To stay within the law it’s crucial that we only collect the data that is necessary for our purposes, and that we only keep it for as long as we need it.

The requirements – that we limit processing strictly to our identified purposes and minimise the data we hold wherever possible – are part of a sea change in data protection practices (and we’re glad to be on board!).   ‘Data lakes’ (i.e. ‘keep it in case it is useful one day’) are a thing of the past!

Here are some examples of Process Purposes:

  • Providing a service to a client
  • Human resource administration
  • Administration of client accounts
  • Payroll
  • Marketing
  • Research & Development
  • Preparing for/against legal claims
  • Demonstrating our compliance with legal obligations
  • Corresponding with people

The organisation should never step outside the process purposes it discloses to Data Subjects in Privacy Notices or Consent Forms – your department already has measures in place to ensure this doesn’t happen, but if you are unsure: ask a manager or other responsible person before conducting any new type of processing.


Your responsibilities

You have a responsibility to ensure you do not use data for any purposes other than those defined in our established processes and procedures.  If you become aware of anyone else doing this, you have a duty to report this to someone within the organisation who has data protection responsibilities.

We also ask that you help us minimise the data that the organisation holds: so if you are aware of any personal data that is being kept longer than our Retention Policy provides for, please let us know so we can take action!

We also require that you read and comply with our policies as they relate to data protection.  There are quite a few of them (sorry about that), but we’ve done our best to keep them relevant and easy to understand (feedback always welcome!).


Minimisation means we have systems and processes in place to reduce the data we hold to only what is current and relevant.  So we have a specific retention period for each category of personal data and we know how long we expect to retain data for (and why).

Usually this is calculated by taking account of the following:

  • Duration of an engagement, such as a contract with a client or worker
  • Appropriate lengths of time before an account is considered lapsed
  • How long we need to keep the data for HMRC and other financial reporting obligations
  • Whether we need the data to protect ourselves from litigation