The Risks of Keeping Data Too Long

In our data-driven world, information is one of our most valuable assets. At the GSMA, data helps us understand the global mobile ecosystem, support our members, engage employees, manage event registrations, and deliver impactful marketing and industry projects.

But with great data comes great responsibility, and one of the most common risks we face is simply keeping data for too long.

It’s easy to think, “Let’s hold onto this; it might be useful one day.” That’s an understandable instinct, especially in an organisation where insight and analysis drive our work. However, every extra day we retain personal or sensitive data, whether about employees, members, event participants, or marketing contacts, beyond its original purpose increases both our risk and our accountability. 

The Principle of Storage Limitation  

Many privacy frameworks around the world include a rule known as the principle of storage limitation. For example, under the UK and EU General Data Protection Regulation (GDPR), organisations must ensure that personal data is not kept for longer than necessary for the purposes for which it was originally collected. 

In simple terms, it means: 

“We should only keep personal data for as long as it’s needed for the purpose it was collected.” 

Once that purpose ends, the data should be deleted, anonymised, or securely archived (if required for legal or regulatory reasons). 

This idea is reflected not only in the EU but also in global laws: 

  • The UK GDPR and Data Protection Act 2018 mirror the EU’s approach. 

  • The California Privacy Rights Act (CPRA) requires organisations to specify retention periods and justify prolonged storage. 

  • The Brazilian LGPD, Singapore PDPA, and South Africa’s POPIA all require that personal data be kept only as long as necessary for its lawful purpose. 

  • China’s Personal Information Protection Law (PIPL) similarly mandates that data controllers “retain personal information for the shortest time necessary to achieve the purpose of processing.” 

  • Canada’s PIPEDA (Principle 5 - Limiting Use, Disclosure, and Retention) directs organisations to keep personal information only as long as necessary for the fulfilment of the identified purposes.

No matter where we operate, the message is consistent: “if the purpose has expired, the data should too.”

Why Holding on to Personal Data Creates Risk 

  1. Security Vulnerability 
    The longer we hold onto data, the higher the chance it could be exposed through cyber incidents, human error, or system misconfiguration. Even archived datasets can be targeted. 

  2. Regulatory and Legal Exposure 
    Regulators increasingly focus on how long data is kept. If we can’t demonstrate a valid reason for retention, we risk non-compliance with privacy laws and industry expectations. For example, under the EU GDPR, organisations can face fines of up to €20 million or 4% of annual global turnover, whichever is higher. Similarly, under the UK Data Protection Act 2018, the Information Commissioner’s Office (ICO) can impose penalties up to £17.5 million or 4% of global turnover. Other jurisdictions, such as California’s CCPA/CPRA, also allow for significant statutory damages and enforcement actions for improper data retention.

Real-life case:  

AEPD fined CaixaBank S.A. (Spain) €200,000 in 2025 - The Spanish regulator Agencia Española de Protección de Datos (AEPD) fined CaixaBank €200,000 in August 2025 for unlawfully keeping a customer’s data after their mortgage ended in 2008; the data was still being used (including for marketing) in 2022, 16 years later. The decision refers explicitly to Article 5(1)(e) GDPR (storage limitation) as the root of the violation.

  3. Operational Inefficiency
    Old data clutters systems, inflates storage costs, and complicates data management. It becomes harder to find what’s current and relevant.  

  4. Reputational Impact
    Trust is core to your organisation's business. Retaining unnecessary personal data can undermine confidence in how responsibly you handle information.  

Practising Smart Data Retention 

So, what can we do in practice? Here are a few simple but powerful steps:  

  • Know your data. Understand what you collect, why you collect it, and how long it’s needed. 

  • Set clear retention schedules. Link them directly to the purpose and applicable legal obligations.

  • Automate deletion or anonymisation. Don’t rely on manual processes where possible.

  • Regularly review datasets. Conduct data hygiene exercises to identify what’s redundant. 

  • Document and communicate. Transparency and accountability go hand-in-hand. 

  • Contact your Data Privacy Team for support and to record your retention records in your organisation’s Retention Schedule.
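The steps above (know your data, tie a retention period to each purpose, automate deletion or anonymisation, and document what was done) can be expressed as a small scheduled job. The following is an added illustration, not code from the GSMA or any of the regulators named in this post; the retention schedule, the record layout, the purpose names and the sample records are all constructed for the example. It decides per record whether to keep, delete or anonymise, measures retention from the date the original purpose ended (the point the CaixaBank decision turned on) rather than from collection, honours a legal hold, flags records whose purpose is not in the schedule for review instead of silently keeping them, and emits an audit line for each decision.

```python
"""Retention-schedule enforcement over a constructed set of personal-data records.

Added example (not the organisation's own tooling). The schedule, purposes and
records below are hypothetical values chosen to exercise each branch.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule: purpose -> (days after the purpose ends, expiry action).
# In practice each entry would be agreed with the Data Privacy Team and recorded
# in the organisation's Retention Schedule alongside its legal basis.
RETENTION_SCHEDULE = {
    "event_registration": (365, "delete"),
    "marketing_contact": (730, "delete"),
    "mortgage_customer": (6 * 365, "anonymise"),  # keep only de-identified statistics
}


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str
    purpose_ended_on: date   # when the original purpose was fulfilled, not when data was collected
    name: str
    email: str
    legal_hold: bool = False  # an active legal/regulatory hold overrides the schedule


def decide(record: Record, today: date) -> str:
    """Return 'keep', 'delete', 'anonymise' or 'review' for one record."""
    if record.legal_hold:
        return "keep"
    if record.purpose not in RETENTION_SCHEDULE:
        # Unknown purpose: do not guess a period; surface it for a human decision.
        return "review"
    days, expiry_action = RETENTION_SCHEDULE[record.purpose]
    if today - record.purpose_ended_on > timedelta(days=days):
        return expiry_action
    return "keep"


def anonymise(record: Record) -> dict:
    """Strip every direct identifier; keep only the non-identifying fields analysis needs."""
    return {"purpose": record.purpose, "year_ended": record.purpose_ended_on.year}


def audit_line(record: Record, action: str, today: date) -> str:
    """One line per decision so the review can be evidenced later (accountability)."""
    age_days = (today - record.purpose_ended_on).days
    return f"{today.isoformat()} {record.record_id} purpose={record.purpose} age_days={age_days} action={action}"


def apply_schedule(records: list, today: date) -> dict:
    """Partition records by the action taken and return the audit trail with them."""
    result = {"kept": [], "anonymised": [], "deleted_ids": [], "needs_review": [], "audit": []}
    for rec in records:
        action = decide(rec, today)
        result["audit"].append(audit_line(rec, action, today))
        if action == "keep":
            result["kept"].append(rec)
        elif action == "anonymise":
            result["anonymised"].append(anonymise(rec))
        elif action == "delete":
            result["deleted_ids"].append(rec.record_id)  # caller erases from the live store
        else:
            result["needs_review"].append(rec.record_id)
    return result


# Constructed sample input: one record per branch of the logic.
TODAY = date(2025, 11, 1)
SAMPLE_RECORDS = [
    Record("r1", "event_registration", date(2025, 1, 10), "A. Example", "a@example.invalid"),
    Record("r2", "marketing_contact", date(2022, 6, 1), "B. Example", "b@example.invalid"),
    Record("r3", "mortgage_customer", date(2008, 3, 15), "C. Example", "c@example.invalid"),
    Record("r4", "marketing_contact", date(2020, 1, 1), "D. Example", "d@example.invalid", legal_hold=True),
    Record("r5", "legacy_export", date(2019, 5, 5), "E. Example", "e@example.invalid"),
]

if __name__ == "__main__":
    outcome = apply_schedule(SAMPLE_RECORDS, TODAY)
    for line in outcome["audit"]:
        print(line)
```

Running the script prints one audit line per record: r1 is within its 365-day period and is kept, r2 has exceeded two years and is deleted, r3 (purpose ended in 2008) is reduced to an anonymised statistic, r4 is kept only because of its legal hold, and r5 is sent for review because no retention period exists for its purpose. The job deliberately returns the identifiers to delete rather than deleting them itself, so the same decision logic can be dry-run and reviewed before it is wired to a live data store.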

A Shared Responsibility 

Privacy and data management aren’t just compliance checkboxes; they are part of your company's values. Each of you plays a role in ensuring data is handled with care and integrity. 

By applying the storage limitation principle and letting go of data once it’s no longer needed, we not only meet regulatory expectations but also reduce risk, save resources, and strengthen the trust that underpins everything we do.

So next time you’re reviewing a dataset or planning a new project, ask yourself:  

“Do we still need this data, and if not, why are we keeping it?”

Let’s treat deletion and data minimisation as essential to our data practices, just like collection and analysis. 
