Legal Risks When You Do Not Delete Personal Data in the UK

Nearly every UK company processes and stores personal data, including living individuals’ names and contact details, each week. Most business owners know of the General Data Protection Regulation (GDPR) that they must comply with its rules. However, whilst most GDPR requirements relate to collecting and using personal data, a few also relate to reviewing and deleting personal information. This article will explore circumstances in which your company should delete personal data. 

What is the General Data Protection Regulation?

The GDPR provides UK organisations with important data protection rules. Its primary legal obligation is for UK businesses to obtain and handle personal information safely and reasonably.

However, many business owners must realise that the GDPR also encourages UK companies to delete information when appropriate.  

In fact, some company owners believe you should only ever delete personal information upon request by the relevant individual. This is a myth and one which could lead to some unfortunate consequences if followed.

When Should My Company Delete Personal Data?

Your business should consider the deletion of personal data in the following circumstances:

1. the information is inaccurate or has been replaced by more up-to-date information; 
2. the information is no longer relevant for its original purpose; or 
3. upon request by the relevant individual.

We’ll briefly consider these in turn below.

Why Should My Business Delete Inaccurate Personal Data Information?

The GDPR clarifies that personal information must remain relevant concerning its purpose upon collection. In this way, your business should judge inaccurate or outdated information as irrelevant and worthy of deletion. 

Aside from being a GDPR violation, holding inaccurate data will also place your company at risk of mistakes and errors when dealing with that individual. For example, imagine your company has two phone numbers for a customer. One needs to be updated and the other is the replacement phone number, but you do not know which is which.  Deleting the old phone number upon its replacement would ensure accuracy going forward.

In the same way, if your company believes that data may be out-of-date, it may be wise to check this with the customer at the next opportunity. For example, many gyms periodically check addresses and contact details with their gymgoers every few months.

Why Should My Business Delete Irrelevant Information?

The GDPR holds that your company should only store information that remains relevant. So if, for example, a customer was recorded parking in your car park three years ago, you should delete their registration number from your records.

Why? Because it is irrelevant to your business and no longer necessary for your dealings with them.

This is similar to keeping home address details for customers who have not ordered a home delivery for over a decade. If they ever want another home delivery, they will reconfirm their address at that point. Every passing year makes it less relevant and more likely to be inaccurate.

Should My Business Honour Deletion Requests?

The GDPR requires your organisation to delete an individual’s personal data without undue delay upon their request. The ICO regards the right of data subjects to make a data erasure request as being in the public interest.

However, there is a significant exemption to this principle, which includes certain circumstances where that personal data remains necessary for its original purpose. So if, for example, your customer has taken out a fixed-term subscription and asks you to delete their direct debit details, you could refuse because you need that information to process their payments.

Naturally, the GDPR is more likely to expect you to delete the information upon request (rather than choosing to do so absent request). So you should record any decision not to delete personal information in writing and send this reasoning to the relevant individual.

Buying a Business: Guide to Negotiating Terms

LegalVision’s Buying a Business: Guide to Negotiating Terms allows you to protect yourself by understanding which key terms to negotiate when buying a business.

Download Now

What Are the Main Legal Risks of Avoiding Personal Data Deletion?

The most common risk to UK businesses is a formal investigation by the Information Commissioner’s Office (ICO). The ICO is a referee for UK data protection rules and can impose hefty fines of up to £17.5m against organisations for GDPR non-compliance.

The ICO expects businesses to carry out regular data audits to ensure that irrelevant, inaccurate or outdated personal information is deleted. Naturally, the ICO understands that companies do not wish to delete data with abandon. However, it does expect businesses to avoid sitting on vast amounts of useless information.

Why will the ICO consider a fine for non-data deletion? One reason is that the ICO believes that data deletion reduces the risk to individuals if an organisation suffers a cyber attack or unauthorised access. Simply put, a company that regularly deletes data will have less to steal.

Because of this, many UK business owners swear by regular data protection audits, which score information on its purpose, usefulness and accuracy.

Key Takeaways

It can be challenging to figure out whether to delete a piece of personal data or not. Much will depend on the system and criteria used by your business.  

However, it is important not to avoid the task altogether. Many business owners recognise that decisions can be a grey area and obtain expert legal advice for peace of mind. 

If you need help ensuring safe personal data deletion, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.  

Frequently Asked Questions