Data Retention Under the GDPR – A Brief Study on Challenges Posed to Organisations

  • Conference: 12th TCD Law Student Colloquium at School of Law, Trinity College Dublin, Ireland

Societies are becoming increasingly dependent on digital information technologies, and technological developments are radically changing how personal data is collected, processed and stored by private organisations. To help protecting one’s privacy, individuals now have a set of privacy rights, namely, the ‘right to erasure’.

The GDPR principle of storage limitation, expressed in Article 5(1)(e) GDPR and, likewise, in Article 5(4)(e) of Modernised Convention 108, determines that data must be erased (or anonymised) when their purposes have been served and as such, organisations must create the necessary organisational and technological measures to allow a periodical review of personal data. Article 5(1)(e) GDPR states that data should be held for “no longer than is necessary”. Conceptually, by not providing an exact data retention timescale, the GDPR risks creating uncertainty around one crucial business operational question:-“how long can one organisation legitimately retain personal data for”? The author intends to answer this question by resorting to contemporary authoritative case law, and offer an avenue to the resolution of this important issue for legal practice and organisations, via the adoption of a methodical, holistic and pragmatic approach to GDPR. The author will also look at some consequences of organisations’ inadequate data storage management practices-with negative implications for the rights and freedoms of individuals-by establishing a link to the rise of personal data fraud, as well as the rise of criminal cyber-attacks on businesses, which continue to grow. A novel approach to the legal issue is proposed by the author: the implementation of a “pro-active” personal data retention programme (PDRP), to be conducted under the GDPR’s principles of ‘security’, ‘data minimisation’, ‘storage limitation’ and ‘time limitation’, and anchored on strong organisational policies, including standard retention periods.

Access full paper here.