How long is your company supposed to retain the personal data of its customers?
Under the GDPR, keeping personal data for longer than the purpose it was collected for requires breaches the storage limitation principle in Article 5, and breaches of the Article 5 principles carry fines of up to €20 million or 4% of annual global turnover, whichever is higher.
Under the DPDPA, the penalties listed in the Schedule to the Act run up to 250 crore rupees for the most serious breaches.
Here are some recent cases where fines of up to a million pounds were imposed:
A fine of that size can hit a company’s bottom line hard, and for a small or medium company it can mean closing down altogether.
As a privacy professional, it is your job to make sure your company is not running the risk of such fines through non-compliance with retention rules.
So, today, let’s understand what the data retention regulations are under the GDPR and DPDPA.
Under the General Data Protection Regulation (Article 5(1)(e), the storage limitation principle) and the Digital Personal Data Protection Act (Section 8(7), which requires erasure once the purpose is no longer being served, unless retention is required by law), data retention isn’t a free-for-all.
Companies need a justified, documented purpose for holding onto a person’s information, and the retention period follows from that purpose.
The GDPR’s lawful bases for processing (Article 6) are the usual grounds a company can point to for collecting and keeping data. Note that the DPDPA is narrower: it relies mainly on consent, plus a closed list of “certain legitimate uses” in Section 7. The GDPR grounds are:
- Legal obligation: some industries must keep data to comply with laws. For example, banks retain transaction records to meet anti-money-laundering requirements.
- Contractual necessity: if you buy something online, the store needs to keep enough of your details to deliver the product and handle returns.
- Consent: have you ever ticked a box agreeing to receive newsletters? That is your consent for them to use your data for that purpose, and it can be withdrawn.
- Legitimate interest: companies can use data in ways necessary for their business, as long as this does not override your rights and freedoms. For example, they can analyse customer behaviour to improve products.
- Vital interests: rare but important. This covers protecting life, for instance a medical emergency where your information could save you.
- Public interest: sometimes data is used for the greater good, such as tracking the spread of infectious diseases, managing healthcare resources, or preparing for medical emergencies, typically by government bodies.
Take a bank, for example.
Banks hold onto personal data such as a customer’s address, date of birth, and even their mother’s maiden name for security. This information is used to verify the customer’s identity whenever they interact with the bank.
But what happens when a customer closes their bank account?
Even then, the bank may need to keep the data a little longer for legal or operational reasons, such as a statutory record-keeping period.
However, here’s the catch: the bank can’t keep the data indefinitely.
Data retention must be tied to the specific purposes the data was collected for, and once those purposes no longer apply, and any legally required holding period has passed, the data should be erased. The retention period for each purpose should be written down, so that the erasure date is known when the data is collected, not decided afterwards.
But there are exceptions.
The GDPR (Article 5(1)(e), read with Article 89) and the Digital Personal Data Protection Act (Section 17(2)(b)) allow data to be kept beyond the original purpose, potentially with no fixed end date, for purposes such as:
- Archiving in the public interest, or
- Scientific, historical, or statistical research.
Yet, even in such cases, the data must be protected with appropriate safeguards, such as pseudonymisation.
Pseudonymisation replaces direct identifiers (name, email, customer number) with artificial identifiers, with the information needed to reverse the mapping held separately under its own access controls. Be aware that pseudonymised data is still personal data under the GDPR as long as that mapping exists; only truly anonymised data falls outside the rules.
Importantly, if data is kept for these research or archiving purposes, it cannot later be used for unrelated purposes like marketing, and under the DPDPA the research exemption only applies if the data is not used to take decisions about a specific individual.
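As an added example (not code from the original article), here is how the rules above translate into a record-keeping routine: each record carries the purposes it is held for, a retention schedule says how long a record may survive after a purpose ends, and records that are only still needed for research are pseudonymised with a keyed HMAC rather than a bare hash. All purposes, retention periods, the key and the sample customer records are constructed assumptions for illustration, not figures from the GDPR or the DPDPA.

```python
"""Added example, not part of the original article: purpose-bound retention
with keyed pseudonymisation for the research exception. Every retention
period, purpose name, key and record below is a constructed assumption."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed retention schedule: purpose -> how long after the purpose ends the
# identifying record may still be kept. None marks an open-ended purpose
# (research/archiving) that may continue only on a pseudonymised copy.
RETENTION_AFTER_END: Dict[str, Optional[timedelta]] = {
    "contract": timedelta(days=30),             # assumed returns window
    "aml_legal_hold": timedelta(days=5 * 365),  # assumed statutory period
    "newsletter_consent": timedelta(days=0),    # erase as soon as consent is withdrawn
    "research": None,
}


@dataclass
class Record:
    customer_id: str
    email: str
    date_of_birth: date
    mothers_maiden_name: str
    purposes: Dict[str, Optional[date]]  # purpose -> end date, None while active


def retention_decision(rec: Record, today: date) -> str:
    """Return 'keep', 'pseudonymise' or 'erase' for one record on a given day."""
    for purpose, ended in rec.purposes.items():
        window = RETENTION_AFTER_END[purpose]
        if window is None:
            continue  # research never justifies keeping direct identifiers
        if ended is None or today <= ended + window:
            return "keep"  # at least one concrete purpose is still live
    if "research" in rec.purposes:
        return "pseudonymise"
    return "erase"


def pseudonymise(rec: Record, key: bytes) -> dict:
    """Swap the customer ID for an HMAC token and keep only coarse attributes.
    The key lives in a separate system, so the research copy alone cannot be
    mapped back to a person; a bare hash would not give that guarantee."""
    token = hmac.new(key, rec.customer_id.encode(), hashlib.sha256).hexdigest()
    return {"subject_token": token, "birth_year": rec.date_of_birth.year}


def apply_retention(records: List[Record], today: date, key: bytes):
    """Split records into kept originals, pseudonymised research copies, erased IDs."""
    kept, research_copy, erased = [], [], []
    for rec in records:
        decision = retention_decision(rec, today)
        if decision == "keep":
            kept.append(rec)
        elif decision == "pseudonymise":
            research_copy.append(pseudonymise(rec, key))
        else:
            erased.append(rec.customer_id)
    return kept, research_copy, erased


def unkeyed_digest(customer_id: str) -> str:
    """What a naive 'anonymisation' does: plain SHA-256 of the identifier."""
    return hashlib.sha256(customer_id.encode()).hexdigest()


def recover_from_unkeyed_hash(candidate_ids: List[str], digest: str) -> Optional[str]:
    """Dictionary attack: if IDs are enumerable, an unkeyed hash is reversible."""
    for cid in candidate_ids:
        if unkeyed_digest(cid) == digest:
            return cid
    return None


# Constructed sample data (not real customers).
TODAY = date(2024, 6, 1)
KEY = b"constructed-secret-held-in-a-separate-key-store"
SAMPLE_RECORDS = [
    Record("C-0001", "asha@example.com", date(1990, 5, 4), "Iyer",
           {"contract": date(2023, 12, 1), "aml_legal_hold": date(2024, 1, 15)}),
    Record("C-0002", "ben@example.com", date(1985, 2, 9), "Okafor",
           {"contract": date(2024, 1, 10), "research": None}),
    Record("C-0003", "cy@example.com", date(2001, 11, 30), "Diaz",
           {"newsletter_consent": date(2024, 5, 31)}),
    Record("C-0004", "dee@example.com", date(1977, 7, 7), "Li",
           {"newsletter_consent": None}),
]


def demo():
    return apply_retention(SAMPLE_RECORDS, TODAY, KEY)


if __name__ == "__main__":
    kept, research, erased = demo()
    print("kept:", [r.customer_id for r in kept])
    print("research copy:", research)
    print("erased:", erased)
```

Running it keeps C-0001 (the anti-money-laundering hold is still running) and C-0004 (consent still active), turns C-0002 into a research record holding only a keyed token and a birth year, and erases C-0003 the day after consent was withdrawn. The last two functions make the pseudonymisation point concrete: a plain SHA-256 of a customer number is recovered by hashing every candidate number, while the HMAC token cannot be matched without the key.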
While sharing personal data online is nearly unavoidable, it’s crucial for both privacy professionals and everyday internet users to understand how and why companies use and retain this information.