How long are you allowed to keep data under the GDPR? This is one of the questions that we get asked most by our clients on our legal helpline at Markel Law. 

The answer

The GDPR does not provide fixed timescales for data retention. However, one of the core principles is that data must only be processed (which includes storing it) for as long as is necessary.

In making that judgement call you should consider your reasons for processing the data, and any legal obligations that you have to keep that data for a fixed period.

If you do not need the data any longer, you should delete or anonymise the data. This also ties in with the requirement to have processes in place to be able to comply with an individual's right to be forgotten.  

There is an exemption for keeping personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes. If you want to rely on this exemption, you must have appropriate safeguards in place to protect individuals; for example, consider pseudonymisation (key coding) or encryption of the personal data.

Create and maintain a retention policy

The Information Commissioner's Office also suggests that it's good practice to create and maintain a policy to explain your standard retention periods, wherever possible. 

In drafting a retention policy for your small business, I'd suggest that you consider the following headings:

  • Introduction; 
  • Aims of the policy;
  • Internal responsibility for enforcing the policy and keeping it updated;
  • Disposal methods of the data when no longer required;
  • Lastly, and likely the most important part of the policy, a table that you create and complete with the following information:
      • Type of record;
      • Retention period;
      • Where is it stored?;
      • Reason or justification;
      • Method of deletion.

In conclusion, keep in mind that you must provide individuals with certain information (called "privacy information") at the time that you collect their personal data from them. This includes: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with.

Further details on "privacy information" can be found on the ICO website.
