Data retention under GDPR

Both the EU General Data Protection Regulation (GDPR) and the UK’s Data Protection Act 2018 brought in stricter requirements regarding how long personal data may be retained. Organisations have now a duty to be more considered and disciplined in their retention of individuals’ personal data.
The contemporary data protection law emphasis on “data minimisation” (both on volume of data stored on individuals and for how long such data can be retained).


Article 5 (e) of the GDPR brings together the legal principles relating to data retention by stating that personal data shall be kept for no longer than is necessary for the purposes for which it is being processed.
Article 5 (e) of the GDPR also identifies the circumstances when personal data may be retained for longer than necessary for the purposes for which it is being processed: “personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’).”
Recital 156 GDPR decodes “archiving purposes in the public interest, scientific or historical research purposes or statistical purposes” in the following manner:

• The processing (…) should be subject to appropriate safeguards for the rights and freedoms of the data subject pursuant to this Regulation.
• The further processing of personal data (…) is to be carried out when the controller has assessed the feasibility to fulfil those purposes by processing data which do not permit or no longer permit the identification of data subjects, provided that appropriate safeguards exist (such as, for instance, pseudonymisation of the data).

Recital 156 GDPR decodes “Processing for statistical purposes” in the following manner:
• Statistical purposes mean any operation of collection and the processing of personal data necessary for statistical surveys or the production of statistical results.
• Those statistical results may further be used for different purposes, including a scientific research purpose.
• The statistical purpose implies that the result of processing for statistical purposes is not personal data, but aggregate data, and that this result ‘on the personal data are not used in support of measures or decisions regarding any particular natural person’.

In addition, Recital 39 GDPR decodes, in a clear and concise manner, the limits imposed by Article 5 GDPR (personal data shall be kept for no longer than is necessary for the purposes for which it is being processed), by stating that “the period for which the personal data is stored should be limited to a strict minimum and that time limits should be established by the data controller for deletion of the records (referred to as erasure in the GDPR) or for a periodic review.”

This means that organisations must ensure personal data is securely disposed of when no longer needed, which will also reduce the risk that it will become inaccurate, out of date or irrelevant.
It is the clear intention of the legislator to make sure that organisations’ retention policies ensure that they meet the ‘data minimisation’ and ‘storage limitation’ principles and that personal information is stored, archived and destroyed compliantly and ethically. This view is reinforced by ICO guidance on “Storage limitation”.

The GDPR does not set specific time limits for different types of data, but it makes organisations responsible for determining on how long they need the data for their specified purposes, taking in consideration the following factors:

• Personal data held for too long will, by definition, be unnecessary.
• Organisations are unlikely to have a lawful basis for retention.
• From a more practical perspective, it is inefficient to hold more personal data than an organisation needs, and there may be unnecessary costs associated with storage and security.
• Organisations must also respond to subject access requests for any personal data they hold. This may be more difficult if they are holding old data for longer than they need.
• Good practice around storage limitation – with clear policies on retention periods and erasure – is also likely to reduce the burden of dealing with queries about retention and individual requests for erasure.
The ICO offers guidance on how organisations should set retention periods, based on their purposes for processing, reminding us, however, that organisations must also be able to justify why they need to keep personal data in a form that permits identification of individuals.

Example:
“A bank holds personal data about its customers. This includes details of each customer’s address, date of birth and mother’s maiden name. The bank uses this information as part of its security procedures. It is appropriate for the bank to retain this data for as long as the customer has an account with the bank. Even after the account has been closed, the bank may need to continue holding some of this information for legal or operational reasons for a further set time.”

Another important insight offered by the ICO is the one regarding how long can organisations keep personal data for archiving, research or statistical purposes.

“Although the general rule is that you cannot hold personal data indefinitely ‘just in case’ it might be useful in future, there is an inbuilt exception if you are keeping it for these archiving, research or statistical purposes.”
“This must be your only purpose. If you justify indefinite retention on this basis, you cannot later use that data for another purpose – in particular for any decisions affecting particular individuals.”

As we can see by the above example, the approach adopted was to keep the data for a “further set of time”, as personal data retention must be, by force of the law, time-limited. Organisations must thus take a proportionate approach, balancing their needs with the impact of retention on individuals’ privacy. Retention of the data must also always be fair and lawful.