Storage limitation is a fundamental principle of the GDPR and of most other data protection legislation. For data protection to work properly it is not enough to limit data collection; you also need to get rid of data that you no longer need.
In addition to being a regulatory requirement, holding less data reduces the number of people whose data is exposed, and the reputational damage you suffer, if you experience a data breach. So make sure you only collect the data you need and keep it only as long as is necessary for what you intend to do with it.
It is also worth noting that you have to state in your privacy notices how long you will retain personal data or, where that is not possible, the criteria used to determine that period.
How long can you keep personal data?
Every organisation's processing activities look different, so do not simply copy a data retention policy you find online. There are several factors you need to take into account when determining how long personal data can be retained by your organisation.
You need to set the retention times before the data collection begins. If you are unable to determine the exact retention time, you need to at least set the criteria that will be used to determine it. Setting retention times is not a one-time exercise: you should review them regularly to make sure that they are still up to date.
Setting up a data retention policy
There are limits within which you have to operate in order to be compliant. Broadly speaking, to set an appropriate retention period for each specific purpose, you must ask yourself the following questions:
- Is your organisation under an obligation under national law to keep the records concerned for a specific period of time?
- How long will you need the information to be able to initiate or defend possible future legal claims according to national law? (The statutory limitation periods)
- How long is it necessary for your organisation to retain the personal data to achieve the purposes it is used for? (The broad obligation under the GDPR)
Obligations under national law
Where a legal obligation applies to keep a particular category of records for a specific period of time, you of course need to keep the relevant records for at least the prescribed period. There are numerous legislative provisions under which you need to retain specific categories of records.
Be aware that these obligations are specific to your national law, so make sure to look into which legislative obligations apply to you. For example, here you can find a list of statutory mandated retention times in the UK.
Statutory limitation periods
The second criterion is the time limit within which a person is entitled to bring proceedings against your organisation. These limitation periods are set out in the relevant legislative acts. Conducting a risk assessment will help you narrow down the claims, and therefore the statutory limitation periods, you may be confronted with. So ask yourself: what kinds of claims could be brought against your organisation?
In many jurisdictions, criminal proceedings can be initiated up to 10 years after the fact (or sometimes even longer), depending on the jurisdiction and the crime.
In comparison, civil-law claims such as personal injury, breach of contract or defamation have shorter time limits for commencing proceedings. For employment cases, for example, the limit depends on the type of claim and is typically between 2 and 5 years after the end of the employment.
Depending on where you are, you may also want to add an additional year to the statutory limitation period when setting your retention times. This covers the period during which proceedings that have already been issued may still be served on you.
Obligations under the GDPR
Once you are done with the first two steps of the retention assessment, you should turn to the broad principle contained in the GDPR. Art. 5(1)(e) GDPR prohibits you from keeping personal data for longer than is necessary for the purpose(s) for which you obtained it. You are not allowed to store personal data on a "just in case" basis, unless there are objective and reasonable grounds for expecting that the information may be required. You should interpret this exception very narrowly and rely on it only if really needed.
Do not only consider how long you think you need the personal data; also consider what the reasonable expectations are of the affected individuals. This is a factor that you should not neglect when setting retention times.
There are certain circumstances in which your organisation may be advised, or may even be required, to retain certain records even though the applicable retention period has already expired. Examples are where your organisation is contemplating or has already commenced litigation, or where it is subject to an investigation or an audit.
However, these are exceptional cases. Wherever possible, stick to the general principle that your organisation must destroy personal data records once the determined retention period has expired and it is no longer necessary to keep them for the purpose(s) for which you obtained them.
What to do when the retention time has expired
Once the retention time expires and you cannot justify why you still hold the personal data, you need to either anonymise or delete it. If you still need to keep the personal data, you must also be able to justify why you need to keep it in a form that permits identification of individuals. In most cases this will not apply, and you will have to anonymise or delete the data.
Anonymisation means that it is no longer possible to identify the individual from the data. This often requires aggregating the data to ensure compliance. Merely removing names or replacing identifiers with a hash or token is pseudonymisation, not anonymisation: the data remains personal data and the retention obligation still applies to it.
Deleting the personal data means that you completely purge it, including copies held in backups, logs and exports. You cannot merely archive it and restrict access to it.
Make sure that the anonymisation or deletion happens in all the systems involved in the processing, so check with your data processors that the data is also deleted on their side. Before you engage a new data processor, check that their retention and backup policies are in line with your own data retention policy. You remain responsible for the processors you engage with regard to the processing they carry out on your behalf.
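The three retention questions above (statutory obligation, limitation period plus a service year, and necessity for the purpose), the legal-hold exception and the anonymise-or-delete step can be enforced as a scheduled job rather than a manual review. The following Python script is an added example and is not code from the article; the purposes, retention periods and records in it are constructed and hypothetical, not legal advice for any jurisdiction. It computes a per-purpose retention period as the longest justified ground, keeps records still within that period or under legal hold, purges the rest, and for purposes marked "anonymise" keeps only counts and totals per country, suppressing any bucket that would describe a single person.

```python
"""Retention enforcement over constructed records (illustrative example, not the article's code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass(frozen=True)
class RetentionRule:
    """Retention inputs for one processing purpose, all in days (hypothetical values)."""
    purpose: str
    statutory_days: int        # national-law obligation to keep the record (0 if none)
    limitation_days: int       # statutory limitation period for the claims you assessed
    service_grace_days: int    # extra time to cover service of proceedings (e.g. 365)
    necessity_days: int        # how long the purpose itself needs the data
    on_expiry: str             # "delete" or "anonymise"

    def retention_days(self) -> int:
        # Keep the record as long as the longest justified ground requires, and not longer.
        return max(self.statutory_days,
                   self.limitation_days + self.service_grace_days,
                   self.necessity_days)


@dataclass
class Record:
    id: str
    purpose: str
    collected: date
    subject_id: str            # directly identifies the individual
    fields: dict = field(default_factory=dict)
    legal_hold: bool = False   # pending litigation, investigation or audit


def retention_deadline(rule: RetentionRule, collected: date) -> date:
    return collected + timedelta(days=rule.retention_days())


def enforce_retention(records, rules, today, min_group=2):
    """Return what to keep, what to purge, and identity-free aggregates."""
    kept, deleted, suppressed = [], [], []
    buckets = defaultdict(lambda: {"records": 0, "amount_total": 0})
    for r in records:
        rule = rules.get(r.purpose)
        if rule is None:
            # No rule means there is no documented justification for holding the data.
            raise ValueError(f"no retention rule for purpose {r.purpose!r} (record {r.id})")
        if today < retention_deadline(rule, r.collected):
            kept.append(r.id)          # still within the justified retention period
            continue
        if r.legal_hold:
            kept.append(r.id)          # exceptional case: litigation, investigation, audit
            continue
        if rule.on_expiry == "anonymise":
            # Keep only coarse, non-identifying attributes; subject_id and name are dropped.
            b = buckets[r.fields.get("country", "unknown")]
            b["records"] += 1
            b["amount_total"] += r.fields.get("amount", 0)
        deleted.append(r.id)           # the identifiable record is purged either way
    aggregates = {}
    for key, b in buckets.items():
        # A bucket describing a single person is not anonymous: suppress small cells.
        if b["records"] >= min_group:
            aggregates[key] = b
        else:
            suppressed.append(key)
    return {"kept": kept, "deleted": deleted, "aggregates": aggregates, "suppressed": suppressed}


# Hypothetical retention rules; the periods are illustrative, not legal advice.
RULES = {
    "invoicing": RetentionRule("invoicing", 365 * 6, 365 * 6, 365, 365 * 2, "anonymise"),
    "newsletter": RetentionRule("newsletter", 0, 0, 0, 365 * 2, "delete"),
}

# Constructed sample data.
SAMPLE_RECORDS = [
    Record("inv-1", "invoicing", date(2016, 1, 15), "s1", {"name": "A", "country": "DE", "amount": 100}),
    Record("inv-2", "invoicing", date(2016, 3, 1), "s2", {"name": "B", "country": "DE", "amount": 50}, legal_hold=True),
    Record("inv-3", "invoicing", date(2020, 1, 1), "s3", {"name": "C", "country": "DE", "amount": 70}),
    Record("inv-4", "invoicing", date(2015, 6, 1), "s4", {"name": "D", "country": "FR", "amount": 200}),
    Record("inv-5", "invoicing", date(2016, 2, 1), "s5", {"name": "E", "country": "DE", "amount": 30}),
    Record("nl-1", "newsletter", date(2022, 1, 1), "s6", {"email": "a@example.com"}),
    Record("nl-2", "newsletter", date(2023, 1, 1), "s7", {"email": "b@example.com"}),
]


def run_sample(today=date(2024, 6, 1)):
    return enforce_retention(SAMPLE_RECORDS, RULES, today)


if __name__ == "__main__":
    print(run_sample())
```

Run on the sample with today set to 2024-06-01, the invoicing rule works out to 2555 days (six years of limitation period plus the service year outweighs the six-year statutory minimum and the two-year operational need), so three invoices are expired and folded into the German aggregate while the single French invoice is suppressed rather than reported, the invoice under legal hold is retained despite expiry, and the expired newsletter subscription is simply deleted. A record whose purpose has no rule raises an error, because a retention period you cannot state is a retention period you cannot justify.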