The GDPR regulations do not set out the minimum or maximum periods for storing data. Each organisation has to determine the purpose of storing information and from there, determine how long they need the data for. Over time it is likely that benchmark periods per industry and data category will eventually be established.
The GDPR regulations state that “personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes”. This means that organisations will have to review the data which they are keeping and determine how long to keep it depending on the purpose of storing it. Personal data will need to be retained for different periods of time depending on its purpose. How long different categories of personal data are stored should be based on each business’s needs.
The GDPR regulations put the onus on the individual organisation to determine the storage times. The overriding message is that personal data must be kept for as short a period as is necessary for the purpose of storing it. This reduces the data privacy overheads for an organisation and reduces its liability in case of a data breach.
The appropriate retention period will depend on what the data is used for. However, the following factors are also relevant:
– what is the value of the data to the organisation now and in the future?
– what are the risks and liabilities associated with retaining the information?
– how easy is it to ensure the data remains accurate and up to date?
The GDPR regulations state that “Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.”
So while there is a valid reason to hold a person’s personal data, it is acceptable for an organisation to keep the data. However, when that purpose no longer exists, the data cannot be held ‘just in case’ a need arises.
- A company manufactures parts for cars. The company must know which customers have bought their parts in case safety issues arise with the parts and a recall is necessary. In this case, car manufacturers may need to recall their parts for up to twenty years (the maximum duration a normal road vehicle is used for). Therefore, the details of the sales of these parts can be stored for up to this period.
- A company stores CCTV footage of the inside of their premises for the purposes of recording any accidents or criminal incidents. In this case, health and safety accidents are normally reported within a few days and criminal incidents are often reported within a few weeks. It is therefore acceptable for the company to delete this information after one month.