Retention of Records Policy

1 Scope

All We Dig Media’s records, whether analogue or digital, are subject to the retention requirements of this procedure. We aim to collect the absolute minimum data required to perform our work.

2 Responsibilities

The Directors are the asset owners. Asset owners are responsible for ensuring that all personal data is collected, retained and destroyed in line with the requirements of the GDPR.

2.1 The following roles are responsible for retention of these records because they are asset owners

2.2 Asset owners are responsible for ensuring that all personal data is collected, retained and destroyed in line with the requirements of the GDPR

2.3 The Directors are responsible for retaining:

2.3.1 Accounting and tax related information

2.3.2 All personal records pertaining to staff

2.3.3 All statutory and regulatory information for compliance

2.3.4 All data from clients

2.3.5 Retained records included in business continuity and disaster recovery plans

3 Procedure

3.1 The required retention records by record type are recorded under the following categories

3.1.1 Emails containing personal data will be destroyed once their purpose has been achieved. For example, sending an e-newsletter will require us to update mailing lists; any data sent via email will be destroyed once the database is updated. Files from a Data Controller may be downloaded onto a work PC in order to add to a MailChimp database

3.1.2 The retention period in this scenario is short: all personal data will be deleted from both email and the work PC as soon as the task is complete

3.1.3 The sort of data expected in this scenario will be name and email address – we would not anticipate receiving any further information from the Data Controller

3.1.4 We retain no hard copies of this data

3.1.5 Longer term, where that information is updated to MailChimp for e-newsletter purposes, we guarantee with the Data Controller that all information gathered has explicit consent for the purposes of receiving emails

3.2.1 Information gathered via Google Analytics and MailChimp capture services will be shared only with the Data Controller

3.2.2 Explicit consent is sought through our websites’ privacy and cookies policies to capture data, including IP addresses, location and habits on the website

3.2.3 The sort of data we would collect is IP addresses, location and habits on the website. We retain this information to inform our clients/Data Controllers how to improve the functioning of their website and how to improve the end user experience. This information is retained in a secure Google Analytics account. We manage the risk by ensuring the information is as depersonalised as possible. Google themselves are actively working towards compliance with new regulations. (More on Google’s work to become compliant with the GDPR)

3.2.4 We share generic reports with the Data Controller only; these include data on numbers looking at a page, opening a newsletter and other data relevant only to improving the website experience for the end user. No personal data is shared in any way eg

3.2.5 We utilise MailChimp to send e-newsletters because they are working towards compliance with the GDPR and are compliant with current data protection law in the EU. (More on MailChimp’s work to become compliant with the GDPR)

3.3.1 Email addresses and other personal information collected through websites

3.3.2 All our websites with contact forms have SSL certificates

3.3.3 All information collected through the websites is collected with implicit consent and with clear instruction of the purpose

3.3.4 In most cases this information is not retained on the website; the system emails the information directly to the Data Controller

3.3.5 In the instances where we retain information on behalf of the Data Controller, it is retained solely on their website in an encrypted format which is protected. This is purely for backup purposes and is available on request by the Data Controller

This policy was approved by the Board of Directors on 23/03/2018 and is issued on a version-controlled basis under the signature of the Directors.