This principle is set out in Article 5(1)(e) of the Applied GDPR and requires that personal data is:
"kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed"
The storage limitation principle applies to any personal data or pseudonymised data being processed, but does not apply to personal data that has been anonymised and cannot be re-associated with the particular data subject.
Even if you collect and use personal data fairly and lawfully, you cannot keep it for longer than you actually need it, and this principle links with the data minimisation and accuracy principles.
The data protection law does not prescribe any time periods for retention. Controllers must identify and justify the retention periods for the different types of personal data being processed. Retention periods may be set out in laws, statutory obligations or codes of practice or accepted industry standards that apply to the controller.
Why is storage limitation important?
Ensuring that you erase or anonymise personal data when you no longer need it will reduce the risk that it becomes irrelevant, excessive, inaccurate or out of date. Apart from helping you to comply with the data minimisation and accuracy principles, this also reduces the risk that you will use such data in error – to the detriment of all concerned.
Personal data held for too long will, by definition, be unnecessary. You are unlikely to have a lawful basis for retention.
From a more practical perspective, it is inefficient to hold more personal data than you need, and there may be unnecessary costs associated with storage and security.
Remember that you must also respond to subject access requests for any personal data you hold. This may be more difficult if you are holding old data for longer than you need.
Good practice around storage limitation - with clear policies on retention periods and erasure - is also likely to reduce the burden of dealing with queries about retention and individual requests for erasure.
Do we need a retention policy?
Retention policies or retention schedules list the types of record or information you hold, what you use it for, and how long you intend to keep it. They help you establish and document standard retention periods for different categories of personal data.
A retention schedule may form part of a broader ‘information asset register’ (IAR), or your general processing documentation.
To comply with documentation requirements, you need to establish and document standard retention periods for different categories of information you hold wherever possible. It is also advisable to have a system for ensuring that your organisation keeps to these retention periods in practice, and for reviewing retention at appropriate intervals. Your policy must also be flexible enough to allow for early deletion if appropriate. For example, if you are not actually using a record, you should reconsider whether you need to retain it.
If you are a small organisation undertaking occasional low-risk processing, you may not need a documented retention policy.
However, if you don’t have a retention policy (or if it doesn’t cover all of the personal data you hold), you must still regularly review the data you hold, and delete or anonymise anything you no longer need.
It is important that controllers:
- establish the retention periods that apply to the personal data processed for each different purpose;
- implement appropriate retention policies;
- comply, and monitor compliance, with their retention policies.
Details of retention periods are necessary for:
- the new record of activities requirement
- the extended fair processing information to be provided to individuals
- the additional information to be supplied when complying with subject access requests
The new right of individuals to restrict the processing of their personal data includes the right to require a controller to retain personal data even when it is no longer required for the purposes of the controller.
Sources of information about retention periods
There are numerous resources based on legislative requirements and industry best practice standards available on the internet. Such resources may provide a suitable starting point for developing a data retention and destruction policy, not only for 'personal data' but also for other types of business documentation.
Resources, whilst not endorsed by the Commissioner, include the UK's National Archives and the Chartered Institute of Personnel and Development and the UK Government's BusinessLink. Other resources are also available.