Should My Company Delete Personal Information After a Lengthy Period in the UK?

Your UK business no doubt handles personal information daily. This personal data will belong to staff, customers, suppliers or third parties (all known as data subjects). Regardless of the individual’s identity, the General Data Protection Regulation (GDPR) requires your organisation to handle personal data safely and proportionately. This article will explore situations where your business may be expected to delete personal data.

What is the General Data Protection Regulation?

The GDPR is an essential piece of UK law and sets out the main data protection rules for UK organisations. The primary purpose of the GDPR is to ensure UK businesses obtain, store and responsibly handle personal information.

Unbeknownst to some business owners, responsible handling of personal information can include its deletion. This can surprise some businesses as, for many, secure data handling focuses solely on safe storage. However, as we will see below, it may be harmful not to delete personal information in certain circumstances.

Why Should I Be Aware of the ICO?

Businesses should prioritise GDPR compliance due to the enforcement powers of the Information Commissioner’s Office (ICO).

The ICO seeks to help UK organisations by providing substantial online guidance on GDPR compliance. However, if your UK business fails to follow the ICO guidance on data protection law, the ICO can fine it up to £17.5m.

When is it Safe to Delete Personal Information?

The starting point for UK businesses is whether the relevant personal data remains ‘necessary in relation to the purpose for which it was collected or processed’. This is particularly relevant when considering deleting personal information absent a specific request from the relevant individual.

So, if the information is out of date or inaccurate, you should delete or replace it. Naturally, you will not always know whether your information is incorrect. However, if your business suspects that personal data is outdated, it can take the following steps:

  • reach out to the individual to check whether personal data remains accurate; and
  • if the individual confirms it is inaccurate, ask them to provide relevant replacement information.

The other question is whether the information remains ‘relevant’. Irrelevant personal data will be deemed unnecessary in relation to its initial purpose under GDPR rules, so it is your responsibility to delete it.

For example, if your business sent a card to a former employee five years ago, during a period in which they were trying to move house, the address on file is now irrelevant. This is because:

  • it may no longer be their address; and
  • they are no longer an employee.

Deleting Out-of-Date or Irrelevant Personal Information

The easiest way to ensure you remove unnecessary data is to perform regular data audits. Ideally, you should complete an audit at least annually.

A data protection audit usually includes reviewing personal information regarding its relevance and accuracy. Some audit methods involve setting a score for each piece of information. Following this, you delete any information scoring below a certain threshold.

The essential rule is that every decision to delete information is made by a human rather than automatically by a computer system (which, in some circumstances, may be unlawful). Accordingly, your business may use an AI program to rate personal information for relevance, and then have an individual decide on potential deletion using those scores.

Notably, the GDPR is keen to ensure that humans, who can account for mitigating circumstances, make important decisions regarding data management, not machines.

What Should My Company Do When Individuals Make Deletion Requests?

The GDPR allows individuals to formally request data deletion. This is also known as a ‘request for erasure’. Your business is legally obliged to consider a deletion request and to take reasonable steps to act on its contents.

However, in deciding whether to delete the information, your business must also consider the GDPR rule regarding whether the information remains ‘necessary in relation to the purpose for which it was collected or processed’. In this way, there is no absolute right for automatic deletion. Instead, it depends on the relevant circumstances.

Suppose the request comes from an ongoing customer who receives regular postal deliveries (and will continue to do so under a continuing subscription). In that case, any request for data deletion will not cover their current postal address and contact details. However, it can include records of previous postal addresses, telephone numbers or email addresses not used in recent years.

Naturally, a request for deletion carries considerable weight, so a company should send written reasons for any decision not to delete the individual’s data without delay. Your company can ask for additional information if you need clarification on what the individual wants to achieve with their deletion request.

Key Takeaways

Deleting personal information is an important topic, given that it can cover all kinds of data, from a person’s name and contact details to their health condition or employment history. Deciding whether to delete or retain personal data can be a grey area, and because of this, many business owners obtain expert legal advice when making these decisions. Naturally, it is crucial to ensure there is a lawful basis for any deletion and to be aware of the specific circumstances in which you can decline to delete.

If you need help ensuring the safe deletion of personal information, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Why would an individual make a data erasure request?

The usual reasons for wishing to delete personal information are concerns about the organisation’s security or a personal decision not to use that business again. However, technically, the reason for the request is likely to have little relevance in the eyes of the ICO.

Will Brexit result in the scrapping of the GDPR?

The Brexit process will not necessarily involve all EU-derived laws being scrapped. In fact, the UK Government has confirmed that it has no plans to drop the GDPR.

Thomas Sutherland
