At a glance
- You must not keep personal data for longer than you need it.
- You need to think about – and be able to justify – how long you keep personal data. This will depend on your purposes for holding the data.
- You need a policy setting standard retention periods wherever possible, to comply with documentation requirements.
- You should also periodically review the data you hold, and erase or anonymise it when you no longer need it.
- You must carefully consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data.
- You can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes.
☐ We know what personal data we hold and why we need it.
☐ We carefully consider and can justify how long we keep personal data.
☐ We have a policy with standard retention periods where possible, in line with documentation obligations.
☐ We regularly review our information and erase or anonymise personal data when we no longer need it.
☐ We have appropriate processes in place to comply with individuals’ requests for erasure under ‘the right to be forgotten’.
☐ We clearly identify any personal data that we need to keep for public interest archiving, scientific or historical research, or statistical purposes.
For more detailed checklists and practice advice on retention, please use the ICO’s self-assessment toolkit - records management checklist
- What’s new under the GDPR?
- What is the storage limitation principle?
- Why is storage limitation important?
- Do we need a retention policy?
- How should we set retention periods?
- When should we review our retention?
- What should we do with personal data that we no longer need?
- How long can we keep personal data for archiving, research or statistical purposes?
- How does this apply to data sharing?
The storage limitation principle is broadly similar to the fifth principle (retention) of the 1998 Act. The key point remains that you must not keep data for longer than you need it.
Although there is no underlying change, the GDPR principle does highlight that you can keep anonymised data for as long as you want. In other words, you can either delete or anonymise the personal data once you no longer need it.
Instead of an exemption for research purposes, the GDPR principle specifically says that you can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes (and you have appropriate safeguards).
New documentation provisions mean that you must now have a policy setting standard retention periods where possible.
There are also clear links to the new right to erasure (right to be forgotten). In practice, this means you must now review whether you still need to keep personal data if an individual asks you to delete it.
Article 5(1)(e) says:
“1. Personal data shall be:
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)”
So, even if you collect and use personal data fairly and lawfully, you cannot keep it for longer than you actually need it.
There are close links here with the data minimisation and accuracy principles.
The GDPR does not set specific time limits for different types of data. This is up to you, and will depend on how long you need the data for your specified purposes.
Ensuring that you erase or anonymise personal data when you no longer need it will reduce the risk that it becomes irrelevant, excessive, inaccurate or out of date. Apart from helping you to comply with the data minimisation and accuracy principles, this also reduces the risk that you will use such data in error – to the detriment of all concerned.
Personal data held for too long will, by definition, be unnecessary. You are unlikely to have a lawful basis for retention.
From a more practical perspective, it is inefficient to hold more personal data than you need, and there may be unnecessary costs associated with storage and security.
Remember that you must also respond to subject access requests for any personal data you hold. This may be more difficult if you are holding old data for longer than you need.
Good practice around storage limitation - with clear policies on retention periods and erasure - is also likely to reduce the burden of dealing with queries about retention and individual requests for erasure.
Retention policies or retention schedules list the types of record or information you hold, what you use it for, and how long you intend to keep it. They help you establish and document standard retention periods for different categories of personal data.
A retention schedule may form part of a broader ‘information asset register’ (IAR), or your general processing documentation.
To comply with documentation requirements, you need to establish and document standard retention periods for different categories of information you hold wherever possible. It is also advisable to have a system for ensuring that your organisation keeps to these retention periods in practice, and for reviewing retention at appropriate intervals. Your policy must also be flexible enough to allow for early deletion if appropriate. For example, if you are not actually using a record, you should reconsider whether you need to retain it.
If you are a small organisation undertaking occasional low-risk processing, you may not need a documented retention policy.
However, if you don’t have a retention policy (or if it doesn’t cover all of the personal data you hold), you must still regularly review the data you hold, and delete or anonymise anything you no longer need.
Further reading – records management and retention schedules
The National Archives (TNA) publishes practical guidance for public authorities on a range of records management topics, including retention and disposal. This guidance can help you comply with the storage limitation principle (even if you are not a public authority):
The GDPR does not dictate how long you should keep personal data. It is up to you to justify this, based on your purposes for processing. You are in the best position to judge how long you need it.
You must also be able to justify why you need to keep personal data in a form that permits identification of individuals. If you do not need to identify individuals, you should anonymise the data so that identification is no longer possible.
- You should consider your stated purposes for processing the personal data. You can keep it as long as one of those purposes still applies, but you should not keep data indefinitely ‘just in case’, or if there is only a small possibility that you will use it.
A bank holds personal data about its customers. This includes details of each customer’s address, date of birth and mother’s maiden name. The bank uses this information as part of its security procedures. It is appropriate for the bank to retain this data for as long as the customer has an account with the bank. Even after the account has been closed, the bank may need to continue holding some of this information for legal or operational reasons for a further set time.
A bank may need to retain images from a CCTV system installed to prevent fraud at an ATM machine for several weeks, since a suspicious transaction may not come to light until the victim gets their bank statement. In contrast, a pub may only need to retain images from their CCTV system for a short period because incidents will come to light very quickly. However, if a crime is reported to the police, the pub will need to retain images until the police have time to collect them.
A tracing agency holds personal data about a debtor so that it can find that individual on behalf of a creditor. Once it has found the individual and reported to the creditor, there may be no need to retain the information about the debtor – the agency should remove it from their systems unless there are good reasons for keeping it. Such reasons could include if the agency has also been asked to collect the debt, or because the agency is authorised to use the information to trace debtors on behalf of other creditors.
