The gist of the storage limitation principle under the General Data Protection Regulation (“GDPR”) (Art 5(1)(e)) isn’t materially different to the existing principle under the Data Protection Directive. In a nutshell, personal data should not be retained longer than necessary, in relation to the purpose for which such data is processed.
There are a few more things to consider in the wording of the principle, the main one being the allowance of longer storage for research purposes. However, these are not big points.
Nonetheless, all organisations should be treating the implementation of the GDPR as an opportunity to revise and update their data retention policies. There are a number of reasons for this. Firstly, as is often repeated, the GDPR is a game changer in that it requires all organisations to take their data handling responsibilities more seriously. As such, it is important for such organisations to have documented policies in place to enable their staff to have a clear understanding of what’s required of them. Moreover, the GDPR’s new accountability principle should encourage organisations to have something ready to show to the regulator in the event of problems.
Just as importantly, organisations should consider the expanded set of rights data subjects enjoy under the GDPR and how this may impact their data retention considerations. For example, one of the most familiar rights is the right of access, the obligation for controllers to provide individuals with access to their personal data. This is an onerous right already and yet it becomes more onerous under the GDPR (with the shortened response time, removal of the fee and the expanded categories of information which must be supplied in response to the request). Put simply, however, the right doesn’t apply to an organisation that isn’t holding the data. As such, there are powerful commercial arguments complementing the compliance arguments as to why organisations should maintain a data retention policy.
Any such policy should at least satisfy the following broad questions:
- Which categories of data does the policy cover?
- Who has responsibility for those categories of data and who has specific obligations under the policy?
- Other than data protection laws, what other rules, codes or practices should be considered?
- Subject to the above, when should data be retained and when should it be deleted?
- When should certain data be made exempt from the general deletion principles (e.g. ‘litigation holds’)?
- When should certain data be made exempt from the general retention principles (e.g. individuals exercising their right to be forgotten)?
Whilst organisations may have to invest some time and money in getting such a policy right in the first place, it may actually provide a tangible cost saving in the long run.
By Jonathan McDonald, Senior Associate at Charles Russell Speechlys LLP