Data Protection and Storage Limitation Guide

One of the core principles of the GDPR is the storage limitation principle. This principle means that you must not retain personal data for any longer than you need it in light of the purpose or purposes for which it was originally obtained.

Complying with this principle requires you to determine suitable retention periods for all personal data collected, held, and processed by your organisation. Some of these periods will be pre-determined by law, but many will not be. You must, therefore, think carefully about how long you will truly need personal data and keep track of it once you have it. Reviewing your retention of that data after acquiring it will also be important.

When you decide personal data is no longer needed, it must be deleted or otherwise disposed of, or rendered ‘non-personal’ using a suitable anonymization process.

These Data Retention Guidance Notes have been designed to explain the GDPR’s storage limitation principle in more detail, including how that principle ties in with other key elements of data protection law. Practical tips are also offered on compliance, particularly with regard to the safe deletion and/or disposal of personal data that is no longer needed, both in electronic and hardcopy forms.

Reference is also made in this document to a Data Retention Policy. To download our Data Retention Policy template, please click here.

These Data Retention Guidance Notes contain the following parts:

Introduction
1. Purpose and Lawful Basis
2. Data Minimization
3. Keeping Data Accurate and Up-to-Date
4. Storage Limitation
5. After the Retention Period
6. Conclusions

Once you have purchased access to the appropriate document folder click on the “Download Document” link below. You will be asked what you want to do with the file. It is recommended that you save the document to a location of your choice prior to viewing.