Smiling woman holding eyeglasses and clipboard in a contemporary office.

What “No Longer Necessary” Really Means Under GDPR

ByPrivacyiQ

The UK GDPR says don’t keep data longer than needed. But what does that actually mean in practice?

UK GDPR Article 5 says personal data must be “kept no longer than is necessary.” But who defines necessary?

Interpretation depends on:

  • The original purpose for collection
  • Applicable legal retention requirements
  • The rights of the individual (e.g. erasure)

There’s no universal timeline — only justifiable ones. If your retention lacks clear purpose or legal basis, it’s excessive.

Document your reasoning. If you can’t defend your retention period, regulators won’t accept it either.

Similar Posts

Side view of contemplating female assistant in casual style standing near shelves and choosing file with documents
|

How Long Is Too Long? Setting Retention Periods for HR Records

ByPrivacyiQ

Unsure how long to keep HR records under UK GDPR? Here’s a breakdown for hiring managers and compliance teams. HR records often sit in systems long after employees leave — exposing firms to unnecessary GDPR risk. UK GDPR requires that personal data be retained only as long as necessary for the purpose it was collected….

A close-up photo of a smartphone displaying popular apps like Google and Mail.
|

Is Your Email Archive a GDPR Liability? Probably.

ByPrivacyiQ

Email systems are often the biggest data retention risk. Here’s what compliance and IT need to fix. Email is often overlooked in data retention strategies — yet it’s where the most unstructured personal data lives. Archived emails may contain salary details, medical information, and candidate records — often held for years without review. UK GDPR…

Diverse professionals engaged in strategic discussion in a law office setting.
| | |

Who Owns Data Retention in Your Organisation?

ByPrivacyiQ

Is it IT? Legal? HR? Retention needs ownership — or it becomes a shared blind spot. Here’s how to assign responsibility. Without a clear owner, data retention becomes everyone’s responsibility — and no one’s priority. Ownership models that work: Either model can work — but only if: Assigning ownership turns policy into practice. Without it,…

Bushfire in Australia
| |

Retention and Subject Access Requests: What You Don’t Keep Can’t Hurt You

ByPrivacyiQ

Subject access requests are easier (and cheaper) if you delete what you no longer need. Here’s why that’s strategic. Subject access requests (SARs) are rising — and they are expensive. But here’s the secret: the less data you hold, the less you have to search, redact, and disclose. Retention policies don’t just reduce legal risk….

Red block with 'DELETE' text on a black background, showcasing minimalism.
|

Data Minimisation and Retention Go Hand in Hand

ByPrivacyiQ

Minimising data doesn’t stop at collection — it includes timely deletion. Here’s how to tie the two together. Most teams know the data minimisation principle — collect only what you need. But it doesn’t stop there. Minimisation + Retention = Risk Reduction Retaining unnecessary data negates the benefit of collecting less in the first place….

Close-up of a professional video camera setup indoors, capturing high-quality footage.
|

Why Retaining Candidate Data Could Land You in Hot Water

ByPrivacyiQ

Storing CVs for years after rejection? It might be a data protection breach. Here’s what you need to know. It’s common for recruitment teams to keep CVs “just in case” — but under UK GDPR, this can be unlawful. The problem: If a candidate wasn’t hired, their data must only be retained if you have…