Data retention, also called records retention, is the continued storage of an organisation's data for compliance or business reasons. The General Data Protection Regulation (GDPR) does not specify time limits for retention. However, the general principle is that data should only be kept for as long as it is needed. This is reflected in Article 5(1)(e) GDPR, also known as the storage limitation principle. This principle provides that even if personal data is collected fairly and lawfully, it cannot be kept longer than required to fulfil the purposes for which it was collected. Personal data may be kept for longer periods where it is archived in the public interest or for scientific or historical research, provided the data is appropriately anonymised or encrypted. Therefore, the onus is on the organisation to understand what data it holds, why it holds it, and where it no longer has an appropriate use for the data, whether it should be erased or anonymised.
Can an organisation keep data just in case?
Some organisations decide to retain data it no longer needs just in case it might be needed in the future. This is not a sufficient justification to retain data under GDPR. Adopting an approach of retaining data just in case leads to a risk that data will become irrelevant, excessive, inaccurate, or out of date. In turn, this increases the danger that such data will be used erroneously to the detriment of the data subject’s rights and the organisation’s reputation. Organisations also need to consider the costs associated with retaining unnecessary data, including storage and security expenses. Further, retaining unnecessary data may make an organisation’s daily operations more difficult. For example, organisations that frequently receive subject access requests will have a difficult task satisfying that request within the time limits where they must sift through large quantities of unnecessary data.
Data Retention Policies and Procedures
Putting in place retention policies and procedures can enable organisations to only retain data necessary for the purposes for which it is collected. Retention policies state what type of information is held by the organisation, what it is used for, and how long it should be retained. These policies establish standard retention periods for different categories of data the organisation holds and is extremely beneficial in maintaining GDPR compliance. In deciding on retention periods, organisations should consider any legal obligations imposed on them for retention, limitation periods for claims, organisational needs, and the quality of the data held. Any decision on retention periods should be proportionate. This means retention periods should appropriately balance the organisation’s needs against the impact of retention on individuals concerned.
Retention procedures ensure that data is destroyed appropriately and securely per the retention policies. This could be done in different ways depending on the organisation. A good example would be introducing an automated system which flags records for review or deletion after a set time limit. Retention policies could also include procedures for data sharing between two organisations including what happens when the data is no longer needed. This could contain procedures for the recipient returning all shared data to the supplier without keeping any copies. It could also include all organisations involved deleting any copies of any data shared between them where it is no longer needed.
Given some of the other drastic breaches of GDPR which could be committed by organisations, some might think cracking down on retention periods would be at the bottom of the list. However, this is far from reality. In 2019, a German real estate company was fined €14.5 million for retaining data regarding tenants that was no longer required and had no legal basis for being retained. Organisations need to take a proactive approach to understand what data is held, why, and whether it should still be held. Data retention principles must be prioritised across all organisations, not just those who process data on a large scale. Organisations need to meaningfully engage in reviewing the data they hold and shake off the attitude of keeping data “just in case”.
With PrivacyEngine, your organisation can get instant access to retention schedules for over 140 countries with over 100,000 periods defined. Not sure how long you can hold onto data for? PrivacyEngine instantly provides information on retention periods with one click of a button!
Learn how your organisation can comply with data retention requirements across multiple jurisdictions and critical business functions and also save time and money, by booking a meeting with a member of the PrivacyEngine team and discuss how our Data Retention Software is a match for you.
We’ve got more coming…
Want to hear from us when we add new articles? Sign up for our newsletter and we'll email you every time we release a new article, as well as other resources.