Storing personal data “just in case” breaches GDPR

Legal Writer • GDPR • 12 August 2025

Many organisations retain personal data without a defined purpose – often because it “might be useful.” This contravenes core GDPR requirements: the controller must be able to demonstrate a specific and concrete purpose for processing. Otherwise, no lawful basis exists, which is itself a breach.

Under the GDPR, all processing must have a specific and lawful purpose. Holding data “for safety’s sake” does not meet that test. Nor is it sufficient that information might become relevant later – there must be an actual need at the time of storage, and data subjects must be informed, for example in a privacy notice.

Common pitfalls a GDPR lawyer will flag

  • Data are retained after a customer relationship has ended, without any basis in accounting rules or other applicable legislation that requires keeping those records.
  • Old email lists are kept without review or curation, even where recipients no longer have an active relationship with the organisation.
  • Personal data in business systems and CRM tools are not routinely cleansed, even though their use has ceased.

Storing data without purpose also increases exposure in the event of a personal data breach. The more information kept without control, the greater the potential impact of a leak or unauthorised access. Regularly review what personal data are stored and delete what is no longer needed. This is essential to meet the principle of data minimisation under Article 5 GDPR.

A clear data retention policy helps employees and system owners know when records must be deleted or anonymised. It creates predictability and reduces errors, particularly where several functions handle personal data. It also strengthens trust when you can show that information is not kept longer than necessary. Where relevant, maintain a documented retention schedule that teams can follow, and apply your data deletion policy consistently. If you operate under industry-specific rules, reflect those in your GDPR data retention policy documentation.

When to consult a GDPR lawyer

Engage a GDPR lawyer for pragmatic guidance on defining purposes, identifying lawful bases and setting proportionate retention periods. Targeted GDPR legal advice from an experienced GDPR compliance consultant helps you operationalise controls that work in practice. Our GDPR compliance services include drafting and rolling out a compliant data retention policy, maintaining a practical retention schedule that stakeholders can follow, and embedding a business-ready data deletion policy.

Morling Consulting helps organisations establish correct storage routines and robust deletion schedules. We provide concrete support that stands up to scrutiny.