Organisations must ensure personal data is securely disposed of when no longer needed. This will reduce the risk that it will become inaccurate, out of date or irrelevant.
This checklist from the Information Commissioner’s Office (ICO) bout personal data storage will make sure you comply with GDPR:
- You must not keep personal data for longer than you need it.
- You need to think about – and be able to justify – how long you keep personal data. This will depend on your purposes for holding the data.
- You need a policy setting standard retention periods wherever possible, to comply with documentation requirements.
- You should also periodically review the data you hold, and erase or anonymise it when you no longer need it.
- You must carefully consider any challenges to your retention of data. Individuals have a right to erasure if you no longer need the data.
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. So, lawfulness, fairness and transparency are key principles to bear in mind.
The principle of lawfulness pretty much speaks for itself. Processing of personal data must happen in a lawful way and thus have a legal basis which makes the processing legitimate. Lawfulness relates indeed to the legal bases for lawful processing we covered but also, in this scope, to the actual processing.