Retention period
The retention period is the defined length of time for which a data controller keeps personal data before erasing or anonymising it. The DPA 2020 requires that personal data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. Controllers must document and justify their retention periods and disclose them in their privacy notice.
DPA reference
Data Protection Act 2020
Related terms in Obligations
Anti-money laundering
Legal obligations requiring firms to detect and report financial crime.
Conflict of interest
A situation where a professional's duty to one client may be compromised by duties to another party.
Data breach notification
The legal requirement to report personal data breaches to the OIC within 72 hours.
Data minimisation
The principle that personal data collected should be limited to what is necessary for the stated purpose.