Understanding Data Retention Obligations Set by the GDPR
What is the GDPR?
The General Data Protection Regulation ("GDPR") is an EU regulation designed to strengthen and unify data privacy for all individuals in the European Union ("EU"). Along with the ePrivacy Regulation, GDPR is a pillar of the EU’s digital privacy and security strategy. GDPR is intended to address the patchwork of country-specific regulations that existed before it. GDPR also addresses privacy, security, and data processing concepts introduced in contemporary digital technologies and services that have developed since the last major update to the EU data protection framework in 1995.
GDPR became enforceable on May 25, 2018 and is one of the most robust updates to the way governments regulate privacy and data security. The regulation does not require individual countries to enact specific laws. However, GDPR provides guidance to EU countries to strengthen existing privacy regulations and protections within their borders.
GDPR does not just apply to EU-based companies, but also to any data controller or processor located outside the EU that processes the personal data ("Personal Data") of individuals who are within the jurisdiction of the EU (i.e., EU citizens and residents). It therefore has far-reaching effects and implications worldwide.
GDPR Data Retention Objectives
As GDPR emphasises, data minimisation is a key principle that must inform all processing. This means that, save for the exceptions set out below, organisations will only be able to retain personal data for as long as is necessary for the purposes for which it was collected. Relevant purposes are, however, wide-ranging and include meeting any applicable legal obligations. Any retention period must be met by the organisation to whom the data is entrusted, including processors. If personal data has been obtained on the basis of consent, it must also be deleted if that consent is withdrawn and no other basis for processing is available. In the UK, the ICO has also often ruled that the right to object is relevant when considering the need to delete data.
For many organisations, the GDPR will require a complete overhaul of their data retention policies and practices. Until now, it was sufficient to include a note in your privacy statement setting out your retention period. Now this must be based on a review of every single piece of personal data to see whether the reasons for its retention still apply. For example, if a person applies for a mortgage and details are held for 6 years, a decision will need to be made about whether longer retention is necessary for legitimate business reasons. These might include holding the information in case of any complaint or subsequent litigation. There are also other obligations on the financial advisor which would necessitate retention for 6 years. Clearly many organisations will not be able to implement these changes in a timely fashion given the scale of this issue, and the ICO has already accepted that other enforcement methods may be more suitable in such circumstances. Without that recognition, however, it would be very difficult for organisations to fill the gap between now and May.
It is anticipated that the ICO (UK DPA) will issue guidance in due course, given the scale of this compliance exercise.
The ICO are currently in the process of issuing guidance which deals with the application of the ‘special categories’ of personal data to data retention.
How Long to Retain Data
Determining the length of data retention is not a one-size-fits-all process. Generally speaking, the goal is to minimize the retention time while ensuring that you meet applicable obligations and expectations. To date, the GDPR has not explicitly stated how long you should maintain personal data. It is up to you to determine what is appropriate—and permissible under the GDPR’s requirements. Here we discuss key factors that can help you narrow down the retention period.
As you think about your retention period, a number of factors may come into play when deciding how long you should keep records, including: The GDPR does set some retention parameters that you should keep in mind. In Article 5(1)(c), the GDPR states that you must ensure that personal data "is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it was processed." The GDPR also requires you to develop a retention policy that will be applied once the retention period has been met. Such a policy could include practices for deleting or securely destroying documents in a way that safeguards the information within them.
Legal Bases for the Storage of Personal Data
The GDPR provides for six alternative legal bases for processing personal data. One of them is the performance of a contract with the data subject (Article 6(1)(b)). If a contract requires the retention of specific personal data for the duration of the contract (or for longer, as otherwise set forth in the contract), the legal basis for processing that data will be Article 6(1)(b). Depending on the nature of the contract, however, it may also be necessary to rely on an additional legal basis that would apply beyond the duration of the contractual relationship. For example, if a company’s terms and conditions include a privacy notice making the necessary disclosures under the GDPR and obtaining user consent to process the data (such as through an accepted privacy notice), but the company is still required to retain that data for a longer period than the contract is in effect, the company may rely on the legitimate interest legal basis (Article 6(1)(f)).
If relying on legitimate interest for retention of personal data, a company must satisfy the balancing test and data protection impact assessment requirements in the GDPR. In addition, each controller must document the reasons justifying the retention period.
The GDPR provides additional legal bases for personal data retention. If the data subject has effectively consented (Article 9(2)(a)), that consent can justify a longer retention period. Under Article 9(2)(a), the expiration of the data subject’s consent will not affect the right of the controller to retain the data.
In addition, the GDPR exceptions apply to the right of erasure. Article 17(3)(b) of the GDPR states that "[t]he right to erasure…is not applicable where…compliance with that obligation would impair the achievement of the objectives of processing." Under this exception, controllers may continue to retain some or all personal data subject to applicable settlement, litigation, or other legal requirements as the law may permit.
Finally, it should be noted that as a general rule, there is no mandatory data retention period under the GDPR for personal data. While EU member states may establish a mandatory data retention period for particular categories of data, most data protection authorities encourage indefinite retention periods for most data categories only when the controller can demonstrate a legitimate interest for doing so.
Individuals’ Rights
Despite the express requirements of Article 5(1)(e) with respect to data retention, there are numerous exceptions that are applicable to both individuals’ rights and controllers’ obligations. The GDPR offers individuals numerous rights that may impact how controllers fulfill their data retention obligations.
