How long should we keep personal information for?
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
You must not keep personal information obtained through processing by your IoT product for longer than you need it. Data protection law sets no fixed time limits; how long is appropriate depends on your situation and your purposes for processing the information.
You must not hold personal information indefinitely, ‘just in case’ it might be useful in the future.
Example
A company manufactures and sells smart speakers. It needs to process user queries to the voice assistant embedded in the speaker. User queries are personal information. The company uses the queries to train its AI systems to improve its technology. It previously identified the right lawful basis to do this.
It doesn’t keep user queries indefinitely. Once users close their account, it deletes their relevant information. It also provides an option for users to delete their recordings periodically – weekly, monthly or yearly.
If your IoT product or service involves data sharing with other organisations, you should agree among you what happens when you no longer need to share the data.
You should review your retention periods regularly, and erase or anonymise personal information when you no longer need it for the purpose for which it was obtained and processed.
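The smart-speaker example above (deleting a user's queries when they close their account, and letting them choose weekly, monthly or yearly deletion of recordings) and the rule that information is erased once it is no longer needed can be enforced by a scheduled retention sweep. The following Python is an added illustration, not code from the ICO or from any manufacturer: the account model, the day counts behind "weekly", "monthly" and "yearly", and the sample users and queries are all constructed for this example. The one design point it demonstrates beyond the text is failing closed: a record with no owning account, a closed account, or an unrecognised retention setting is scheduled for deletion rather than silently kept "just in case".

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

# Constructed retention choices mirroring the "weekly, monthly or yearly" option in the
# smart-speaker example. The exact day counts are an assumption for this illustration.
RETENTION_WINDOWS: Dict[str, timedelta] = {
    "weekly": timedelta(days=7),
    "monthly": timedelta(days=30),
    "yearly": timedelta(days=365),
}


@dataclass
class Account:
    user_id: str
    retention: str          # key into RETENTION_WINDOWS, chosen by the user
    closed: bool = False    # closing the account triggers deletion of all their queries


@dataclass
class QueryRecord:
    record_id: str
    user_id: str
    captured_at: datetime   # must be timezone-aware
    transcript: str


@dataclass
class SweepResult:
    kept: List[str] = field(default_factory=list)
    deleted: List[str] = field(default_factory=list)
    reasons: Dict[str, str] = field(default_factory=dict)  # record_id -> why it was deleted


def retention_sweep(records: Iterable[QueryRecord],
                    accounts: Dict[str, Account],
                    now: datetime) -> SweepResult:
    """Decide, for each stored query, whether it may still be held at time `now`.

    Fails closed: a record whose owner is unknown, whose account is closed, or whose
    retention setting is unrecognised is scheduled for deletion rather than kept.
    """
    if now.tzinfo is None:
        raise ValueError("`now` must be timezone-aware to compare against capture times")
    result = SweepResult()
    for rec in records:
        if rec.captured_at.tzinfo is None:
            raise ValueError(f"{rec.record_id}: captured_at must be timezone-aware")
        acct = accounts.get(rec.user_id)
        if acct is None:
            result.deleted.append(rec.record_id)
            result.reasons[rec.record_id] = "no owning account"
            continue
        if acct.closed:
            result.deleted.append(rec.record_id)
            result.reasons[rec.record_id] = "account closed"
            continue
        window = RETENTION_WINDOWS.get(acct.retention)
        if window is None:
            result.deleted.append(rec.record_id)
            result.reasons[rec.record_id] = f"unknown retention setting {acct.retention!r}"
            continue
        if now - rec.captured_at > window:
            result.deleted.append(rec.record_id)
            result.reasons[rec.record_id] = f"older than {acct.retention} window"
        else:
            result.kept.append(rec.record_id)
    return result


# Constructed sample data (not real users or recordings).
SAMPLE_NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)

SAMPLE_ACCOUNTS = {
    "alice": Account("alice", "weekly"),
    "bob": Account("bob", "monthly"),
    "carol": Account("carol", "yearly", closed=True),
    "erin": Account("erin", "forever"),   # misconfigured setting: must not mean "keep indefinitely"
}

SAMPLE_RECORDS = [
    QueryRecord("q1", "alice", SAMPLE_NOW - timedelta(days=3), "what's the weather"),
    QueryRecord("q2", "alice", SAMPLE_NOW - timedelta(days=10), "set a timer"),
    QueryRecord("q3", "bob", SAMPLE_NOW - timedelta(days=20), "play jazz"),
    QueryRecord("q4", "bob", SAMPLE_NOW - timedelta(days=40), "call mum"),
    QueryRecord("q5", "carol", SAMPLE_NOW - timedelta(days=1), "turn off the lights"),
    QueryRecord("q6", "dave", SAMPLE_NOW - timedelta(days=1), "add milk to the list"),
    QueryRecord("q7", "erin", SAMPLE_NOW - timedelta(days=1), "what time is it"),
]


def run_sample() -> SweepResult:
    return retention_sweep(SAMPLE_RECORDS, SAMPLE_ACCOUNTS, SAMPLE_NOW)


if __name__ == "__main__":
    res = run_sample()
    print("kept:", res.kept)
    for rid in res.deleted:
        print("delete", rid, "->", res.reasons[rid])
```

The sweep takes `now` as a parameter rather than reading the clock, so a retention review can be replayed against a fixed timestamp and its decisions audited; the `reasons` map is the record you would keep of why each deletion happened. Where this sweep feeds a training pipeline, the same decision point is where you would anonymise rather than copy a query onward, but whether a transcript is truly anonymous depends on its content, not just on dropping the user identifier.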
You may also have to follow other laws that say how long you need to keep certain information.