What is the GDPR Storage Limitation Principle?

Defined in Article 5(1)(e) of the General Data Protection Regulation (GDPR), accuracy is the fifth principle related to the processing of personal data.

Storage Limitation Summary

  • Organizations should not keep personal data for longer than needed
  • Storage limitation is a form of data standardization, similar to data minimization and accuracy principles
  • Organizations should perform periodic reviews to identify, and address, data stored beyond intended use
  • Storing personal data beyond initially stated purpose is allowed if keeping for public interest archiving, scientific or historical research, or statistical purposes
  • If storing personal data beyond initial purpose, for compatible purposes or other, measures, such as anonymization or pseudonymization, should be applied to safeguard data subject rights

What are the primary differences between the GDPR and the 1998 Data Protection Act (DPA)?

The GDPR accuracy principle is similar to that the 1998 Data Protection Act.

Business Considerations for Organizations to Understand

What is a retention policy?

Retention policies, also referred to as retention schedules, list the types of record or information held by an organization, what organizations will use them for, and how long the organization intends on keeping it. Retention policies help to establish and document standard retention periods for different categories of personal data.

A retention schedule may form part of a broader ‘information asset register’ (IAR), or your general processing documentation.

Why employ a retention policy?

Data retention is not merely a matter for IT and administration, but a business consideration with potentially significant financial impact if you don’t get it right.

  • Minimizing data retention and having clear procedures in place to determine how and when to dispose of personal data is, therefore, are crucial to complying with the GDPR. Not only that, but a well-managed data retention plan can help businesses avoid information overload and high storage costs resulting from retention of unnecessary (and often redundant) data.
  • Retention policies provide a brief overview of data subjects’ key rights under the GDPR, as well as a summarized overview of various technical and organizational data protection measures an organization has in use

How do you handle personal data that is no longer needed?

When personal data exceeds its retention period, organizations can either erase, anonymize, or pseudonymize the data.

First, a clear understanding must be made to differentiate between permanently deleting data (erasing) and taking it offline. Personal data stored offline reduces its availability, while also reducing its risk for exposure to breach threats. However, personal data should only be stored offline, rather than deleting or masking, if justification is available for not only keeping the data but keeping it within its original format, too. Offline data must also comply with requests for the data subject rights.

Alternatively, data masking techniques can be employed to reduce the risk to breach exposure, while still allowing business owners to utilize elements of the data for analysis. Data masking alters in a way that is no longer permits identification of the data subject. The two most common forms of data masking are anonymization and pseudonymization.

Anonymization is the more extreme masking technique of the two, rendering the data such so any association to the original state is impossible. However, pseudonymization (i.e., key-coded) will usually still permit identification. Pseudonymization can be a useful tool for compliance with other principles such as data minimization and security, and yet the storage limitation principle still applies.