How long are we allowed to keep past client information under GDPR?
You may need to hold past client information for a number of reasons: for example, to perform a contractual obligation, to be able to defend future legal claims, or simply because you are required to under other legislative requirements.
Under the General Data Protection Regulation (GDPR), you can keep the personal data you hold on your clients for as long as you genuinely need it. The Information Commissioner’s Office is clear that organisations cannot store data ‘just in case’ they need it at a future point, so the ‘genuine need’ must be there, and you must be able to communicate that need to the client through clear text in the paper or web forms that you ask them to complete, and in your privacy notice.
The question of how long you can keep past client data cannot be considered in isolation. Wider considerations will include:
How much information do you really need to keep?
Under what lawful basis do you process that data?
For what timeframes do you genuinely need to keep the data?
How will you ensure that data is securely destroyed when the timeframe expires?
Have you informed clients about the data you are holding?
Do you have the policies and procedures in place to enable you to respond to individuals’ rights, for example to access that data or to ask you to correct it?
If you have a data breach, do you hold contact details so that you can tell the individual their data has been lost, stolen or destroyed?
Are you able to confidently store that information securely?
Remember that when you store someone’s personal data, you are responsible at all times for keeping it confidential and accurate, and you must always be able to access it quickly for them when required. You must also destroy the information as soon as your storage period has expired. You will need to think about these requirements when you set up your record system.
Protect your business - become and remain GDPR compliant with Astrid