Clarkslegal Law Bites

Frequently asked questions on data retention

Clarkslegal

Data retention is the storage of data for a specific period, guided by legal, operational, and regulatory considerations. While data minimisation principles advocate for limiting the collection and storage of personal data, retaining certain information is often necessary for various purposes.

In this podcast, Jesse Akiwumi and Harry Berryman, members of the Data Protection team at Clarkslegal, address the top frequently asked questions we receive about data retention. These questions include: 

  • How long can an organisation lawfully keep data?
  • What happens to data that is shared with others? 
  • Why is it important to limit the storage of data? 
  • Do organisations need policies to govern what data is retained and what is destroyed? 
  • What are the consequences of wrongfully deleting information? Can an organisation face criminal charges for deleting or altering information that an individual has requested? 
  • Can an organisation destroy or amend information after responding to a request? 

If your organisation needs help drafting a data retention policy or employee training on data protection requirements, please contact our Data Protection Lawyers.

Jesse Akiwumi  00:05

Hello and welcome to our latest Data Protection podcast. My name is Jesse Akiwumi, a trainee solicitor in our Corporate & Commercial and data protection teams, and I am joined by Harry Berryman, a solicitor in our employment and data protection teams.

Today we will be discussing Data Retention, and going through some of the questions we are asked most frequently in relation to data retention.

Harry Berryman 00:25

Hi everyone, thank you Jesse. So, I understand you have some questions for me about data retention?

Jesse Akiwumi 00:31

Yes, it’s a key issue for any individual or business which processes data. Article 5 of the UK GDPR sets out the seven key data principles. The fifth of these, Principle E, is storage limitation.

Under Principle E, an individual or organisation cannot keep personal data for longer than they actually need it, but many organisations are unclear about their data protection obligations when it comes to storage, and we hope to provide some clarity during this podcast. To start…

How long can an organisation lawfully keep data?

Harry Berryman 01:03

This is a difficult question to answer!

There are no specific time limits in the UK GDPR for data retention. Data controllers are in the best position to decide this, so the GDPR leaves it to their judgment.

That being said, that doesn’t mean that you can keep all data indefinitely. We can give tailored advice on what is reasonable and for how long your organisation can justify holding certain data.

However, there may also be industry-specific regulations, such as in the finance or healthcare sector, which data controllers do need to be aware of. For example, limited companies must keep financial and accounting records for 6 years from the end of that accounting period. 

Jesse Akiwumi 01:43

And what about data that is shared?

Harry Berryman 01:47

If data is shared with third parties, both the original organisation and the recipient have responsibilities under the UK GDPR.

Organisations which regularly share data with a particular third party should have data processing agreements, to reduce their risks, so both parties understand what is being done with the data and how long it will be retained for.

These agreements outline data retention obligations and ensure compliance with the UK GDPR.   

Jesse Akiwumi 02:13

Many organisations want to know why it is important to limit their data storage. Would you be able to provide some clarity?

Harry Berryman 02:21

There are a few main factors – the security of the data, the cost of storing the data, the risk of non-compliance and the rights that Data Subjects have over their data.

The most obvious is security risk - storing data longer than necessary increases the risk of data breaches and cyberattacks and increases the potential damage done should one occur.

Compliance risk is the risk of non-compliance with data protection laws, which can result in fines and reputational damage for the company.

Data subject rights is one which does not come up often, but is important: individuals have rights to access, rectify, and erase their data. Limiting storage makes fulfilling these rights easier, and less time consuming.

Equally, storing large amounts of data can be expensive, which is not strictly a risk but is something to consider.

Jesse Akiwumi 03:12

Thank you Harry, moving onto our next frequently asked question, do organisations need policies in place to govern what data is kept and what data is destroyed (like a data retention policy)?

Harry Berryman 03:23

Yes: A data retention policy is crucial for compliance and, should anything go wrong, demonstrating that the company has appropriate policies in place. It should: 

  • Firstly, define data retention periods for different types of data.   
  • It should outline procedures for data destruction.   
  • Assign responsibilities for data retention and destruction.   
  • You should also regularly review and update the policy. We can, of course, help with putting this policy together, as it will be unique to each company and data controller.

Jesse Akiwumi 03:55

Once an organisation identifies the data that is no longer needed, what can they do with this data?

Harry Berryman 04:03

Ideally, data should be securely destroyed to prevent unauthorised access or misuse.

If data is not destroyed or needs to be kept for a long period, it can be anonymised so it no longer identifies individuals.   

Jesse Akiwumi 04:18

A concern for many organisations is the consequences of wrongfully deleting information. Can an organisation face criminal charges for deleting or altering information that an individual has requested?

Harry Berryman 04:31

Potentially, yes: 

If data is intentionally deleted or altered to prevent an individual from exercising their rights, it could be considered unlawful processing.

In some cases, this could lead to criminal penalties under the UK GDPR and a fine of up to £5,000.

Jesse Akiwumi 04:49

And what can an organisation do if they have already deleted this information?

Harry Berryman 04:55

Explain the situation to the individual and why the data is no longer available.

Explaining the situation will be easier if the organisation has maintained records of the reason for data deletion and can point to a clear policy.

There is a duty created by Section 16 of the Freedom of Information Act and Regulation 9 of the EIR to provide advice and assistance to people making requests. If the information has been deleted, the controller should give what information it can, such as advice if the data has been held elsewhere or if there is similar or related information that can be provided.

Jesse Akiwumi 05:36

Thanks, and can an organisation destroy or amend the information after they have responded to the request?

Harry Berryman 05:37

Generally, no: once an individual has exercised their rights (e.g., access, rectification), the organisation should generally not alter or delete the data unless there is a legitimate reason – for example, legal or regulatory obligations.

You should also wait to destroy any information until all relevant complaint and appeal provisions have been exhausted.

Jesse Akiwumi 06:12

Some organisations might be in a situation where an individual requests information that was due to be deleted. In cases like these, does an organisation still need to provide the information? 

Harry Berryman 06:28

Potentially, yes: 

The organisation should assess whether the data is still necessary for the original purpose.

If the data is still relevant to the original purpose, the organisation should fulfil the individual's request.

If the data was due for deletion but needs to be retained to fulfil a request, you should document the reason for the exception.

Jesse Akiwumi 06:50

Thank you Harry, and that brings us to the end of our podcast on frequently asked questions on data retention.

Organisations need to carefully consider, and justify, the reasons for keeping personal data and make sure they have effective systems in place to review the data that they hold.

I hope you have found this podcast useful and if you have any questions on what we have discussed today please get in touch with a member of our data protection team who will be more than happy to help!