One of the core principles of the GDPR is the storage limitation principle.
This principle means that you must not retain personal data for any longer
than you need it in light of the purpose or purposes for which it was
Complying with this principle requires you to determine suitable retention
periods for all personal data collected, held, and processed by your
organisation. Some of these periods will be pre-determined by law, but many
will not be. You must, therefore, think carefully about how long you will
truly need personal data and keep track of it once you have it. Reviewing
your retention of that data after acquiring it will also be important.
When you decide personal data is no longer needed, it must be deleted or
otherwise disposed of, or rendered ‘non-personal’ using a suitable
These Data Retention Guidance Notes have been designed to explain the
GDPR’s storage limitation principle in more detail, including how that
principle ties in with other key elements of data protection law. Practical
tips are also offered on compliance, particularly with regard to the safe
deletion and/or disposal of personal data that is no longer needed, both in
electronic and hardcopy forms.
Reference is also made in this document to a Data Retention Policy. To
download our Data Retention Policy template, please click here.
These Data Retention Guidance Notes contain the following parts:
1. Purpose and Lawful Basis
2. Data Minimization
3. Keeping Data Accurate and Up-to-Date
4. Storage Limitation
5. After the Retention Period
Once you have purchased access to the appropriate document folder click on
the “Download Document” link below. You will be asked what you want to do
with the file. It is recommended that you save the document to a location
of your choice prior to viewing.