
How Long Can You Store Info?

Tagged with GDPR HELP, GDPR ADVICE, GDPR
by Adam Brogden
in Blog

24-Sep-2019 12:06

I have this debate every day. How long can you store information on data subjects? The problem is there is no hard and fast rule. The GDPR Article 5(1)(e) says:

“1. Personal data shall be: (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)”

Take a look at this info from the ICO:

__________________________________________________________________________________________________________________________________________________

You shouldn't keep data for longer than you need it, even if it is collected and processed fairly and lawfully. The GDPR principle says that you can keep anonymised data for as long as you want. In other words, you can either delete or anonymise the personal data once you no longer need it. Instead of an exemption for research purposes, the GDPR principle specifically says that you can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes (and you have appropriate safeguards).

New documentation provisions mean that you must now have a policy setting standard retention periods where possible.

There are also clear links to the new right to erasure (right to be forgotten). In practice, this means you must now review whether you still need to keep personal data if an individual asks you to delete it.

  • You must not keep personal data for longer than you need it.

  • You need to think about, and be able to justify, how long you keep personal data. This will depend on your purposes for holding the data.

  • You need a policy setting standard retention periods wherever possible, to comply with documentation requirements.

  • You should also periodically review the data you hold, and erase or anonymise it when you no longer need it.

  • You must carefully consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data.

  • You can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes.

__________________________________________________________________________________________________________________________________________________

The key to this is that GDPR does not set out a specific time limit on how long to store data. Each organisation can set their own, depending on how long they need the data and their purposes. You must remember to document these decisions and they must, above all, be reasonable. Just imagine that you are sat face to face with the ICO police having to justify why you kept that data indefinitely. Are you sure this is going to sound reasonable?

Good luck all.