17 April 2024

Is your organisation storing personal data for too long? Our Data Protection and Privacy Team along with the Forensic Technology Team highlight the relevant considerations relating to data retention in line with the GDPR.

Many organisations struggle to set up a specific retention period for the personal data they process. It is not uncommon to encounter companies that seem to follow the “just in case” approach, storing their personal data for longer than required and, in certain circumstances, “forever”. This approach is not only a breach of the General Data Protection Regulation (“GDPR”), but it can also lead to many risks if the data is mishandled.

Storage Limitation Principle

The GDPR does not establish a recommended period for storing personal data, which might lead to confusion; however, it does require that personal data be stored only for as long as it is required. This principle is known as the Storage Limitation Principle, which underscores the importance of establishing clear retention periods for different categories of personal data, considering factors such as the nature of the data, the purposes for which it is processed, and any legal or regulatory requirements.

Retaining data for longer than it is needed carries real financial and reputational risks for an organisation. The most obvious risk relates to data breaches and data subject access requests. The more personal information an organisation holds and retains, the greater its exposure and potential liability if that information is disclosed or requested by a data subject.

Excessive data retention also has significant financial impacts for organisations. Storing, managing and maintaining redundant data and systems across an organisation can incur significant costs. By imposing constraints on data retention, organisations will be able to mitigate risks such as unauthorised access, misuse, or breaches of sensitive information.

Data retention obligations

A detailed examination of data retention under Article 5 GDPR outlines its importance in safeguarding individual privacy rights, ensuring regulatory compliance, and fostering responsible data management practices. Understanding your data retention obligations will also ensure your organisation complies with the following elements of the GDPR:

In summary

Adherence to data retention obligations is paramount for organisations to ensure compliance with the GDPR and demonstrate accountability in their data processing activities.

By implementing robust data retention policies and procedures, organisations can effectively manage the lifecycle of personal data, from collection to deletion, thereby minimising the risks of regulatory non-compliance, data breaches, and reputational damage. Moreover, compliance with data retention requirements serves as a tangible indicator of an organisation's commitment to protecting individual privacy rights and upholding the principles of GDPR.

How can KPMG Law help you?

Our aim in KPMG Law is to help our clients succeed in their privacy journey. Our team can support you by:

Contact the team

Emma Ritchie

Head of Data Protection & Privacy

Rory Byrne

Associate Director
KPMG in Ireland

Conor Dixon

Senior Associate