How long are you allowed to keep data under the GDPR? This is one of the questions that we get asked most by our clients on our legal helpline at Markel Law.
The GDPR does not provide fixed timescales for data retention. However, one of the core principles is that data must only be processed (which includes storing it) for as long as is necessary.
In making that judgement call you should consider your reasons for processing the data, and any legal obligations that you have in keeping that data for a fixed period.
If you do not need the data any longer, you should delete or anonymise the data. This also ties in with the requirement to have processes in place to be able to comply with an individual's right to be forgotten.
There is an exemption for keeping personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes. If you want to rely on this exemption, you must have appropriate safeguards in place to protect individuals, for example by pseudonymising (key coding) or encrypting the personal data.
Create and maintain a retention policy
The Information Commissioner's Office also suggests that it's good practice to create and maintain a policy to explain your standard retention periods, wherever possible.
In drafting a retention policy for your small business, I'd suggest that you consider the following headings:
- Aims of the policy;
- Internal responsibility for enforcing the policy and keeping it updated;
- Disposal methods of the data when no longer required;
- Lastly, and likely the most important part of the policy, a table that you create and complete with the following columns:
  - Type of record
  - Where is it stored?
  - Reason or justification
  - Method of deletion
In conclusion, keep in mind that you must provide individuals with certain information (called "privacy information"), at the time that you collect their personal data from them. This includes: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with.
Further details on "privacy information" can be found on the ICO website.
You must store data for the shortest time possible. That period should take into account the reasons why your company/organisation needs to process the data, as well as any legal obligations to keep the data for a fixed period of time (for example national labour, tax or anti-fraud laws requiring you to keep personal data about your employees for a defined period, product warranty duration, etc.).