Well, that depends on what it is. Article 5 (1) (e) of the GDPR requires organisations to only hold personal information for as long as necessary. But what does that mean and how do you ensure that this is done?
As mentioned in the previous blogs, organisations need to comply with the accountability principle in GDPR. In other words, they must be able to prove that they have a process and prove that they comply with it. This includes how long personal information is kept.
In some cases, the length of time that personal data must be retained is set out in legislation. For example, the retention period for wages and salaries is set out under the Taxes Management Act 1970, and the retention period for records of accidents in the workplace is set out under RIDDOR 1995.
However, some areas are not so clear, and it is down to the organisation to consider what is reasonable. For example, if a job applicant applies for a role within your organisation and is unsuccessful, then would it be reasonable for you to still have their personal information some three years later, when there has been no further contact with the individual? I would suggest not. This should all be set out in the Retention Policy and Schedule of Retention.
Always remember that any personal information you hold can be requested by the individual under a subject access request (subject to exemptions), and it will be you that has to justify your reason for retaining the information if it is no longer relevant and there is no legal basis for keeping it.
What can you do?
Introduce a Retention Policy and Schedule and properly police it to ensure that it is complied with.
Don’t forget emails! They may hold loads of personal information and you will have to justify why they have been retained as well.