How long can you keep personal data under UK GDPR?
The UK’s data protection regime places strict obligations on those who process personal data, to ensure that they do not process that data for longer than necessary.
If your organisation processes personal data, then careful consideration should be given to exactly what personal data is held by the business, what it does with the data and, of course, the lawful basis for doing so. Given the potentially severe sanctions and reprimands for non-compliance, organisations must be alert to all compliance obligations.
Much time and attention is given to lawfully obtaining data in the first instance. However, once a business has collected personal data fairly and lawfully, there are significant questions that follow.
Is there a maximum time you can keep personal data under UK GDPR?
Put simply, there is no fixed time period set out in the UK GDPR. However, while the retention period is not a precise period, this by no means allows for a business to retain personal data indefinitely.
Article 5(1)(e) UK GDPR says:
“Personal data shall be:
…(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;…”
Recital 39 of UK GDPR says:
“…The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum…”
You cannot retain the personal data longer than it is actually needed. Rather than a fixed number of years, how long data can be retained is closely tied to the use and type of data. Any personal data no longer needed should be deleted or anonymised. To that extent, it is critical for each business to assess what data they hold and how long the data is needed for the specified purpose.
To do so, the ICO recommends setting standard retention periods. This is often referred to as a “Data Retention Policy” or “Records Management Policy”.
Do you legally need a Data Retention Policy?
Recital 39 of UK GDPR says:
“…In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review…”
In short, yes, a business should have a policy in place. It will help the business demonstrate they have measures to meet the compliance obligations.
For example, in an enforcement notice issued by the ICO, they were critical of Clearview AI Inc for its lack of Data Retention Policy, stating “Clearview does not have a data retention policy and hence cannot ensure that personal data is not held for longer than necessary.”
Once in place, the Data Retention Policy will assist the business to regularly review the personal data that is held. The ICO further recommends the policy should be flexible enough to allow for early deletion where data is not actually being used.
How long can a company keep data about you?
Just as you cannot keep personal data for longer than is actually needed, other companies must follow the same procedures. There is no universal maximum period under UK GDPR, but this does not mean that a company has an open-ended right to keep your personal data.
The ICO’s position is clear: organisations must think about, and be able to justify, how long they need to keep personal data. Once the data is no longer required for the relevant purpose, it should be erased or anonymised, if not, it could lead to severe sanctions and reprimands for non-compliance.
What happens if you keep personal data for too long?
Keeping personal data for longer than necessary would result in a breach of the UK GDPR, which could lead to an investigation by the ICO (our supervisory authority). It may also call into question whether the organisation is complying with the wider accountability obligations under UK GDPR, because controllers must be able to demonstrate compliance with the data protection principles.
The risks are not merely administrative. If an organisation cannot justify the continued retention of personal data, it may face complaints from individuals and regulatory scrutiny from the ICO. The ICO has a range of enforcement powers available to it, including warnings, reprimands, enforcement notices and penalty notices. For serious breaches of the data protection principles, the ICO can issue fines of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher.
Need help?
This can be a complicated area to navigate, with potentially severe consequences for getting it wrong. If you wish to learn more about data protection, you can read it about it in more detail on our website.
If you require assistance in preparing a data retention policy, or reviewing an existing one, please contact a member of the Commercial team who will be happy to assist.