    • retention of records procedure
    • subject access request form and procedure
    • privacy procedure and notice
    • international data transfer procedure
    • data portability procedure
    • complaints procedure
  • carry out a data protection impact assessment
  • keep relevant documents on how and why you process data
  • design new products or services with data protection compliance in mind
  • in certain circumstances, appoint a data protection officer
  • review and revise the way you capture, record and maintain consent – see consent under the GDPR

In practice, achieving GDPR compliance and transparency will involve revising, and possibly amending, your data protection wording across your internal and external policies, websites, online application forms, supplier agreements, call centre scripts, application forms, employment contracts, proposal documents, renewal notices, annual account statements and possibly many other parts of your business.

Find out more on accountability and governance under the GDPR and specifically about documentation requirements.

How long can I keep an individual's personal data?

The General Data Protection Regulation brings in stricter requirements around the retention of personal data. It explicitly states that you must keep personal data 'no longer than is necessary for the purposes for which the personal data is processed'. It doesn't, however, specify how long is 'longer than necessary'.

Statutory retention periods may apply to some types of data records - for example, you must keep P60s and P45s for at least six years - but for most other records, you can exercise your discretion.

The GDPR puts emphasis on data minimisation, both of the volume of data stored and how long you retain it. You should therefore keep the data:

  • for the least amount of time that you can
  • in accordance with the requirements of your business
  • stored securely while it is in your possession
  • until it reaches the appointed deletion time

Remember, the GDPR requires businesses and organisations to demonstrate, for each category of personal data, why they keep it and the reasons behind the length of retention. Make sure that your retention policy is considered, proportional to your needs, and properly adhered to.

You can use our GDPR compliance checklist to work through the steps involved in complying with the new regulation.

This guide aims to help you understand GDPR and your obligations under the law, but it does not constitute legal advice. For definitive legal guidance, see the ICO's guide on GDPR or consider getting independent legal advice.