The EU General Data Protection Regulation (GDPR), which applies from 25 May 2018, introduces stricter requirements on how long personal data may be retained. Organisations will need to be more considered and disciplined in their retention of individuals' personal data. This quick guide is designed to help you understand the retention principles.
What does the GDPR say about retaining personal data?
The emphasis under the GDPR is on minimisation, both in terms of the volume of data held about individuals (the data minimisation principle) and how long it is retained (the storage limitation principle).
To summarise the legal requirement, Article 5(1)(e) of the GDPR states that personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. Personal data may be stored for longer periods only insofar as it is processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, and then subject to appropriate technical and organisational safeguards for the rights of individuals.
Recital 39 of the GDPR states that the period for which personal data is stored should be limited to a strict minimum, and that the data controller should establish time limits either for deleting the records (referred to as erasure in the GDPR) or for a periodic review of whether they are still needed.
Organisations must therefore ensure that personal data is securely disposed of when it is no longer needed. This reduces the risk that the data becomes inaccurate, out of date or irrelevant, and it limits what can be exposed if the organisation suffers a breach, since data that has been erased cannot be lost or stolen.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the Data Protection Act 1998 or the other statutory measures referred to in the document.