How Long Can Businesses Keep Personal Data?

Creating a data retention policy is a “stealth” requirement under several privacy laws, and it’s one that businesses often struggle with. For many, the idea of not keeping data forever is counterintuitive, if not outright foolish. Data is a resource, so it should be used and not thrown away, right?

Putting aside the other very good reasons for implementing a data retention policy—such as improving information security and reducing legal liabilities—when it comes to privacy compliance, a lot of people just want to know the maximum amount of time they can keep personal data and remain compliant.

As Long as Necessary, But No Longer

While it varies from law to law, the general rule is that businesses may retain personal data for as long as is necessary to fulfill the purposes for which it was collected. Note that the standard is not that data may be kept as long as it is still potentially useful; it may only be kept as long as it is necessary.

The European Commission put it even more bluntly: “Data must be stored for the shortest time possible.”

Practical Guidance

Businesses may be frustrated by the lack of specific data retention periods for them to follow, but it would be difficult (if not impossible) to come up with a single rule that applies across all situations. Contextual information such as the nature of the personal data, the nature of the organization, and the processing purposes must all be taken into account. For example, data collected in order to service a lifetime product guarantee will probably remain necessary for longer than data collected to send promotional emails. 

However, this lack of specificity should not be interpreted as a lack of enforceability. Especially under the GDPR, organizations are regularly fined for violations of data minimization rules.

When defining your business’s data retention periods, bear in mind that it is you, the regulated business, who will bear the burden of demonstrating that you keep personal data only as long as is necessary. The longer the retention period, the harder it becomes to demonstrate that necessity. For example, if you’ve decided to keep marketing information for 20 years from the last contact with a consumer, most organizations will struggle to argue that the data remains necessary for so long.

Businesses that are subject to the GDPR should also look into local rules that may provide more guidance. French data protection authorities, for example, have published guidelines recommending that marketing contact information only be retained for up to three years from the last contact with an individual. Anything longer than that, and the business must explain why it is necessary. (See this rule in action)