Rule 8: When the Specified Purpose is Deemed No Longer Served
Rule 8 addresses a fundamental principle of data protection: personal data should not be kept forever. Once the purpose for which the data was collected has been fulfilled, the organization is required to stop holding it.
According to this rule:
- A Data Fiduciary must determine whether the purpose for which the data was collected has been served or is no longer relevant.
- Once the purpose is no longer valid, the data must either be deleted or anonymized so that it can no longer identify an individual.
The only exception is when data must be retained to comply with a legal obligation, such as tax or regulatory record-keeping.
Example Scenarios
A retail e-commerce company like ABC Mart collects delivery addresses for shipping goods. After the order has been fulfilled and the return period is over, the address should no longer be stored indefinitely unless the customer chooses to keep it saved for future orders.
A stock broking firm needs to retain financial transaction records for a statutory period of seven years under securities regulations. Even if the client closes their account, the broker is legally allowed to keep the data for that period. Beyond it, the records must be deleted or anonymized.
A pharmaceutical company running a clinical trial may collect health data from participants. Once the trial and mandatory reporting are complete, the company must anonymize the dataset so that no individual participant can be identified.
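One way to encode the three scenarios as a scheduled retention sweep (an added Python example, not text or code from the Rules; the categories, dates, disposal actions and the seven-year hold are constructed assumptions):

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
# Assumed policy: disposal action per category once the purpose is served and any hold has lapsed.
DISPOSAL_ACTION = {
    "delivery_address": "delete",   # nothing left to do with it after the return window
    "trade_record": "delete",       # retained only for the statutory seven years
    "trial_health": "anonymize",    # dataset kept, participants de-identified
}
IDENTIFYING_FIELDS = {"name", "email", "phone", "address", "participant_id"}
@dataclass
class Record:
    record_id: str
    category: str
    data: dict
    purpose_served_on: Optional[date] = None  # None: purpose still being served
    statutory_hold_days: int = 0              # legal obligation beyond the purpose
    keep_requested: bool = False              # e.g. customer saved the address
def decide(rec: Record, today: date) -> str:
    """Return 'retain', 'delete' or 'anonymize' for one record."""
    if rec.purpose_served_on is None or rec.keep_requested:
        return "retain"                       # purpose still served, or renewed by the user
    hold_until = rec.purpose_served_on + timedelta(days=rec.statutory_hold_days)
    if today < hold_until:
        return "retain"                       # legal-obligation exception
    return DISPOSAL_ACTION[rec.category]
def anonymize(rec: Record) -> None:
    """Drop direct identifiers; hashing them would only pseudonymize, not anonymize."""
    rec.data = {k: v for k, v in rec.data.items() if k not in IDENTIFYING_FIELDS}
def sweep(records: list, today: date) -> dict:
    """Apply the decision to every record in place; return record_id -> action."""
    outcome = {}
    for rec in list(records):
        action = decide(rec, today)
        if action == "delete":
            records.remove(rec)
        elif action == "anonymize":
            anonymize(rec)
        outcome[rec.record_id] = action
    return outcome
# Constructed sample records mirroring the three scenarios; all values are assumptions.
def run_sample(today: date = date(2025, 1, 1)):
    records = [
        Record("ord-1", "delivery_address", {"name": "Asha", "address": "12 MG Rd"}, date(2024, 1, 1)),
        Record("ord-2", "delivery_address", {"name": "Ravi", "address": "4 Park St"}, date(2024, 1, 1), keep_requested=True),
        Record("trd-1", "trade_record", {"name": "Asha", "trade_ref": "t-1"}, date(2020, 1, 1), 7 * 365),
        Record("trd-2", "trade_record", {"name": "Ravi", "trade_ref": "t-2"}, date(2016, 1, 1), 7 * 365),
        Record("trl-1", "trial_health", {"participant_id": "P7", "hba1c": 6.1}, date(2024, 6, 1)),
    ]
    return sweep(records, today), records
```

Running the sweep on 2025-01-01 deletes the fulfilled order address and the trade record whose seven-year hold has lapsed, retains the saved address and the still-held trade record, and strips the participant identifier from the trial record.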
The aim of Rule 8 is to prevent unnecessary hoarding of personal data. Many breaches in the past have occurred because organizations kept information long after it was useful. By enforcing data minimization and timely deletion, this rule reduces risks for individuals while encouraging organizations to practice responsible data governance.