Deleting data
From a commercial perspective, it may not be sensible for a business to hold on to all the data it collects. Data is time-sensitive and its value can change by the day or by the hour, particularly in fast-paced markets. Holding on to data which is no longer relevant can be counterproductive, and there are obvious risks attached to making business decisions based on low-quality, outdated data, including poor decision making which negatively affects the business.
There are also significant costs related to storing data. Retaining old data whilst collecting new data is expensive, particularly given the significant increase in the costs of data storage and data security. Keeping unnecessary data can ultimately hit your bottom line.
In a world where growth is driven by data, are there situations where data should be retained or should it be deleted? Haris Saleem tells us.
Regulation
Many businesses have regulatory obligations alongside commercial concerns which can affect how long they store data. For example, financial services businesses are obliged to only retain accurate information regarding their clients. Some regulations and laws also require specific data to be kept for a defined period.
More generally, data protection laws place restrictions on how long personal data, which identifies or relates to living individuals, can be retained. In the UK, for example, personal data should not be kept for longer than necessary for the purposes for which it was collected. Each business has to decide on appropriate retention periods for the personal data it collects, and has to be prepared to justify them if challenged.
Failure to comply with data protection law can result in enforcement action, including significant fines.
Holding personal data for long periods also gives rise to other data protection duties such as:
- actively managing consents;
- responding to data subject access requests; and
- dealing with personal data breaches.
Such tasks are time-consuming and can create unnecessary pressures on a business, especially when a failure to comply would result in fines or enforcement action from regulators.
Four key steps for effective data management
- Identify what data you hold and the purpose of the data.
- Establish at what point the data will no longer be required for that purpose (taking into account any legal or regulatory requirements to hold specific data for certain periods).
- Put in place data retention policies and ensure they are regularly reviewed.
- Where possible, automate the deletion of data – in accordance with determined retention periods – to streamline your data management processes.