Under the GDPR, the Danish supervisory authority, the Data Protection Agency (DPA), has issued a DKK 1.5m (£180,000) fine in relation to a furniture company’s failure to delete data held on around 385,000 customers.
The DPA carried out a visit to the furniture company, IDDesign, in autumn 2018 and asked whether the company had retention policies in place that set deadlines for deletion of customer information (which included names, addresses, telephone numbers, email addresses and purchase history). As the company still relied on an old technology system in some of its stores for storing information, it transpired that none of the personal data in the older system had ever been deleted. One of the principles of the GDPR is that personal data should be held only for as long as necessary in relation to the purposes for which it is being processed. IDDesign should have had a clear policy in place to address the legal bases for which it held the personal data and the periods for which it would be justifiably retained. The Danish DPA therefore found IDDesign to be in breach of the GDPR, by having processed customer data for longer than necessary.
The ICO, the UK’s supervisory authority, has yet to levy any fines under the new data protection regime, and although this fine does not come anywhere close to the £17 million maximum fine European supervisory authorities can impose, it is a stark reminder that non-compliance with the new data protection legislation can be costly.
Whilst this decision has no direct influence on UK data controllers, it may indicate the likely approach towards those who have not reviewed how long they are holding data for. If there is no legitimate basis for retaining data, it should be deleted. For more advice on data retention policies or other GDPR compliance issues, please get in touch with one of our information law experts.