If you don’t need it, why keep it? The General Data Protection Regulation (GDPR) states that identifiable personal data should not be kept for longer than is necessary for its defined purposes. So even if you collect and use personal data in a fair and lawful way, you must not keep it for longer than you actually need it. Therefore, you must delete/erase or anonymise this data.
Although the GDPR does not stipulate a specific time period for deleting data, there are laws in each member state that govern the retention of data for many different types of data. Usually, it is data related to tax and financial matters that needs to be kept longer. 5, 7, 10 years are the usual periods.
Data that have no legal retention periods, a deletion schedule applies based on the purpose of the processing. Therefore, the company that owns this data is in the best position to judge this. But be careful. If you keep data indefinitely, “just in case,” or if there is only a slight chance that you will use it, you make yourself just as liable as if you had collected that data unlawfully. You must always be able to justify the retention period you choose.
Also, for security reasons, it is not highly recommended to keep data for long periods of time. More data leads to more data security costs. We also need to factor in the risk of a data breach, and the more data you have, the greater the likelihood of a data leak.
Removing personal data from physical documents is the simplest process. Shredding the documents and all copies of them is enough. Deleting digital data, on the other hand, can be more difficult. You need to make sure you have deleted the archive from all sources: the company servers, your internal computer files, and any emails still in employees’ inboxes.
Anonymization can also be a viable option. To do this, you need to remove the personally identifiable information from the records so that the people describing the data are truly anonymous.
However, from a retention perspective, anonymization may not be the best solution. Anonymized data may not be personal data, but it is still data. Storing any type of data requires additional storage space and incurs additional costs. So it is inefficient and unproductive to keep data that you may never need again.
After all, you needed the personal data to achieve the purpose for which it was processed. If the data no longer contains the information you need, chances are you will never use it again.
In summary, adhering to the principle of storage limitation means that you should delete data you no longer need as soon as its purpose ceases to exist.
To learn more about GDPR principles don’t forget to read our previous article.
Need some help on the road to compliance? Contact us today!