- You should consider whether you need to keep a record of a relationship with the individual once that relationship ends. You may not need to delete all personal data when the relationship ends. You may need to keep some information so that you can confirm that the relationship existed – and that it has ended – as well as some of its details.
A business may need to keep some personal data about a previous customer so that they can deal with any complaints the customer might make about the services they provided.
An employer should review the personal data it holds about an employee when they leave the organisation’s employment. It will need to retain enough data to enable the organisation to deal with, for example, providing references or pension arrangements. However, it should delete personal data that it is unlikely to need again from its records – such as the employee’s emergency contact details, previous addresses, or death-in-service beneficiary details.
A business receives a notice from a former customer requiring it to stop processing the customer’s personal data for direct marketing. It is appropriate for the business to retain enough information about the former customer for it to stop including that person in future direct marketing activities.
- You should consider whether you need to keep information to defend possible future legal claims. However, you could still delete information that could not possibly be relevant to such a claim. Unless there is some other reason for keeping it, personal data should be deleted when such a claim could no longer arise.
An employer receives several applications for a job vacancy. Unless there is a clear business reason for doing so, the employer should not keep recruitment records for unsuccessful applicants beyond the statutory period in which a claim arising from the recruitment process may be brought.
- You should consider any legal or regulatory requirements. There are various legal requirements and professional guidelines about keeping certain kinds of records – such as information needed for income tax and audit purposes, or information on aspects of health and safety. If you keep personal data to comply with a requirement like this, you will not be considered to have kept the information for longer than necessary.
- You should consider any relevant industry standards or guidelines. For example, we have agreed that credit reference agencies are permitted to keep consumer credit data for six years. Industry guidelines are a good starting point for standard retention periods and are likely to take a considered approach. However, they do not guarantee compliance. You must still be able to explain why those periods are justified, and keep them under review.
You must remember to take a proportionate approach, balancing your needs with the impact of retention on individuals’ privacy. Don’t forget that your retention of the data must also always be fair and lawful.
You should review whether you still need personal data at the end of any standard retention period, and erase or anonymise it unless there is a clear justification for keeping it for longer. Automated systems can flag records for review, or delete information after a pre-determined period. This is particularly useful if you hold many records of the same type.
It is also good practice to review your retention of personal data at regular intervals before this, especially if the standard retention period is lengthy or there is potential for a significant impact on individuals.
If you don’t have a set retention period for the personal data, you must regularly review whether you still need it.
However, there is no firm rule about how regular these reviews must be. Your resources may be a relevant factor here, along with the privacy risk to individuals. The important thing to remember is that you must be able to justify your retention and how often you review it.
You must also review whether you still need personal data if the individual asks you to. Individuals have the absolute right to erasure of personal data that you no longer need for your specified purposes.
You can either erase (delete) it, or anonymise it.
You need to remember that there is a significant difference between permanently deleting personal data, and taking it offline. If personal data is stored offline, this should reduce its availability and the risk of misuse or mistake. However, you are still processing personal data. You should only store it offline (rather than delete it) if you can still justify holding it. You must be prepared to respond to subject access requests for personal data stored offline, and you must still comply with all the other principles and rights.
The word ‘deletion’ can mean different things in relation to electronic data, and we recognise it is not always possible to delete or erase all traces of the data. The key issue is to ensure you put the data beyond use. If it is appropriate to delete personal data from a live system, you should also delete it from any back-up of the information on that system.
We produced detailed guidance on the issues surrounding deletion under the 1998 Act. This will be updated for the GDPR in due course, but in the meantime still offers useful guidance on the practical issues surrounding deletion:
Alternatively, you can anonymise the data so that it is no longer “in a form which permits identification of data subjects”.
Personal data that has been pseudonymised – eg key-coded – will usually still permit identification. Pseudonymisation can be a useful tool for compliance with other principles such as data minimisation and security, but the storage limitation principle still applies.
You can keep personal data indefinitely if you are holding it only for:
- archiving purposes in the public interest;
- scientific or historical research purposes; or
- statistical purposes.
Although the general rule is that you cannot hold personal data indefinitely ‘just in case’ it might be useful in future, there is an inbuilt exception if you are keeping it for these archiving, research or statistical purposes.
You must have appropriate safeguards in place to protect individuals. For example, pseudonymisation may be appropriate in some cases.
This must be your only purpose. If you justify indefinite retention on this basis, you cannot later use that data for another purpose - in particular for any decisions affecting particular individuals. This does not prevent other organisations from accessing public archives, but they must ensure their own collection and use of the personal data complies with the principles.
If you share personal data with other organisations, you should agree between you what happens once you no longer need to share the data. In some cases, it may be best to return the shared data to the organisation that supplied it without keeping a copy. In other cases, all of the organisations involved should delete their copies of the personal data.
Personal data about the customers of Company A is shared with Company B, which is negotiating to buy Company A’s business. The companies arrange for Company B to keep the information confidential, and use it only in connection with the proposed transaction. The sale does not go ahead and Company B returns the customer information to Company A without keeping a copy.
The organisations involved in an information-sharing initiative may each need to set their own retention periods, because some may have good reasons to retain personal data for longer than others. However, if you all only hold the data for the purposes of the data-sharing initiative and it is no longer needed for that initiative, then all organisations with copies of the information should delete it.