How long are we allowed to keep past client information under GDPR?
You may need to hold past client information for a number of reasons: for example, to perform a contractual obligation, to be able to defend future legal claims, or simply because other legislation requires you to.
Under the General Data Protection Regulation (GDPR), you can keep the personal data you hold on your clients for as long as you genuinely need it. The Information Commissioner’s Office is clear that organisations cannot store data ‘just in case’ they need it at a future point, so the ‘genuine need’ must exist, and you must be able to communicate that need to the client through clear text in the paper or web forms that you ask them to complete, and in your privacy notice.
The question of how long you can keep past client data cannot be considered in isolation. Wider considerations will include:
How much information do you really need to keep?
Under what lawful basis do you process that data?
For what timeframes do you genuinely need to keep the data?
How will you ensure that data is securely destroyed when the timeframe expires?
Have you informed clients about the data you are holding?
Do you have the policies and procedures in place to enable you to respond to individuals’ rights, for example to access that data or to ask you to correct it?
If you have a data breach, do you hold contact details so that you can tell the individual their data has been lost, stolen or destroyed?
Are you able to confidently store that information securely?
Remember that when you store someone’s personal data, you are responsible at all times for keeping it confidential and accurate, and you need to always be able to access it quickly for them when required. You must also destroy the information as soon as your storage period has expired. You will need to think about these requirements when you set up your record system.