Every UK business handles personal data belonging to customers, staff and third parties. The General Data Protection Regulation (GDPR) sets out the data protection requirements for processing and storing personal information. This article details three circumstances in which your UK business can safely delete personal information. Deleting data in line with those rules helps your organisation avoid an investigation by the Information Commissioner’s Office (ICO) for a potential breach of the GDPR.
What is the GDPR?
The UK General Data Protection Regulation (GDPR) sets out the core data protection rules for UK organisations. A breach of the GDPR can attract substantial fines from the ICO, which is one of the main reasons UK business owners seek to comply with their GDPR legal obligations.
The GDPR focuses on safely handling, processing and storing personal data.
The GDPR principles make two points clear:
- personal information should remain accurate; and
- businesses must take reasonable steps to delete it when it is no longer relevant.
However, deleting information too early can cause issues with safely carrying out your business. For example, suppose you deleted a customer’s home address too early and needed to send them a replacement item. This situation could also constitute a GDPR breach in the ICO’s eyes.
Who are the ICO?
The Information Commissioner’s Office (ICO) is the UK’s independent regulator for data protection, established by the UK Government. Most UK companies respect the ICO and aim to comply with its published GDPR guidance, not least because it can impose financial penalties on UK businesses of up to £17.5m or 4% of annual worldwide turnover, whichever is higher.
The ICO is happy with businesses that delete personal information in line with GDPR principles but may regard instances of early data deletion as a GDPR breach. So, it is worth ensuring that personal data is deleted through a sensible system (such as a regular data audit) to avoid any risk of ICO fines for unlawful data deletion.
Let us explore three circumstances in which your UK business can safely delete personal information.
1. Out-of-Date or Inaccurate Data
The GDPR clarifies that businesses should ensure all personal data relating to individuals is kept up-to-date. For example, double-check address details, contact information and credit card details from time to time.
Your business will be able to delete personal data in any of the following scenarios:
- the individual is now deceased;
- their contact details no longer work (for example, calls to their stated telephone number go through to a different person); or
- you know the individual must have moved house or changed their contact details (but do not know any updated information).
2. Irrelevance
The GDPR only permits UK organisations to store personal information when necessary and relevant. For example, if your business supplies goods to another company each week, it is acceptable to store the organisation’s name, postal address, telephone number and email address. However, requesting the Director’s national insurance number would be irrelevant and unnecessary.
However, suppose your business stops delivering to the company and has not done so for five years. In that case, it should delete their contact details from your system as these are now irrelevant and, potentially, out-of-date.
3. Individual Deletion Requests
The GDPR allows an individual to ask your business to delete their personal information if specific grounds apply. This is known as an ‘erasure request’ based on the ‘right to erasure’. The most common ground is where the individual’s personal information is no longer necessary concerning the purpose for which it was collected or processed.
However, it is worth noting the phrase ‘no longer necessary’. If the individual wishes to keep doing business with you, some of their personal information (for example, the details needed to fulfil and invoice their orders) remains necessary for that purpose, and you must explain this to them. Many businesses have no issue with an individual asking for the deletion of data in this way (once the business has verified the individual’s identity) because every person has this right under the GDPR.
Key Takeaways
The starting point is that the GDPR allows UK businesses to delete personal data in certain circumstances. However, many business owners obtain legal advice before deletion, given the value of customer information and the adverse customer reaction to personal information being ‘lost’ or ‘deleted’ without permission.
If you need help ensuring the safe deletion of personal information, our experienced Data, Privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
The GDPR recognises the importance of personal information not being lost or deleted while it is still relevant. For example, deleting a data subject’s medical records without their prior consent could cause them enormous harm.
Verifying identity before acting on an erasure request is very important because a malicious actor may try to trick your business into deleting an individual’s personal data. If the deletion causes the individual financial harm, you could face legal claims from them. For this reason, the ICO expects your organisation to obtain enough additional information to be confident that the person making the request is genuine.