
Keeping personal data for when you need it

Secure storage of personal data is part of responsible data processing. Storing it properly is essential both to comply with data protection regulations such as the GDPR and to prevent data breaches and misuse of sensitive information. Security measures and sound work routines help to keep personal data protected. This post is about how you, as a company, keep personal data in line with privacy regulations, and in particular how long you keep it.


GDPR data retention requirements

There are no specific, fixed timeframes in GDPR for how long you can keep personal data. However, the following GDPR principles are aimed squarely at your data retention policies:

  • Storage limitation
  • Data minimisation
  • Accountability

The principle of storage limitation is stated in its name: it limits how long companies keep data. You should keep personal data only as long as you need it for the purposes you disclosed when you collected it. After that, delete it or anonymise it.

Then, consider the principle of data minimisation. It emphasises the importance of processing as little data as possible for your purposes, at all times. Therefore, to comply with this principle you should periodically review the data you hold, and delete anything you don’t need. 

Meanwhile, accountability means you are responsible for tracking and protecting all the personal data you store, as long as you have it. Documenting, monitoring, and protecting personal data you no longer need is a drain on your time and resources. Basically, keeping unnecessary data around is messy and expensive. Further, it increases your risk and potential liability if something goes wrong.

How long to keep data

The appropriate GDPR data retention period can vary based on the nature of the data and why you collected it. So, with the principles we’ve already discussed in mind, ask yourself the following questions:

  • Am I still using the data for the purposes I originally disclosed? Why did you collect the data? Are you still using it for that purpose? Once that purpose has been fulfilled, delete the data or anonymise it.
  • Do I really need all the information I’ve collected about this person? Identify the minimum amount of personal data you need to fulfil your purpose. You should keep that much information, but no more. Pay special attention to sensitive personal data.
  • Did I get consent to use the data? Is the consent still valid? If your processing rests on the individual's consent, keep the data only as long as that consent is valid. If someone withdraws consent, delete the data unless you have another lawful basis for keeping it, such as a statutory retention obligation.
  • Do I need the data to fulfil a contract? If you process personal data as part of a contract, keep the data for the duration of the contract. Usually, you will also keep it for a reasonable period after the contract ends.
  • Am I legally required to keep the data? For example, you may need to keep financial records for a set number of years for tax or other regulatory purposes.
  • Has the person asked me to delete their data? Be ready to delete or anonymise data when someone asks you to. This is the right to erasure, also called the right to be forgotten, one of the 8 data subject rights under GDPR that you must be ready to honour. It is not absolute: where a legal obligation requires you to keep the data, that obligation takes precedence.
  • Is the data safe? Is keeping it increasing my liability? Remember, you are responsible for keeping data safe as long as you keep it. Holding onto data longer than necessary increases the risk of data breaches or misuse.

Here are a few less common reasons to justify keeping personal data:

  • Am I using the data for archiving in the public interest, or for scientific, historical or statistical purposes? Data processed for these purposes may be kept longer, provided you apply appropriate safeguards such as pseudonymisation.
  • Is keeping the data necessary to protect someone’s life?  If so, keeping the personal data may be in the person’s vital interest. These are rare cases, for example, where an individual’s health or physical well-being is at immediate risk.

Consider all the factors above, choose an appropriate retention period for each category of data, and document it in your retention policy. Then check up on yourself and your employees regularly to make sure everyone sticks to it.
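The questions above are, in effect, a decision procedure, and the periodic review is easiest to enforce when it is automated. The following is an added example written for this post, not code from Safe Online or DataMapper. The Record fields, the sample records, the one-year post-contract window and the order in which the rules are applied are all assumptions; the one legal point it encodes is that a statutory retention obligation takes precedence over an erasure request or withdrawn consent.

```python
"""Retention decision engine for the checklist above (added example, not
Safe Online's or DataMapper's code). Record fields, sample data, the
one-year post-contract window and the rule ordering are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed: how long to keep data after a contract ends. The limitation
# period for claims is jurisdiction-specific; check local law.
CONTRACT_GRACE = timedelta(days=365)


@dataclass
class Record:
    """One personal-data holding and the facts that decide its retention."""
    subject: str
    basis: str                                 # "consent", "contract" or "legitimate_interest"
    collected: date
    purpose_fulfilled: Optional[date] = None   # disclosed purpose is done as of this date
    consent_withdrawn: Optional[date] = None
    contract_ended: Optional[date] = None
    erasure_requested: bool = False
    legal_hold_until: Optional[date] = None    # statutory retention, e.g. bookkeeping rules


def decide(rec: Record, today: date) -> tuple[str, str]:
    """Return ("keep" | "delete", reason). "delete" means delete or anonymise."""
    # 1. A statutory retention obligation overrides the other questions,
    #    including an erasure request or withdrawn consent.
    if rec.legal_hold_until is not None and today <= rec.legal_hold_until:
        return "keep", f"legally required until {rec.legal_hold_until.isoformat()}"
    # 2. Right to erasure, once no legal hold applies.
    if rec.erasure_requested:
        return "delete", "erasure request and no remaining legal obligation"
    # 3. Consent-based processing ends when consent is withdrawn.
    if rec.basis == "consent" and rec.consent_withdrawn is not None:
        return "delete", f"consent withdrawn {rec.consent_withdrawn.isoformat()}"
    # 4. Contract data: keep for the contract plus an assumed grace period.
    if rec.basis == "contract":
        if rec.contract_ended is None:
            return "keep", "contract still running"
        if today > rec.contract_ended + CONTRACT_GRACE:
            return "delete", f"contract ended {rec.contract_ended.isoformat()}, grace period over"
        return "keep", "within post-contract grace period"
    # 5. Any other basis: keep only until the disclosed purpose is fulfilled.
    if rec.purpose_fulfilled is not None and today >= rec.purpose_fulfilled:
        return "delete", f"purpose fulfilled {rec.purpose_fulfilled.isoformat()}"
    return "keep", "purpose still active"


def review(records: list[Record], today: date) -> list[tuple[str, str]]:
    """Periodic review (data minimisation): subjects due for deletion, oldest first."""
    due = []
    for rec in sorted(records, key=lambda r: r.collected):
        action, reason = decide(rec, today)
        if action == "delete":
            due.append((rec.subject, reason))
    return due


# Constructed sample inventory; the subjects and dates are invented.
TODAY = date(2024, 6, 1)
SAMPLE = [
    Record("newsletter-1", "consent", date(2021, 3, 1), consent_withdrawn=date(2024, 5, 20)),
    Record("customer-7", "contract", date(2019, 1, 15), contract_ended=date(2022, 12, 31)),
    Record("customer-8", "contract", date(2023, 9, 1)),
    Record("invoice-42", "contract", date(2018, 4, 1), contract_ended=date(2018, 6, 1),
           erasure_requested=True, legal_hold_until=date(2024, 12, 31)),
    Record("survey-3", "legitimate_interest", date(2023, 1, 1),
           purpose_fulfilled=date(2023, 3, 1)),
]

if __name__ == "__main__":
    for subject, reason in review(SAMPLE, TODAY):
        print(f"{subject}: delete ({reason})")
```

Run against the sample, the review flags customer-7, newsletter-1 and survey-3, while invoice-42 is kept despite the erasure request because its bookkeeping hold runs to the end of 2024; rerun with a date in 2025 and it is flagged too. The point of the ordering is that the legal-hold check comes first, so a reviewer cannot accidentally honour an erasure request that the law does not allow, and every "delete" carries the reason you would need for your accountability records.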


Your local data retention laws

Remember, GDPR provides only the context for making data retention decisions. Individual EU member states can introduce their own specific data retention rules and regulations. Therefore, consider asking a legal professional or looking up rules of data retention in your jurisdiction.

Want to discover the age of your data?

Indeed, many companies do not know how long they keep personal data. But keeping data too long, after you no longer need it, can put you at risk for data breaches and fines. So, would you like to find out how much personal data you store, where you store it, and how long you’ve had it?

At Safe Online, we have developed DataMapper to let you quickly make an inventory of a company’s data. With DataMapper you get statistics on how old your files, emails and pictures are, making it easy for you to focus on data you may have kept for too long.

Sebastian Allerelli
Founder & COO at Safe Online
Governance, Risk & Compliance Specialist
