It is not uncommon for organisations to still hold data from the turn of the century. If questioned on infinite data retention, a business may shrug and say, “who knows when it will be needed?”. This attitude can lead to untold dangers lurking on company servers.
The importance of securely disposing of data has recently been highlighted by EyeMed Vision Care after the health insurance company was fined $4.5 million for failures leading to the exposure of the sensitive personal health data of hundreds of thousands of consumers, including children.
Thoughtless data retention and disposal were one contributing factor to the fine: over six years of consumer data was exposed by a single phishing attack. The fallout will not end there, as consumer trust and the business’s wider reputation will be damaged. The work to implement a cybersecurity programme under heightened regulatory scrutiny will also be costly.
Despite being a US fine, this is a global issue. Like lawfulness and transparency, storage limitation is a key principle of GDPR but it rarely seems to get the same level of focus. Under GDPR, personal data should not be kept any longer than necessary for the purposes for which it was collected.
Organisations must ensure that the period for which the personal data is stored is kept to a strict minimum, with clear time limits for erasure or for a periodic review in order to ensure that the personal data is not kept for longer than necessary.
Getting data retention wrong can lead to substantial fines and remediation costs, as the EyeMed Vision Care case shows. But even without a dramatic phishing attack, a seemingly simple data subject access request can become difficult if files relating to the individual go back years with no sense of why the data is still retained. Handing over that historic data also has implications of its own: the company’s failure to manage it becomes visible to the data subjects concerned and may attract the attention of regulators.
A robust data retention policy, embedded in the culture of an organisation, will greatly reduce the risk of these issues occurring and will therefore reduce compliance costs when catastrophe strikes. It is best to eradicate data breaches entirely, but if one does occur it is better a small phish than a hidden leviathan. So, the question remains: if a phishing attack hits your company, will it hook a whale?
Disclaimer
This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2025.