Want to watch this video? Sign up for the course here. Or enter your email below to watch one free video.

Unlock This Video Now for FREE

This video is normally available to paying customers.
You may unlock this video for FREE. Enter your email address for instant access AND to receive ongoing updates and special discounts related to this topic.

The fifth privacy principle is Storage Limitation. “Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”

To comply with this principle you must not keep personal data for longer than you need it, you will need to consider and be able to justify your reasons for retaining data and this will depend on your purpose or purposes for holding it.

You will need a policy setting out your standard retention periods for different processing activities and the data you hold should be reviewed periodically. Where possible, data should be erased or anonymised when it is no longer required. Be aware that individuals have the right to erasure if you no longer need the data. Make sure that you have appropriate processes in place to deal with any requests for erasure.

Anonymising or erasing data that you no longer need reduces the risk of it becoming inaccurate, excessive or irrelevant. If you hold data for longer than is necessary you are unlikely to have a lawful basis for retaining the data. Holding data can also increase storage costs and raise more potential security risks and there is also the added responsibility for responding to any subject access requests that individuals can make to find out what data you are holding about them.

It’s important that you provide information about how long you will retain personal data on your Privacy Policy. How long you need to hold data often depends on the data itself, for example, personal data for payroll and accounting may be 6 years whereas personal data regarding people you have unsuccessfully marketed to would only be retained for a short period of time.

Although small organisations are, in many cases, not required to formally document processing activities, it is advisable to create a clear retention policy which helps to review the data you hold and to help you to decide and consider your justification for retaining it.