Data Retention Periods

17 April 2024

Is your organisation storing personal data for too long? Our Data Protection and Privacy Team along with the Forensic Technology Team highlight the relevant considerations relating to data retention in line with the GDPR.

Many organisations struggle to set up a specific retention period for the personal data they process. It is not uncommon to encounter companies that seem to follow the “just in case” approach, storing their personal data for longer than required and, in certain circumstances, “forever”. This approach is not only a breach of the General Data Protection Regulation (“GDPR”), but it can also lead to many risks if the data is mishandled.

Storage Limitation Principle

The GDPR does not establish a recommended period to store personal data, which might lead to confusion; however, it does require to store it only for as long as it is a required. This principle is known as the Storage Limitation Principle, which underscores the importance of establishing clear retention periods for different categories of personal data, considering factors such as the nature of the data, the purposes for which it is processed, and any legal or regulatory requirements.

Retaining data for longer than it is needed carries real financial and reputational risks for an organisation. The most obvious risk relates to data breaches and data subject access requests. The more personal information an organisation holds and retains, the greater its exposure and potential liability if that information is disclosed or requested by a data subject.

Excessive data retention also has significant financial impacts for organisations. Storing, managing and maintaining redundant data and systems across an organisation can incur significant costs. By imposing constraints on data retention, organisations will be able to mitigate the risks including unauthorised access, misuse, or breaches of sensitive information.

Data retention obligations

A detailed examination of data retention under Article 5 GDPR outlines its importance in safeguarding individual privacy rights, ensuring regulatory compliance, and fostering responsible data management practices. Understanding your data retention obligations will also ensure your organisation complies with the following elements of the GDPR:

The principle of lawfulness, fairness, and transparency, which emphasises the importance of processing personal data in a manner that is compliant with legal requirements and respectful of individuals' rights. By establishing clear and transparent data retention policies, organisations demonstrate their commitment to ethical data handling practices, thereby enhancing trust and accountability.
Purpose limitation is a principle that mandates that personal data should be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. Accordingly, data retention practices should align with the purposes for which the data was originally collected, ensuring that personal data is not retained beyond what is necessary to fulfill those purposes. This principle also encompasses the concept of data minimisation, advocating for the collection and storage of only the minimum amount of personal data required for the intended purpose.
Data Accuracy mandates that personal data must be accurate and kept up to date. Organisations are required to take reasonable steps to ensure that inaccurate personal data is rectified or erased without delay, this is a key reason to ensure companies have a data erasure process in place.
The Right to Erasure (commonly known as the right to be forgotten) involves establishing clear retention periods and mechanisms for data deletion. Organisations must empower data subjects to exercise greater control over their personal data, enabling them to request the removal of their data once it is no longer necessary for the purposes for which it was collected. This not only enhances individuals' privacy rights but also fosters trust and transparency in the data processing ecosystem.

In summary

Adherence to data retention obligations is paramount for organisations to ensure compliance with the GDPR and demonstrate accountability in their data processing activities.

By implementing robust data retention policies and procedures, organisations can effectively manage the lifecycle of personal data, from collection to deletion, thereby minimising the risks of regulatory non-compliance, data breaches, and reputational damage. Moreover, compliance with data retention requirements serves as a tangible indicator of an organisation's commitment to protecting individual privacy rights and upholding the principles of GDPR.

How can KPMG Law help you?

Our aim in KPMG Law is to help our clients succeed in their privacy journey. Our team can support you by:

Reviewing your data management policies;
Ensuring your data retention schedules are in line with the storage limitation principle;
Reviewing the data retention clauses in any contracts with third parties;
Analysing your data retention practices ensuring compliance with the GDPR;
Assist with data identification, preservation, archival and/or deletion across your environment;
Advise on strengthening your organisation's information governance framework and capabilities;
Prepare data mapping process documentation to improve data privacy compliance; and
Assist in improving your processes in response to Data Subject Access Requests.