Q: After a recent acquisition my client realised that the target holds a large cache of old customer data and is unsure if they should dispose of it or how. What steps should they take to ensure they comply with GDPR as soon as possible?
A: Rather unhelpfully, the General Data Protection Regulation (GDPR) offers little direction as to how long businesses should hold onto customer data. Instead, the GDPR sets out a storage limitation principle, which states that '…personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.'
If the cache of customer data your client inherited does not constitute personal data, then your client will not face any GDPR-related penalties for its continued retention.
As per the storage limitation principle, personal data should only be kept for as long as it is needed. If the inherited personal data continues to serve a purpose for the company, then your client will have a right to retain it. Whether personal data serves a legitimate purpose for a business needs to be determined on a case-by-case basis.
It could, for example, be considered legitimate to keep personal data relating to previous customers for marketing purposes.
In addition, if the inherited customer data relates to any warranties provided by the seller in the share or asset purchase agreement documenting the transaction, your client would have a legitimate reason to retain it for the limitation period during which warranty claims can be made.
There are also certain exclusions under the storage limitation principle which mean that your client can hold onto personal data for as long as they wish if it is used for statistical, scientific or historical research or public interest archiving purposes.
Your client may face fines from the Information Commissioner’s Office (ICO) or be ordered to rectify a storage limitation breach if they have inherited personal data that the company has no purpose in keeping and do nothing about it. Instead, your client should either anonymise or dispose of the personal data.
The ICO may even issue penalties to your client for breaches which occurred under the seller’s ownership of the target company. If your client faces such penalties, then it may be possible for them to recoup those losses.
Ideally, the seller would have provided data protection warranties to your client in the share or asset purchase agreement documenting the acquisition, stating that the target company had complied with all data protection laws, including the storage limitation principle, in the period prior to completion.
The contravention of such provisions by the seller may allow your client to bring a breach of warranty claim to recoup any losses incurred. As such, all buyers should look to include comprehensive data protection warranties in agreements which govern acquisitions.
Alternatively, where keeping the data serves a clear purpose, your client should seek to establish a retention policy if one is not already in place. Implementing policies can help businesses establish good working practices around retention periods for different data categories.
Taking into consideration the purposes for which data will be processed, as well as any regulatory or legal requirements and industry standards, can help businesses determine appropriate retention periods.
Your client should also regularly review any personal data held by the company in order to assess what action should be taken to remain compliant.
By implementing up-to-date retention policies and conducting regular data reviews, your client will not only be protecting their customers, but also themselves from ICO enforcement action.