How long can you keep personal data under UK GDPR?
The UK’s data protection regime places strict obligations on those who process personal data, including an obligation not to keep that data for longer than necessary. Keeping it longer is a breach of the UK GDPR and could lead to an investigation by the ICO (the UK’s supervisory authority).
If your organisation processes personal data, then careful consideration should be given to exactly what personal data is held by the business, what it does with the data and, of course, the lawful basis for doing so. Given the potentially severe sanctions and reprimands for non-compliance, organisations must be alert to all compliance obligations.
Much time and attention is given to lawfully obtaining personal data in the first instance. However, once a business has collected personal data fairly and lawfully, a further question follows: how long can it keep it?
Put simply, the UK GDPR sets no fixed time period. That the retention period is not fixed by law does not, however, allow a business to retain personal data indefinitely.
Article 5(1)(e) UK GDPR says:
“Personal data shall be:
…(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;…”
Recital 39 of UK GDPR says:
“…The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum…”
You cannot retain personal data for longer than it is actually needed. Rather than a fixed number of years, the permitted retention period is tied to the purpose of the processing and the type of data. Personal data that is no longer needed should be deleted or anonymised. It is therefore critical for each business to assess what personal data it holds and how long that data is needed for the specified purpose.
To support this assessment, the ICO recommends setting standard retention periods for each category of data. The document recording these periods is often referred to as a “Data Retention Policy” or “Records Management Policy”.
Do you need a Data Retention Policy?
Recital 39 of UK GDPR says:
“…In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review…”
In short, yes: a business should have a policy in place. It helps the business demonstrate that it has measures in place to meet its compliance obligations, and having no policy at all is itself something the ICO will criticise.
For example, in an enforcement notice issued to Clearview AI Inc, the ICO was critical of the company’s lack of a Data Retention Policy, stating: “Clearview does not have a data retention policy and hence cannot ensure that personal data is not held for longer than necessary.”
Once in place, the Data Retention Policy will help the business to regularly review the personal data it holds against the retention periods it has set. The ICO further recommends that the policy be flexible enough to allow for early deletion where data is no longer actually being used, rather than holding it until the standard period expires.
This can be a complicated area to navigate, with potentially severe consequences for getting it wrong. If you require assistance in preparing a data retention policy, or reviewing an existing one, please contact a member of the Commercial team who will be happy to assist.