Data storage: getting started

How long should I store data?

You should only keep personal data for as long as you need it. There aren’t any set time limits in data protection law because it depends on your situation.

Think about why you collected people’s personal information in the first place and the reason you’re processing it, known in data protection law as your lawful basis for processing. You must think about, and be able to justify, how long you need to keep it, and this will depend on your reasons for having it.

For example, Claire collected Bill’s name and address to give him a quote on having his house redecorated. Bill contacts her and explains that he’s changed his mind and doesn’t want the job doing anymore. Claire has no reason to keep Bill’s details any longer and deletes them.

Where possible, you’ll also need a policy which sets out how long you keep data for and why. When you no longer need personal data for the reason you collected it, make sure you destroy it securely or anonymise it.

However, if another law says you must keep certain records for a set period, then you should do so. In the example above, Claire may need to keep details of payments she has received from customers for when she is completing her tax returns.

What data protection responsibilities do I still have, even if my business is closing down?

Even if your business is closing down, that business continues to be the controller of the personal data of your customers, clients, and other people you did business with, and data protection laws still apply.

The term ‘data controller’ or ‘controller’ refers to the organisation, business or company that decides why and how people’s personal information is handled. It can be a limited company, or a sole trader and all the different types of companies in between. It’s a legal entity rather than a person who works at the organisation, business, or company.

In practice, if a business is liquidated or goes into administration, it’s unlikely to be the person who used to own the business who carries on making practical decisions to do with the closure. More likely, the liquidator or administrator becomes the new most senior member of staff, and they will take over all key decisions.

Of course, not all businesses that close go into liquidation or administration. Sometimes a business owner may want to stop doing business. Generally speaking, if you still have a legal obligation to continue holding data for a length of time, your business will continue to be the controller of that personal data and data protection laws still apply.

This includes continuing your registration with the ICO unless you’re exempt.

For example, Brian is retiring as a GP and closing his practice. The British Medical Association requires GPs to retain patient records for set periods of time. As Brian must retain this data, and as they’re electronic records, Brian isn’t exempt from having to register with the ICO. He must therefore arrange for his registration to continue.

Even if your business is in good health, it’s good practice to draw up a plan for what should happen to any personal data you need to hold if you stop trading. Your plan could include:

  • the personal data you’ll need to keep;
  • why you’ll need to keep that data, such as for tax reasons or other legal obligations;
  • how and where the data will be stored securely, either by you or a third-party organisation;
  • how the data can be accessed if needed;
  • how long you need to keep the data;
  • your plans for ensuring the data stays accurate where necessary; and
  • how you’ll destroy the data securely when the time comes.

I’m closing down my small business. Do I have to let people know I’ll no longer be holding their data?

Yes, if you can. It’s good practice to let people know your business is closing down and you’re not holding their data any longer. This shows people that you value their information even when you no longer need it. It also allows them time to raise any concerns or requests with you.

For some businesses, this will be straightforward and won’t take long. For others, it’s easier said than done. If you’re in this position, it’s a balance between the effort it would take to let them know and, based on the type of information you hold about them, how important it is to contact them.

For example, you might not be able to contact your customers easily because you no longer have access to their information. If the information you hold is sensitive personal data, such as medical information, then there may be more of a necessity to try to contact them than if the information you hold is limited to name and address details. But this should be an exception, rather than a rule, and you’ll need to be confident you can justify your decision.

You can contact us if you’re unsure what to do in your situation.

Do I need to pass the personal data I hold to another company if I go out of business or lose a contract?

Yes, there could be situations when you might need to do this, depending on your business.

For example, you might need to pass the personal data you hold to another company for them to assume controller responsibilities, if you lose a contract or your work is being given to a different service provider. If this happens, you should try and let people know as soon as possible, so they’re aware you’re no longer handling their data and that someone else is, instead.

The new company will also need to consider contacting people and letting them know about how their data will be used from that point.

A sole trader has died and we need to get in touch with their clients. Can we do this?

Yes. If a controller dies while still in possession of personal information, someone needs to take responsibility for that information. For example, this could be an executor or someone appointed by probate, or through confirmation in Scotland. If that’s you, you’ll become the new controller. You’ll need a lawful basis for handling the personal data. It’s likely your lawful basis will either be legitimate interest or legal obligation, depending on your role in relation to the deceased person’s estate or business. For example, if you’re required to act according to probate or confirmation, you’d use legal obligation.

You must contact the affected people to let them know you’re taking control of their data and tell them what you’re going to do with it.

If you no longer need to retain or use the data, you must dispose of it securely as soon as possible. For example, if you’ve told people the original controller has died and the business is being closed, you must securely destroy any personal data no longer required.

Top tip: There are occasions when information needs to be retained for legal reasons or in accordance with industry guidelines. This could be the case even if a business is no longer trading. Check with the relevant industry regulator if you’re not sure.