Storage Limitation: GDPR Privacy Principle
Overview
The fifth privacy principle, known as Storage Limitation, states:
“Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”
Compliance Requirements
To comply with this principle:
- Reasonable Retention: Personal data should not be kept longer than necessary.
- Justification: Reasons for retaining data must be justified based on processing purposes.
- Retention Policy: Establish standard retention periods for different processing activities.
- Periodic Review: Review data periodically to ensure compliance.
Data Erasure and Anonymisation
Ensure:
- Erasure: Data is erased or anonymised when no longer needed.
- Subject Requests: Processes are in place to handle requests for erasure.
Benefits of Timely Data Management
Timely management:
- Reduced Risks: Reduces risks of data becoming inaccurate, excessive, or irrelevant.
- Lawful Basis: Ensures compliance with the lawful basis for data retention.
- Cost and Security: Reduces storage costs and potential security risks.
Information Provision
Include in the Privacy Policy:
- Retention Periods: Information about how long personal data will be retained.
- Examples: Provide examples of retention periods based on data types.
Importance of Retention Policy
Even for small organisations:
- Documentation: Establish a clear retention policy for data management.
- Review and Justification: A retention policy helps review and justify data retention practices.

