Complying with the GDPR's Storage Limitation Principle

One of the core principles of the GDPR is the storage limitation principle. This principle means that you must not retain personal data for any longer than you need it in light of the purpose or purposes for which it was originally obtained.

Complying with this principle requires you to determine suitable retention periods for all personal data collected, held, and processed by your organisation. Some of these periods will be pre-determined by law, but many will not be. You must, therefore, think carefully about how long you will truly need personal data and keep track of it once you have it. Reviewing your retention of that data after acquiring it will also be important.

Establishing a lawful basis for processing personal data is an important first step, and connects directly to your chosen purpose or purposes for using the personal data in question. The data minimization principle requires you to ensure that you do not collect more personal data than is necessary with such purposes in mind, and you must ensure that the personal data is accurate and not misleading. Add to that the existence of key data subject rights such as the right of access, the right to rectification, and the right to erasure (aka the ‘right to be forgotten’) and it becomes clear how closely interlinked the GDPR’s various provisions are. Keeping personal data for only as long as it is needed, therefore, helps to ensure compliance with far more than just the storage limitation principle alone.

New Guide to the Storage Limitation Principle

Our existing Data Retention Policy template is now joined by a new set of Data Retention Guidance Notes. This new guide has been designed to explain the storage limitation principle in more detail, and includes observations on how it connects with other important parts of the GDPR, further underlining the benefits of complying with it.

Practical tips are also included, with a particular focus on the secure deletion of electronic data and pointers on the often-overlooked life of the paper document. Despite numerous predictions of the paperless office over the decades, paper records remain very much a part of modern business, and must be handled just as carefully as their electronic brethren when it comes to data protection.

The GDPR has been in effect for a year and a month now, and even if you were fully ready and compliant on day one, now is the ideal time to review your compliance, evaluating the success of your data protection measures, and looking for improvements throughout your business. So don’t delay, start looking again at your personal data retention today!