Individuals have an array of rights under the GDPR that could impact a controller’s data retention obligations. Article 15 gives individuals the right to "obtain from the controller confirmation as to whether or not personal data concerning them are being processed, where and for what purpose." This is commonly known as the right of access. The right of access also obligates controllers to tell individuals how long their personal data will be retained. Article 17 provides that an individual has the "right to obtain from the controller the erasure of personal data concerning him or her without undue delay" if one of several grounds is met.
Article 21 establishes that individuals have a right to object to processing activities that are based upon Article 6(1)(e) or (f), namely public interest grounds and legitimate interests grounds respectively. In this case, the controller must cease processing the individual’s personal data at least until there is a legitimate basis for such processing that outweighs the individual’s privacy rights. Individuals also have the right to request the return of their data directly in a structured, commonly used, and machine-readable format. This right is known as the right to data portability (Article 20).
Best Practices for GDPR and Data Retention
The practice of properly managing data retention under GDPR is best facilitated through the adoption and enforcement of a policy that governs the role of the controller in managing the lifecycle of personal data under its control. But a data retention policy is only effective when there are sufficient resources dedicated to its implementation. The policy must include defined processes for (1) proper identification of the organization’s lawful basis for retaining the data; (2) determining what information should be retained based upon the purpose for its processing; (3) establishing and maintaining a data map; (4) limiting data to that which is necessary to achieve the controller’s processing purposes; (5) ensuring the security of stored data, including who may access the data and how that access is controlled; (6) conducting regular compliance audits (including the requirement for having data processing agreements with all service providers with whom data is shared); (7) developing a process for acting upon security incidents or breaches, and responding to requests for access to an individual’s personal data; and (8) purging and disposing of data no longer required.
Most organizations store personal data electronically, whether in files or databases. Accordingly, the development of a data retention policy should be accompanied by an explanation of how the organization protects its stored data from inadvertent or intentional destruction or unauthorized use. Having some form of audit trail (e.g., system log-in history) and issuing alerts on control failures can also assist organizations in reducing the risk of improper destruction or alteration of data. Many data security breach incidents result from the loss of mobile technologies (generally phones or laptops) or online accounts. Organizations should ensure that they use encryption technologies to protect the confidentiality of personal data in transit and at rest. In addition, if controller information is being stored remotely, it should be stored in GDPR-compliant storage facilities.
It is also important that any organization with a website has an appropriate privacy policy, including a cookie policy. The website policy should provide clear details about how any user-provided information will be handled, the controller’s lawful basis for collecting this information and, in some instances, the controller’s plan for sharing such information with third parties. The GDPR also requires controllers to identify a lawful basis for setting cookies on their websites. If the controller intends to rely upon a legal basis other than consent for cookies, it must provide its visitors with an option for opting out of cookies. Like the retention policy, the cookie policy must be enforced.
Finally, it is essential that organizations for whom data retention is critical to their business activities have regular training programs that target all relevant personnel.
Consequences of Non-Compliance
The consequences of violating the GDPR’s data retention requirements range from the theoretical to the real. While most of the theoretical cases revolve around how a regulatory body could sanction or otherwise hold an organization responsible for its lack of compliance, even the theoretical discussions may be unappealing enough to warrant action. The possibilities include fines, litigation, sanctions, damages, injunctions and regulatory orders.
Fines
Each member state is responsible for enforcing GDPR in its own way, but the law requires that member states set up data protection authorities. These authorities are required by Article 51 of the GDPR to be independent and advised by "a body which is independent, in the sense that it does not take directions from anybody." If an authority finds a violation of the GDPR’s data retention requirements, it can issue a fine.
Litigation
Article 77 of the GDPR gives individuals who are involved in a controversy over the GDPR’s application the right to bring a claim with that same data protection authority. Article 82 of the GDPR requires that any individual harmed by a violation of the GDPR receive compensation from the controller or processor.
Sanctions
Another option for a data protection authority investigating a violation could be to issue a warning (Article 58) or an administrative fine (Article 83). The maximum administrative fine for a violation of the GDPR is €20 million or 4% of the worldwide annual revenue of a company, whichever is higher.
Injunctions
If a regulatory body investigates an organization for violation of the GDPR’s data retention requirements, and a controller or processor wants to obtain an injunction (e.g. to stop the investigation, prevent potential fines or litigation, or to prevent the release of data that could have catastrophic effects for an organization), the authority’s decisions can be appealed to national courts (Article 78).
Regulatory Orders
Finally, if an authority believes an organization is at risk of violating GDPR, it has the ability to investigate and issue a regulatory order, which can require a controller to "introspectively assess the impact of the processing and document its findings."
Practical Examples and Case Studies
The UK’s Information Commissioner’s Office (ICO) issued a £2.3m fine on Edinburgh-based football club Hearts FC for its use of electronic marketing databases without the supported consent of its customers, and for making marketing calls to former season ticket holders during matches and at anti-social times. It is now obligatory under the GDPR to ensure an email marketing database is clean when the business is responsible for managing the database of its customers, and even where consent has been given, it is only valid if there has been an unambiguous indication from the individual that they wish to consent.
In a recent case, an online retailer accepted chain emails from its employees asking individuals to provide their consent to being sent marketing messages. When the ICO investigated, it found the retailer could not show a clear audit trail to demonstrate that the individuals had provided their consent.
Another case involves Oxfordshire County Council. The ICO has stated that it has data protection concerns because sensitive personal data has been processed without consideration of costs and risks. Organizations must understand their legal basis for processing personal data and must calculate the costs, risks and benefits.