I was at Leicestershire HIS yesterday looking at a possible new phone system, and recordings were brought up in the conversation. Is it correct that when a SAR comes in we should include all recordings we have on the system too? It was suggested it may be better to not have a recording system in place.

This is covered by the “storage limitation” principle of GDPR. Recordings are considered to be personal data in exactly the same way as written data records.

The storage limitation principle is broadly similar to the fifth principle (retention) of the 1998 Act. The key point remains that you must not keep data for longer than you need it.

Article 5(1)(e) says:

“1. Personal data shall be:

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’)”

So, even if you collect and use personal data fairly and lawfully, including recordings of calls to the practice, you cannot keep it for longer than you actually need it.

There are close links here with the data minimisation and accuracy principles.

The GDPR does not set specific time limits for different types of data. This is up to you, and will depend on how long you need the data for your specified purposes.

Although there is no underlying change, the GDPR principle does highlight that you can keep anonymised data for as long as you want. In other words, you can either delete or anonymise the personal data once you no longer need it.

Instead of an exemption for research purposes, the GDPR principle specifically says that you can keep personal data for longer if you are only keeping it for public interest archiving, scientific or historical research, or statistical purposes (and you have appropriate safeguards).

New documentation provisions mean that you must now have a policy setting standard retention periods where possible.

There are also clear links to the new right to erasure (right to be forgotten). In practice, this means you must now review whether you still need to keep personal data if an individual asks you to delete it.