Deletion of data - GDPR article 5e - storage limitation

Hi all

If there's one thing that stresses businesses out, its the principle of storage limitation, GDPR article 5e. This principle is mirrored in the data protection act where it says that the fifth data protection principle is where the data is kept only for as long as is necessary for the purpose for which it is (initially) processed. In other words, if the data is 'past its sell by date' it's maybe time to get rid of it, and that's worrying for some.

There are caveats to this, you can keep data if you can prove its for historical, scientific, public interest or for statistical purposes but for the most of us in business, we're not going to get away with keeping data forever on this premise. In fact the GDPR and Data Protection Acts are actually telling you that should you keep data for 'longer periods' you need to do your utmost to protect it and or anonymise the information. Whatever point of view you have on this is interesting, what I'd like to add is that should you suffer a data breach, then it's still a violation, so that leads me on nicely to this - what if you had less data to be breached? Let us look at this further.

Let's say you gather a lot of personal data, sitting in unused accounts or databases for years on end; if someone was to hack your system or a disgruntled employee decided that they wanted to sell, or even worse spread the content over the internet, you'll have a problem. The first thing to do to before anything happens is combat the potential problem by risk assessment and discuss it, who has access to the information in the first place? It's one thing you may want to consider.

Let's move on a fraction to this subject of deletion; the regulations are not saying the word delete but they are implying it and in the case of article 5e of the GDPR, it's certainly saying that you can only keep it (the data) in a form for only as long as is necessary, so we need to define something here and that is a retention policy. Should you write your data retention policy and discuss it you are going to uncover some truths about your business and that is 1. You'll quickly find out what data you have that is at risk and 2. You'll find that this principle worries people. You need to decide how long you are going to keep data and if you are going to keep it for longer 'than is necessary' then you'll need to anonymise the information so as the data subject (a natural person) can no longer be identified from it. What you don't want to do is to put your business at risk here, you may want to get rid of information, by law you may need to but you must not put your businesses into jeopardy here just for the sake of it, you must be sensible in your attempts to define what data is not necessary any more.

What i've found in my experience is these information databases that are built to house personal information, don't take too kindly when the instruction is given to delete information. Data protection by design and by default is something that will continue no doubt, but are developers and designers building these databases with deletion of records in mind? I very much doubt it.

People look at this clause and call it the 'deletion clause', that's because the GDPR is implying that should you not need data anymore then you are to get rid of it - and in a secure manner to boot. But how, when and where you do that is up to you. We hear on the TV or on social media when companies are being prosecuted for data breaches - and some of them will wonder why they had so much data in the first place.

Storage limitation is an interesting article, it's bound to cause some friction in business, you'll just need to discuss it and have a sensible retention policy in place.

Just one more thing, should you decide to continually process data, yes storage is processing, then you'll need a reason in law to do this, and it comes from article 6 of the GDPR, something we'll talk about in the future. Basically you have to have a reason in law to store data beyond it's usage point.

Thanks for reading


Steven Burgess is a consultant and Data Protection Officer for Disclosure Services Limited, a company who process data in relation to criminal record checks.