Retention of Data

“How long can we keep our data?”

Retaining data has always been a fragmented area of information security law. This article explores what personal data is, what constitutes processing data and for how long you should retain data, as it appears to be unclear within DPA and GDPR law!

First, a definition of what constitutes personal data; “Personal Data means any information relating to an identified or identifiable natural person (data subject). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.”

If your organisation handles information, in any form, that can be used to identify an individual; your organisation is holding personal data.

So what defines processing data? “Processing” data; is anything you do with personal data, even if your organisation is “storing”, “erasing” or “destroying” data, then you are “processing” data.

How has the data retention landscape changed from DPA to GDPR?

It is mainly unchanged, but you have to explicitly retain information based on the usage specified when consent was given.

Organisations are advised to carry out a Data Protection Impact Assessment, which is used to define the retention period for data and both the usefulness and validity of your data.  Ultimately the data subject needs to know that you are keeping the data, why you are keeping the data, what your intention is for using this data and they will need to consent to this reasoning There are several regulations, which, depending on the type of data you are holding, define how long you must legally keep the data.


The term we mentioned, to which you probably wondered, “What’s a Data Protection Impact Assessment?”, is covered in our training courses.  If you are interested, please contact us!

So we will end where we started, “How long can we keep our data?” The GDPR does not specify an exact amount of time, but we have certainly ascertained that data cannot be kept indefinitely. Therefore a common-sense approach is required here.


Our training courses can help you navigate through these retention issues and guide you through the reasoning of why, how, what for and when retention could breach the regulation.