
Legal Risks When You Do Not Delete Personal Data in the UK


Nearly every UK company processes and stores personal data, including living individuals' names and contact details, each week. Most business owners know of the General Data Protection Regulation (GDPR) and that they must comply with its rules. However, whilst most GDPR requirements relate to collecting and using personal data, a few also relate to reviewing and deleting personal information. This article explores the circumstances in which your company should delete personal data and the legal risks of not doing so.

What is the General Data Protection Regulation?

The GDPR provides UK organisations with important data protection rules. Its primary legal obligation is for UK businesses to obtain and handle personal information safely and reasonably.

However, business owners must also realise that the GDPR encourages UK companies to delete information when appropriate.

In fact, some company owners believe you should only ever delete personal information upon request by the relevant individual. This is a myth, and one which could lead to some unfortunate consequences if followed.

When Should My Company Delete Personal Data?

Your business should consider the deletion of personal data in the following circumstances:

  1. the information is inaccurate or has been replaced by more up-to-date information; 
  2. the information is no longer relevant for its original purpose; or 
  3. upon request by the relevant individual.

We’ll briefly consider these in turn below.


Why Should My Business Delete Inaccurate Personal Information?

The GDPR clarifies that personal information must remain relevant to the purpose for which it was collected. In this way, your business should judge inaccurate or outdated information as irrelevant and worthy of deletion.

Aside from being a GDPR violation, holding inaccurate data will also place your company at risk of mistakes and errors when dealing with that individual. For example, imagine your company holds two phone numbers for a customer; one is out of date and the other is the replacement number, but you do not know which is which. Deleting the old phone number as soon as it is replaced would ensure accuracy going forward.

In the same way, if your company believes that data may be out of date, it may be wise to check this with the customer at the next opportunity. For example, many gyms check addresses and contact details with their members every few months.

Why Should My Business Delete Irrelevant Information?

The GDPR holds that your company should only store information that remains relevant. So if, for example, a customer was recorded parking in your car park three years ago, you should delete their registration number from your records.

Why? Because it is irrelevant to your business and no longer necessary for your dealings with them.

The same applies to keeping home address details for customers who have not ordered a home delivery for over a decade. If they ever want another home delivery, they will reconfirm their address at that point, and every passing year makes the stored address less relevant and more likely to be inaccurate.

Should My Business Honour Deletion Requests?

The GDPR requires your organisation to delete an individual's personal data without undue delay upon their request. The ICO regards the right of data subjects to make an erasure request as being in the public interest.

However, there is a significant exemption to this principle: certain circumstances where that personal data remains necessary for its original purpose. So if, for example, your customer has taken out a fixed-term subscription and asks you to delete their direct debit details, you could refuse because you need that information to process their payments.

Naturally, the GDPR is more likely to expect you to delete information that an individual has asked you to delete than information you might choose to delete of your own accord. So you should record any decision not to delete personal information in writing and send this reasoning to the relevant individual.

The most common legal risk of failing to delete personal data is a formal investigation by the Information Commissioner's Office (ICO). The ICO is the regulator for UK data protection rules and can impose hefty fines of up to £17.5m against organisations for GDPR non-compliance.

The ICO expects businesses to carry out regular data audits to ensure that irrelevant, inaccurate or outdated personal information is deleted. Naturally, the ICO understands that companies do not wish to delete data with abandon, but it does expect businesses to avoid sitting on vast amounts of useless information.

Why will the ICO consider a fine for failing to delete data? One reason is that the ICO believes that data deletion reduces the risk to individuals if an organisation suffers a cyber attack or unauthorised access. Simply put, a company that regularly deletes data will have less for an attacker to steal.

Because of this, many UK business owners swear by regular data protection audits, which score each item of information on its purpose, usefulness and accuracy.

Key Takeaways

It can be challenging to figure out whether or not to delete a piece of personal data. Much will depend on the system and criteria used by your business.

However, it is important not to avoid the task altogether. Many business owners recognise that these decisions can be a grey area and obtain expert legal advice for peace of mind.

If you need help ensuring safe personal data deletion, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

Why does the GDPR exist when the UK has left the European Union?

Even though the UK is no longer part of the EU, the GDPR remains in force in UK law. The UK Government does not intend to remove it.

How can my company safely delete data?

Most data controllers delete physical information by shredding the documents or using a secure disposal service, and delete electronic information using specialist software.

Thomas Sutherland
