Is it wise to keep personal data for longer than necessary?


Copyright 2020 CEP Magazine, a publication of the Society of Corporate Compliance and Ethics (SCCE).

As data protection laws continue to evolve around the world, one of the core data protection principles – storage limitation – remains a priority. It requires organisations to retain personal data only for as long as is necessary for the purposes for which the data are required. The challenge is that the necessary amount of time has not been defined.

The European Union General Data Protection Regulation provides specific requirements for the storage limitation principle, saying that personal data shall be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”[1]

If data are truly the “oil of the internet,” then they have value. That’s why businesses often keep data for as long as possible, saying that they never know when the data might be useful. However, keeping personal data longer than is necessary turns that information into toxic data. If leaked, they can have disastrous consequences not only for the individuals whose data are uncontrolled but also for the business that loses control of the same data.

To read the full article in PDF format, see here: ‘Is it wise to keep personal data for longer than necessary?’

You can also view the article via the compliance cosmo website – CEP Magazine – May 2020

[1] Council Regulation 2016/679, General Data Protection Regulation, 2016 O.J. L119, Article 5(1)(e).

Robert Bond
