The high-profile Facebook-Cambridge Analytica breach of more than 50 million users revealed just how long social media platforms store personal data — decades of conversations, text messages, contacts, and browsing habits. Google collects vast troves of information, around 11 MB of smartphone user data every day.
Regulators in many countries have created strict data privacy laws in response, such as GDPR in Europe. To avoid penalties, it’s essential for your business to understand how long personal data can be kept under GDPR and what data can be collected.
GDPR guidelines don’t specify a timeframe for storing or deleting personal data. Your organization is responsible for setting reasonable time limits, documenting data retention policies, and adhering to them.
To comply with GDPR, you should only keep personal data for as long as you need it to perform business operations. What is considered an acceptable timeframe depends on the nature of the information, your purpose for collecting it, and your industry.
The rules around personal data collection and storage timelines are located in GDPR Article 5 — Principles Relating to Processing of Personal Data. Section (e) states that personally identifiable information should be kept “for no longer than is necessary for the purposes for which the personal data are processed.”
In other words, your organization can’t store information on consumers, employees, or customers forever. You have to set clear limits and justify your timeframe by outlining exactly why and how you use the data.
Data minimization is one of the key principles that affect how long you can keep personal data under GDPR rules. It means gathering the least amount of data possible to achieve your purposes and storing it for the shortest time possible.
GDPR requires a targeted approach to information gathering and data retention; broad or vague reasons for storing personal data aren’t acceptable to EU regulators. As soon as personal data has served its legitimate purpose, processors and controllers must dispose of it following the steps outlined in your document retention policy.
For example, unless a customer wants to store a payment method for faster checkout, there’s no good reason to record a customer’s credit card details — outside of the encrypted transaction records provided by your point-of-sale system. PINs should only be used for verification purposes and deleted immediately afterward.
According to Article 4, the definition of personal data in GDPR refers to any information that can be used to identify an individual either directly or when combined with reasonably available information. Examples of personal data include:
Biometric information, such as fingerprint scans and facial recognition data, is also considered personal data. To avoid accidental violations, your company needs to keep track of all the types of data you collect on employees and customers.
It can be complicated to determine what the GDPR “no longer than is necessary” requirement means for your business. Implementing GDPR best practices requires some skillful juggling: your business needs to limit data collection and minimize storage periods but also comply with tax, legal, and financial obligations.
Under GDPR, the kinds of personal data an organization holds vary by industry. In healthcare, personal data includes names, contact numbers, medical records, blood tests, and insurance information. Retaining this data for a long time is justified because it remains relevant to the person’s health and enables effective treatment.
GDPR doesn’t cancel national records retention laws. In the Netherlands, doctors must keep patient records for 20 years after the last visit. In the UK, hospitals have to store records until 10 years after the individual’s death.
Employers collect the personal data of workers for payroll, bank deposits, performance evaluations, access control measures, tax withholding, and benefits. An extended retention policy makes sense as long as the person works for you.
What if your employee quits? In that case, you need to treat their records like any other personal data and delete them as soon as you legally can. Avoid holding onto bank account data, social security numbers, addresses, or phone numbers unless government regulations require it or your legal team tells you to.
Businesses often retain customer records and purchase histories for years to better understand target audiences. Processing records in this way can be a legitimate purpose if you receive consent, but the longer you store sensitive data, the greater the risk.
To avoid this risk, GDPR rules encourage anonymizing analytics data by removing personal identifiers. You can store this “clean” data indefinitely.
Article 17 of GDPR gives individuals the “right to be forgotten,” which means they can withdraw processing consent and ask you to delete their data. As long as the person’s request is legitimate (not related to contractual services or government requirements), you must destroy the records “without undue delay.” The EU generally sets a time limit of one month.
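As an added example (not Compyl's code or part of the original article), the retention rules discussed above can be written down as a schedule and checked mechanically: each data category carries the event that starts its clock, how long the data is kept after it, and whether a national records law requires the retention, and an Article 17 request is answered within the one-month deadline by erasing, anonymizing, or recording the legal obligation that prevents erasure. The category names, the two-year analytics window, the identifier list and the sample records are assumptions; the 20-year and 10-years-after-death periods are the ones the article quotes.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
# Constructed schedule modelled on the article: category -> (event that starts the
# clock, days kept after it, required by law?). NL/UK periods are the article's; rest hypothetical.
RETENTION = {
    "medical_record_nl": ("last_visit", 20 * 365, True),
    "medical_record_uk": ("death", 10 * 365, True),
    "employee_payroll": ("employment_end", 0, False),
    "customer_purchase": ("last_purchase", 2 * 365, False),
}
IDENTIFIERS = {"name", "email", "address", "phone", "bank_account"}

@dataclass(frozen=True)
class Record:
    category: str
    fields: dict  # personal data held on the individual
    events: dict  # event name -> date; absent until the event has happened

def retention_status(rec: Record, today: date) -> str:
    """'retain' while the clock has not started or run out, otherwise 'expired'."""
    event, days, _ = RETENTION[rec.category]
    started = rec.events.get(event)  # None: patient alive, employee still employed, ...
    if started is None or today < started + timedelta(days=days):
        return "retain"
    return "expired"

def anonymize(rec: Record) -> Record:
    """Drop direct identifiers; the article notes such data may be kept indefinitely."""
    return replace(rec, fields={k: v for k, v in rec.fields.items() if k not in IDENTIFIERS})

def one_month_after(d: date) -> date:
    """Article 17 deadline: the article says the EU generally allows one month."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    last_day = (date(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))

def handle_erasure_request(rec: Record, requested_on: date) -> dict:
    """Decide an Article 17 request: erase unless a legal retention duty overrides it."""
    decision = "erase"
    if RETENTION[rec.category][2]:
        decision = "retain_legal_obligation"  # national records law takes precedence
    elif rec.category == "customer_purchase":
        decision = "anonymize"  # keep the statistics, not the person
    return {"decision": decision, "deadline": one_month_after(requested_on).isoformat()}

# Constructed sample records and a fixed "today" used by the checks.
TODAY = date(2024, 1, 31)
PATIENT = Record("medical_record_nl", {"name": "A."}, {"last_visit": date(2010, 3, 1)})
LEAVER = Record("employee_payroll", {"name": "B.", "bank_account": "x"}, {"employment_end": date(2023, 12, 31)})
SHOPPER = Record("customer_purchase", {"email": "c@example.com", "spend_eur": 120}, {"last_purchase": date(2021, 1, 1)})
```

Running the sweep on a real system means iterating `retention_status` over every record and routing the "expired" ones into the deletion step of the documented retention policy.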
Creating a data retention policy that aims to minimize PII storage isn’t just good for GDPR compliance. It can also protect your organization financially. The more sensitive information you have, the higher the potential cost of a data breach — including class action lawsuits from affected individuals.
GDPR access and accuracy requirements can also make it expensive to hold onto personal data for too long. After many years, finding and updating PII for customer records requests can be excessively time-consuming.
It’s not easy for businesses with thousands of customers or hundreds of employees to keep track of how long personal data is kept, but GDPR compliance requires adhering strictly to your retention policy. Workflow automation platforms such as Compyl make the process of tracking and organizing records much simpler. See how it simplifies GDPR compliance across the board.