
Short answer: You may store personal data for as long as it is necessary to fulfill the purpose for which it was collected, and as long as you have a valid legal basis for processing. Once the purpose has been fulfilled or the legal basis is no longer valid, the data must be deleted or anonymized.

Are you in control of your personal data storage?

Secure storage of personal data is part of responsible data processing. Proper storage is essential to comply with data protection regulations such as GDPR and to prevent data breaches and misuse of sensitive information. Technical security measures and appropriate working routines together help to ensure that personal data is protected. This post explains how your company can store personal data in line with privacy regulations, and for how long.

Did you know that rapid response to data breaches can minimise long-term damages and costs associated with customer churn and lost trust?

- www.ponemon.org

What does GDPR say about data retention?

There are no specific, fixed timeframes in GDPR for how long you can keep personal data. However, the following principles from Article 5 of GDPR are aimed squarely at your data retention policies:

1. Storage limitation
The principle of storage limitation (Article 5(1)(e)) does what its name says: it limits how long companies keep data. You should keep personal data only as long as you need it for the purposes you disclosed at the time you collected it. After that, it should be deleted or anonymised. The one exception the article itself allows is longer storage solely for archiving in the public interest, scientific or historical research, or statistical purposes, and only with appropriate safeguards in place.

2. Data minimisation
Next, consider the principle of data minimisation (Article 5(1)(c)). It requires that the data you process is adequate, relevant and limited to what is necessary for your purposes, at all times. To comply with this principle you should periodically review the data you hold and delete anything you do not need.

3. Accountability
Finally, accountability (Article 5(2)) means you are responsible for tracking and protecting all the personal data you store for as long as you have it, and for being able to demonstrate that you comply with the principles above. Documenting, monitoring and protecting personal data you no longer need is a drain on your time and resources. Keeping unnecessary data around is messy and expensive, and it increases your risk and potential liability if something goes wrong: every record you hold is one more record that can be exposed in a breach.

FAQ about storing sensitive data

Can we store data “just in case”?
No. Under GDPR you may store personal data only for a specific, legitimate purpose that you identified when you collected it. Data with no current purpose has no legal basis and must be deleted or anonymised.

What if a customer withdraws their consent?
You must delete the personal data unless there is another valid legal basis for retaining it, for example a statutory obligation to keep bookkeeping records. In that case, keep only the data that basis actually requires, and use it only for that purpose.

Do we need to document our retention periods?
Yes. Accountability means you must be able to show why you keep each category of data and for how long, so have documented policies for the retention and deletion of personal data, and records showing that they are followed.

How long can you keep sensitive data?

The appropriate GDPR data retention period can vary based on the nature of the data and why you collected it. So, with the principles we’ve already discussed in mind, ask yourself the following questions:

  • Am I still using the data for the purposes I originally disclosed? Why did you collect the data, and are you still using it for that purpose? Once that purpose has been fulfilled, delete the data or anonymise it.
  • Do I really need all the information I’ve collected about this person? Identify the minimum amount of personal data you need to fulfil your purpose. Keep that much information, but no more. Pay special attention to sensitive personal data.
  • Did I get consent to use the data? Is the consent still valid? If processing is based on the individual’s consent, keep the data only as long as the consent is valid. If someone withdraws their consent, delete the data unless another valid legal basis requires you to keep it.
  • Do I need the data to fulfil a contract? If you process personal data as part of a contract, keep the data for the duration of the contract. Usually, you will also keep it for a reasonable, documented period after the contract ends, for example to handle complaints or claims.
  • Am I legally required to keep the data? For example, you may need to keep financial records for a set number of years for tax or other regulatory purposes. A legal obligation of this kind takes precedence over a withdrawal of consent or an erasure request, but it only justifies keeping the records the law actually requires.
  • Has the person asked me to delete their data? Be ready to delete or anonymise data when someone asks you to. This is the right to erasure, often called the right to be forgotten, one of GDPR’s 8 data subject rights that you must be ready to honour. It is not absolute: you may refuse where another legal basis, such as a statutory retention duty, requires you to keep the data, but you must tell the person why.
  • Is the data safe? Is keeping it increasing my liability? Remember, you are responsible for keeping data safe as long as you keep it. Holding onto data longer than necessary increases the risk of data breaches or misuse.

Here are a few less common reasons to justify keeping personal data:

  • Am I using the data for archiving, statistical or research purposes? Data processed solely for archiving in the public interest, scientific or historical research, or statistics may have longer retention periods, provided you apply appropriate safeguards such as pseudonymisation and restricted access.
  • Is keeping the data necessary to protect someone’s life? If so, keeping the personal data may be in the person’s vital interest. These are rare cases, for example, where an individual’s health or physical well-being is at immediate risk.

To begin with, consider all the factors listed above. Choose an appropriate retention period for each category of data, record the legal basis behind it, and explain it in your policies. Then check up on yourself and your employees regularly to make sure everyone sticks to it.
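The questions above form a decision procedure, and the order in which you ask them matters: a statutory retention duty outranks an erasure request, an erasure request outranks a still-valid consent, and data with no purpose at all goes regardless of basis. The following Python script is an added example of that procedure, not Safe Online's code or any tool the page describes. The record fields, the policy values (one year of post-contract grace, ten years for research data) and the sample records are all constructed assumptions; replace them with the categories and periods from your own documented policy.

```python
"""Retention review for personal-data records.

Added example, not Safe Online's code. Record fields, policy periods and
the sample records are constructed for illustration. Check order follows
the post: statutory duty > no purpose > erasure request > purpose
fulfilled > basis-specific clocks (consent, contract, research).
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class Basis(Enum):
    CONSENT = "consent"
    CONTRACT = "contract"
    LEGAL_OBLIGATION = "legal obligation"
    VITAL_INTEREST = "vital interest"
    RESEARCH = "research / statistics"


class Action(Enum):
    KEEP = "keep"
    DELETE = "delete"
    ANONYMISE = "anonymise"


@dataclass
class Record:
    subject_id: str
    purpose: Optional[str]          # None models data kept "just in case"
    basis: Basis
    collected: date
    purpose_fulfilled: bool = False
    consent_withdrawn: Optional[date] = None
    contract_ended: Optional[date] = None
    erasure_requested: bool = False
    statutory_retention_until: Optional[date] = None  # e.g. bookkeeping law (assumed)
    anonymisable: bool = False      # can the record serve its purpose without identifiers?


@dataclass
class Policy:
    """Documented retention periods; these values are assumptions, not GDPR rules."""
    post_contract_grace: timedelta = timedelta(days=365)
    research_max_age: timedelta = timedelta(days=10 * 365)


def _dispose(rec: Record, reason: str):
    # Anonymised data is no longer personal data, so it may stay; otherwise erase it.
    return (Action.ANONYMISE if rec.anonymisable else Action.DELETE), reason


def decide(rec: Record, policy: Policy, today: date):
    """Return (Action, reason) for one record on the given review date."""
    # 1. A statutory retention duty overrides withdrawn consent and erasure
    #    requests; the record is kept only for that duty, nothing else.
    if rec.statutory_retention_until and today <= rec.statutory_retention_until:
        return Action.KEEP, f"legal obligation until {rec.statutory_retention_until}"
    # 2. No purpose means no legal basis: "just in case" storage is removed.
    if rec.purpose is None:
        return _dispose(rec, "no specific purpose")
    # 3. Right to erasure, once no other basis blocks it.
    if rec.erasure_requested:
        return _dispose(rec, "erasure requested by data subject")
    # 4. Purpose achieved: storage limitation applies whatever the basis.
    if rec.purpose_fulfilled:
        return _dispose(rec, f"purpose '{rec.purpose}' fulfilled")
    # 5. Basis-specific clocks.
    if rec.basis is Basis.CONSENT and rec.consent_withdrawn:
        return _dispose(rec, f"consent withdrawn on {rec.consent_withdrawn}")
    if rec.basis is Basis.CONTRACT and rec.contract_ended:
        deadline = rec.contract_ended + policy.post_contract_grace
        if today > deadline:
            return _dispose(rec, f"post-contract grace period ended {deadline}")
    if rec.basis is Basis.RESEARCH and today - rec.collected > policy.research_max_age:
        return _dispose(rec, "research retention period exceeded")
    return Action.KEEP, f"still needed for '{rec.purpose}' ({rec.basis.value})"


def review(records, policy: Policy, today: date):
    """Run a retention review; returns {subject_id: (Action, reason)}."""
    return {r.subject_id: decide(r, policy, today) for r in records}


# Constructed sample records, reviewed on 2025-01-01.
TODAY = date(2025, 1, 1)
SAMPLE = [
    Record("u1", "newsletter", Basis.CONSENT, date(2023, 3, 1),
           consent_withdrawn=date(2024, 11, 5)),
    Record("u2", "invoicing", Basis.CONTRACT, date(2021, 6, 1),
           contract_ended=date(2023, 6, 1), erasure_requested=True,
           statutory_retention_until=date(2029, 12, 31)),
    Record("u3", "support", Basis.CONTRACT, date(2022, 1, 10),
           contract_ended=date(2023, 6, 1)),
    Record("u4", "hosting", Basis.CONTRACT, date(2022, 1, 10),
           contract_ended=date(2024, 9, 1)),
    Record("u5", "survey", Basis.CONSENT, date(2024, 2, 1),
           purpose_fulfilled=True, anonymisable=True),
    Record("u6", None, Basis.CONSENT, date(2019, 5, 5)),
    Record("u7", "cohort study", Basis.RESEARCH, date(2012, 1, 1)),
]

if __name__ == "__main__":
    for sid, (action, why) in review(SAMPLE, Policy(), TODAY).items():
        print(f"{sid}: {action.value:9} {why}")
```

Note the record for u2: the data subject has asked for erasure and the contract is long over, yet the script keeps the record because an (assumed) bookkeeping duty runs until the end of 2029. That is the precedence described in the FAQ above, and it is also the case that needs the most care in practice, because the retained data may then be used for the legal obligation only. Run the review on a schedule and keep its output as evidence for your accountability records.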


Your local data retention laws

Remember, GDPR provides only the framework for making data retention decisions. Individual EU member states can introduce their own specific retention rules, for example minimum periods for bookkeeping, employment or health records, and these often set the statutory retention periods mentioned above. Therefore, ask a legal professional or look up the data retention rules in your jurisdiction.


Find your files containing personal data

Many organisations do not know exactly how long they retain personal data, or where it sits. When data is stored longer than necessary, the risk of data breaches, misuse and fines increases. Would you like to know how much personal data you store, where it is located, and how long it has been kept?

At Safe Online, we offer a GDPR Risk Assessment that quickly gives you an overview of your data across systems. The assessment shows how old your documents, emails and images are, which of them contain personal information, and where there is a risk that data has been stored longer than necessary. This gives you a clear foundation for deleting, cleaning up and ensuring proper retention in compliance with GDPR.


Sebastian Allerelli
Founder & COO at Safe Online

Sebastian is the co-founder and COO of Safe Online, where he focuses on automating processes and developing innovative solutions within data protection and compliance. With a background from Copenhagen Business Academy and experience within identity and access management, he has a keen understanding of GDPR and data security. As a writer on Safe Online's Knowledge Hub, Sebastian shares his expertise through practical advice and in-depth analysis that help companies navigate the complex GDPR landscape. His posts combine technical insight with business understanding and provide concrete solutions for effective compliance.
