One of the core principles of the GDPR is the storage limitation principle.
This principle means that you must not retain personal data for any longer
than you need it in light of the purpose or purposes for which it was
Complying with this principle requires you to determine suitable retention
periods for all personal data collected, held, and processed by your
organisation. Some of these periods will be pre-determined by law, but many
will not be. You must, therefore, think carefully about how long you will
truly need personal data and keep track of it once you have it. Reviewing
your retention of that data after acquiring it will also be important.

Establishing a lawful basis for processing personal data is an important
first step, and connects directly to your chosen purpose or purposes for
using the personal data in question. The data minimization principle
requires you to ensure that you do not collect more personal data than is
necessary with such purposes in mind, and you must ensure that the personal
data is accurate and not misleading. Add to that the existence of key data
subject rights such as the right of access, the right to rectification, and
the right to erasure (aka the ‘right to be forgotten’) and it becomes clear
how closely interlinked the GDPR’s various provisions are. Keeping personal
data for only as long as it is needed, therefore, helps to ensure
compliance with far more than just the storage limitation principle alone.

New Guide to the Storage Limitation Principle

Our existing Data Retention Policy template is now joined by a new set of
Data Retention Guidance Notes. This new guide has been designed to explain
the storage limitation principle in more detail, and includes observations
on how it connects with other important parts of the GDPR, further
underlining the benefits of complying with it.

Practical tips are also included, with a particular focus on the secure
deletion of electronic data and pointers on the often-overlooked life of
the paper document. Despite numerous predictions of the paperless office
over the decades, paper records remain very much a part of modern business,
and must be handled just as carefully as their electronic brethren when it
comes to data protection.

The GDPR has been in effect for a year and a month now, and even if you
were fully ready and compliant on day one, now is the ideal time to review
your compliance, evaluate the success of your data protection measures,
and look for improvements throughout your business. So don’t delay:
start looking again at your personal data retention today!

The contents of this Newsletter are for reference purposes only and do not constitute
legal advice. Independent legal advice should be sought in relation to any specific