Personal data must not be kept for longer than you need it. The UK GDPR does not set a specific period for data retention, as different organisations will have different requirements and different reasons that will determine the period for which they store personal data.
It is therefore for you to determine how long to keep the particular types of personal data that you collect. In some cases, other rules and regulations will set specific retention periods, but this will often not be the case. You must also be able to justify your chosen retention period.
You should document your data retention periods in a suitable policy to ensure that all staff handling personal data know what to do with each type of personal data used by your business.
Even once retention periods have been established, it is good practice to periodically review the personal data you hold. It may be that you no longer need data that you had originally decided should be kept for much longer.
Individual data subjects also have rights in this regard, in particular the right to erasure. If a data subject questions your retention of their personal data and it turns out that you do not have a valid reason to keep that data, they can exercise that right and you must erase (or otherwise dispose of) the data in question.
Note also that there are some limited exceptions which permit you to keep personal data for longer, such as public interest reasons, archiving, research for scientific or historical purposes, or for statistical purposes. In a small business context, however, it is likely that you should be aiming to minimise data retention in most cases.
Document Templates Available
- Our Data Retention Policy is designed to set out the limits that apply to the various types of personal data held by your organisation. It is also designed to help establish the criteria by which those limits are set, and to set out how personal data should be deleted or disposed of.
- We also provide a set of Data Retention Guidance Notes which explain data retention and the UK GDPR’s storage limitation principle in more detail, including how that principle ties in with other key aspects of data protection law. The notes also offer practical tips on compliance, particularly with regard to the safe deletion and/or disposal of personal data.