Why Your GDPR Data Retention Schedule Needs a Post-Quantum Review
Data protection professionals typically encounter quantum risk as a security team problem, not a privacy compliance problem. That framing is wrong, and the gap it creates has real legal consequences. The obligation to protect personal data with measures "appropriate to the risk" under UK GDPR Article 32 includes the current threat model. That threat model now includes harvest-now-decrypt-later (HNDL) attacks, in which adversaries collect encrypted personal data today for decryption after a cryptographically relevant quantum computer (CRQC) becomes operational. The risk is not theoretical and it is not in the future: HNDL collection is an active, attributed activity by state-level adversaries. The compliance exposure it creates is present now, under the current "state of the art" standard, not at Q-Day.
This article is written for DPOs, privacy counsel, CISOs, and compliance leads who are responsible for data protection compliance and need to understand where post-quantum risk intersects with their existing obligations. The HNDL risk assessment methodology, including which data categories face the highest exposure, is covered in the which-data-most-at-risk article. Financial entities subject to DORA face parallel obligations under DORA Article 9(2); those are addressed in the DORA post-quantum ICT risk article.
Storage Limitation, the Security Principle, and "State of the Art"
Two data protection principles intersect in this analysis, and they must be kept separate before they can be considered together.
The storage limitation principle appears in identical terms in both UK GDPR Article 5(1)(e), as retained by the Data Protection Act 2018, and EU GDPR Article 5(1)(e). Personal data must be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed." Neither instrument sets mandatory maximum periods for most categories; the organisation determines what is necessary given its purposes. The compliance question under storage limitation is: are we retaining this data longer than our purposes justify?
The security principle sits alongside it. Both UK GDPR Article 5(1)(f) and EU GDPR Article 5(1)(f) require that personal data be processed in a manner ensuring "appropriate security," including protection against unauthorised access. Both Article 32 provisions, UK and EU, require that controllers and processors implement "appropriate technical and organisational measures" calibrated to the risk, taking into account the "state of the art."
"State of the art" is a legally significant phrase, not aspirational language. It is the standard against which the appropriateness of a security measure is assessed. NIST published final post-quantum cryptographic standards, FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA), in August 2024. ENISA has positioned quantum computing as an emerging threat in its annual Threat Landscape reports since 2022. The ICO has not published explicit post-quantum guidance as of May 2026, and ICO guidance is under active review following the Data (Use and Access) Act 2025, which came into force on 19 June 2025. The absence of specific ICO guidance does not mean the state of the art has not moved. ENISA's position and NIST's publication of final standards are part of that state of the art whether or not the ICO has issued specific commentary on them.
The storage limitation and security principles create the problem jointly. Long retention is sometimes legally required, not optional. The organisation retaining personal data for years under a mandatory retention obligation has no choice about the retention. It does have a choice about the encryption protecting that retained data. That is where the post-quantum obligation attaches.
How HNDL Creates a Compliance Risk Today, Not in 2033
The timing question in HNDL scenarios is more nuanced than it first appears. A personal data breach under UK GDPR Article 4(12) and EU GDPR Article 4(12) is a breach of security leading, among other things, to unauthorised access to or disclosure of personal data. Capture of ciphertext by a hostile actor who holds no key sits at the edge of that definition, and the notification regime treats it leniently: Article 34(3)(a) removes the duty to inform data subjects where the data was rendered unintelligible to the attacker, for example by encryption, and a breach that is unlikely to result in a risk need not be reported under Article 33(1). Both positions rest on the encryption continuing to hold. The substantive breach event, the point at which the adversary can actually read the personal data, occurs at decryption, which requires the CRQC.
The compliance risk under Article 32 operates differently, however. The question there is not whether a breach has occurred, but whether the organisation has implemented security "appropriate to the risk" given the "state of the art." An organisation that encrypts long-lived personal data using RSA or ECDH key exchange, knowing that HNDL collection is active and that post-quantum alternatives are standardised and freely available, faces a building argument that its security measures are not appropriate to the risk. The argument does not require a breach to have occurred. It requires only that the threat is known, the mitigation exists, and the organisation has not deployed it. No DPA or court has yet tested this argument explicitly, but the legal chain is sound and the direction of travel in regulatory guidance is consistent.
NCSC guidance from 2025 recognises that adversaries are already collecting encrypted material from high-value targets and that organisations should treat sensitive encrypted data as potentially already harvested. [ASSUMED — verify exact wording and publication date against current NCSC website before citing in legal submissions.] That framing, from the UK's national technical authority, is relevant to any ICO assessment of what constitutes appropriate security for UK organisations.
Which Retained Data Is in the Risk Window
Not all retained personal data faces the same HNDL exposure. The risk is highest where two conditions coincide: the data is protected by RSA or ECDH key exchange, and the retention period extends past the Q-Day central estimate of 2033 to 2035. AES-256 symmetric encryption of the data itself is quantum-resistant; the exposure is the ciphertext an adversary can record together with the classical key exchange that protected it, which in practice means TLS sessions, replication and backup links, and stored records whose AES key is wrapped under an RSA or ECDH-derived key. Where mandatory retention obligations create that intersection, the compliance exposure is at its most concrete.
UK financial services records. UK FCA COBS 9A.4.1R requires suitability records to be retained for five years (ten years for pension products). UK MiFID II Article 25(2), retained in UK law post-Brexit, requires transaction records for five years. Records generated now and retained to 2030 are in the HNDL window under a conservative Q-Day estimate. Records that existed before hybrid ML-KEM deployment were protected by RSA or ECDH key exchange at the time, and remain exposed for as long as they are retained, whichever estimate is used.
NHS and health records. The UK NHS Records Management Code requires retention of adult patient records for eight years after last treatment. Genetic data may have indefinite retention implications. Health records are also special category personal data under UK GDPR Article 9 and EU GDPR Article 9, which means the security obligation under Article 32 is heightened: "appropriate" security for special category data should set a higher bar than for ordinary personal data. A health record generated today, encrypted under RSA or ECDH, and retained for eight years is within the HNDL risk window under the 2033 to 2035 central estimate.
Legal privileged communications. Solicitors in England and Wales are required under UK SRA guidelines to retain client files for at least six years after matter closure, and fifteen years for probate and similar long-duration matters. Encrypted privileged communications retained under these obligations face the same HNDL exposure as financial or health records.
Special category data under Article 9. Both UK GDPR Article 9 and EU GDPR Article 9 impose heightened requirements on health data, genetic data, biometric data, data about religious or political beliefs, and data about criminal convictions. Any special category data retained under a mandatory obligation and protected by RSA or ECDH key exchange should be treated as the highest migration priority in the organisation's cryptographic asset register. AES-256 symmetric encryption of the data at rest is quantum-resistant; the key exchange used to establish or distribute that encryption key may not be.
UK GDPR and EU GDPR: Where the Obligations Align and Where They Diverge
UK and EU data protection frameworks are separate legal instruments and must be treated as such.
UK GDPR is the retained EU Regulation text as amended by the Data Protection Act 2018, enforced by the Information Commissioner's Office. EU GDPR is Regulation (EU) 2016/679, enforced by the member state DPAs, with the EDPB coordinating consistent application. Where obligations are substantively identical, as they are on the storage limitation and security principles, both can be referenced together. Where they diverge, they must be addressed separately.
The Data (Use and Access) Act 2025, which came into force on 19 June 2025, amends UK GDPR in several areas including automated decision-making and data-sharing arrangements. ICO guidance is under active review as a result. Practitioners working under UK GDPR should not assume that pre-2025 ICO guidance reflects current positions; the review process may produce changes that affect how specific provisions are interpreted. The storage limitation and security principles at Articles 5(1)(e), 5(1)(f), and 32 are not areas of current stated UK-EU divergence, but this position should be verified at time of use rather than assumed to be permanent.
For EU-based organisations, Commission Implementing Regulation (EU) 2024/2690, the Article 21 implementing regulation under NIS2, was adopted in October 2024. It requires the entities within its scope to assess whether their cryptographic controls "remain effective against known threats." An EU controller that is also within NIS2's scope faces parallel obligations under EU GDPR Article 32 and the NIS2 implementing regulation. The quantum threat is a known threat for the purposes of that assessment: ENISA's annual Threat Landscape has named it since 2022. The implementing regulation does not create a new requirement so much as it crystallises an existing one explicitly.
What a Post-Quantum Retention Review Looks Like in Practice
A post-quantum review of an organisation's data retention schedule follows four steps.
Map retention obligations to data categories. Identify every category of personal data held under a legal, regulatory, or contractual retention obligation and document the minimum and maximum retention period for each. If this mapping does not already exist, it must be built before the quantum review can proceed. A retention schedule is a prerequisite for the quantum analysis, not an output of it.
Identify the encryption protecting each retained category. Cross-reference the retention schedule with the cryptographic asset register (cryptographic bill of materials, CBOM). For each data category with a mandatory retention period extending to 2030 or beyond, identify the key exchange or key-wrapping algorithm currently protecting it. RSA and ECDH key exchange are the migration targets. AES-256 symmetric encryption of stored data is quantum-resistant at the data layer; the key management infrastructure that distributes or protects the AES key may not be, and a CBOM entry that is blank or unrecognised should be treated as classical until proven otherwise.
Apply the HNDL risk model. For each data category where RSA or ECDH is in use and the retention period extends past the Q-Day central estimate, assess whether the data was generated before or after hybrid ML-KEM deployment in the relevant system. Data generated before hybrid deployment was encrypted under a key exchange that a CRQC could retroactively break, whatever the CBOM says about the system today. That data is in the HNDL window regardless of whether HNDL collection has actually occurred, because the organisation cannot know whether it has. One refinement worth recording is whether the ciphertext ever crossed a link a third party could have recorded, such as a TLS session to a supplier, an offsite backup transfer or cross-site replication: HNDL needs a captured copy, so records that only ever sat on encrypted storage inside the organisation's own environment, with keys held in an HSM, carry a lower (though not zero) collection likelihood than records that moved over classical TLS.
Triage and prioritise. Retained data with the longest confidentiality requirement, the highest category under Article 9, and the earliest generation date (longest period of potential HNDL exposure) is highest priority for re-encryption. Data with a short remaining retention window and lower sensitivity may be lower priority, or eligible for deletion before migration is required. Deletion is the simplest risk reduction available: UK GDPR Article 5(1)(c) and EU GDPR Article 5(1)(c) both require data minimisation, and over-retained data beyond its necessary period should be deleted, not migrated. The intersection of a quantum review and a retention compliance review is where organisations most frequently discover data they should have deleted years ago.
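The four steps above are a join between two registers followed by a ranking rule, and it is easier to audit when it is written down as code. The following is an added example for this page, not tooling from the page's author: it joins a small constructed retention schedule to constructed CBOM entries and applies the rules as stated (delete what is no longer necessary; anything not generated under a quantum-resistant key exchange is exposed; exposed data whose retention outlasts the Q-Day estimate is in the window; Article 9 data, then earliest generation date, then longest retention ranks first). The category names, years, algorithm labels and the 2033 / 2030 Q-Day figures are assumptions for illustration. Unknown or blank CBOM entries are treated as classical, failing closed.

```python
"""Post-quantum triage of a retention schedule joined to a CBOM (added example)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

Q_DAY_CENTRAL = 2033       # central Q-Day estimate used on this page (assumption)
Q_DAY_CONSERVATIVE = 2030  # conservative estimate used on this page (assumption)

# Key-exchange / key-wrapping algorithms treated as quantum-resistant. Anything NOT in this
# set (RSA-OAEP, ECDH, X25519, or a blank/unrecognised CBOM entry) is treated as exposed.
QUANTUM_RESISTANT_KEX = {"ML-KEM-768", "ML-KEM-1024", "X25519MLKEM768", "SecP256r1MLKEM768"}


@dataclass(frozen=True)
class RetainedCategory:
    """One row of the retention schedule joined to its CBOM entry (constructed fields)."""
    name: str
    special_category: bool              # Article 9 data
    generated_year: int                 # year the record set was created
    retention_years: int                # mandatory or justified retention period
    kex_algorithm: str                  # key exchange / KEK algorithm per the CBOM, "" if unknown
    hybrid_deployed_year: Optional[int]  # year hybrid ML-KEM went live on that system, None if never
    still_necessary: bool               # retention still justified (legal duty, hold, purpose)


@dataclass(frozen=True)
class Assessment:
    name: str
    generated_year: int
    retention_end: int
    exposed_kex: bool       # protected, at generation, by a key exchange a CRQC could break
    in_hndl_window: bool
    action: str
    rank: int               # 0 delete, 1 re-encrypt (Art 9), 2 re-encrypt, 9 normal cycle / monitor


def kex_exposed(cat: RetainedCategory) -> bool:
    """Was this record set protected by a classical key exchange when it was generated?"""
    if cat.hybrid_deployed_year is not None:
        # Records generated before hybrid deployment had a purely classical key exchange,
        # whatever the CBOM says about the system today.
        return cat.generated_year < cat.hybrid_deployed_year
    return cat.kex_algorithm not in QUANTUM_RESISTANT_KEX  # unknown entries fail closed


def assess(cat: RetainedCategory, q_day: int = Q_DAY_CENTRAL) -> Assessment:
    end = cat.generated_year + cat.retention_years
    exposed = kex_exposed(cat)
    if not cat.still_necessary:
        # Storage limitation / data minimisation: delete rather than migrate.
        return Assessment(cat.name, cat.generated_year, end, exposed, False,
                          "delete: retention no longer justified (Art 5(1)(c), 5(1)(e))", 0)
    in_window = exposed and end > q_day
    if not in_window:
        action = ("migrate in normal cycle: classical key exchange, retention ends before Q-Day"
                  if exposed else "monitor: already under quantum-resistant key exchange")
        return Assessment(cat.name, cat.generated_year, end, exposed, False, action, 9)
    rank = 1 if cat.special_category else 2
    return Assessment(cat.name, cat.generated_year, end, True, True,
                      "re-encrypt under hybrid or PQC-only scheme", rank)


def triage(cats: Iterable[RetainedCategory], q_day: int = Q_DAY_CENTRAL) -> List[Assessment]:
    """Deletions first, then Article 9 data, then ordinary data; within a rank the
    earliest-generated (longest exposure) first, then the longest-retained."""
    return sorted((assess(c, q_day) for c in cats),
                  key=lambda a: (a.rank, a.generated_year, -a.retention_end))


# Constructed sample schedule: not real records, systems or CBOM data.
SAMPLE = [
    RetainedCategory("NHS adult patient records", True, 2026, 8, "ECDH", None, True),
    RetainedCategory("FCA suitability records", False, 2026, 5, "RSA-OAEP", None, True),
    RetainedCategory("Probate client files", False, 2020, 15, "X25519MLKEM768", 2026, True),
    RetainedCategory("Payroll backups", False, 2027, 6, "X25519MLKEM768", 2026, True),
    RetainedCategory("Expired marketing leads", False, 2018, 2, "RSA-OAEP", None, False),
]

if __name__ == "__main__":
    for q in (Q_DAY_CENTRAL, Q_DAY_CONSERVATIVE):
        print(f"Q-Day estimate {q}:")
        for a in triage(SAMPLE, q):
            state = "in" if a.in_hndl_window else "not in"
            print(f"  [{a.rank}] {a.name}: retained to {a.retention_end}, {state} HNDL window -> {a.action}")
```

Running it with both estimates shows the point the text makes about the conservative case: the FCA records (retained to 2031) move from "normal cycle" to "re-encrypt" when Q-Day is taken as 2030, while the probate files are flagged under either estimate because they pre-date hybrid deployment even though the CBOM lists a hybrid suite today.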
For retained data that cannot be deleted because of a mandatory retention obligation or active litigation hold, re-encryption under a hybrid or PQC-only scheme is the available mitigation. Where the data is envelope-encrypted, with an AES data key wrapped under an RSA or ECDH-derived key, the bulk ciphertext can usually stay as it is: the data key is re-wrapped under an ML-KEM or hybrid key-encapsulation key and every copy of the old wrapped key is destroyed, which is far cheaper than rewriting the data store. If the old wrapped key may itself have been captured (for example, transmitted over a classical TLS session), re-encrypting under a fresh data key is the safer course. Either way, the mitigation protects copies not yet collected; a copy an adversary has already recorded in transit cannot be recalled, which is why deletion and migration of the transport layer rank ahead of re-encryption at rest. Re-encrypting stored data at scale requires HSM infrastructure capable of ML-KEM key operations (Thales Luna 7.9.0 and above, Entrust nShield 13.8.0 and above, or AWS KMS at ML-KEM general availability are the versions cited here; verify current firmware and service support against vendor documentation before planning on them) and operational planning that manages key rotation without data loss. For large or complex data stores, this is a project in its own right.
Accountability: Documenting the Assessment You Have Done
UK GDPR Article 5(2) and EU GDPR Article 5(2) both set out the accountability principle: organisations must be able to demonstrate compliance with the data protection principles. In a post-quantum context, demonstrating compliance means documenting that the organisation has assessed the quantum risk to its retained personal data, identified its highest-risk categories, and has a programme in place to migrate to quantum-resistant encryption for data in the HNDL window.
The absence of that documentation is itself a compliance gap. Not a gap that would generate a breach notification, but a gap that becomes visible under audit, regulatory enquiry, or supplier due diligence. A DPO who is asked by an auditor "what have you done about the quantum risk to your retained personal data?" and who cannot produce a documented assessment is in a different position from one who can produce a reviewed retention schedule, a HNDL risk analysis, and a migration priority timetable. The difference is not legal exposure in the narrow sense; it is the demonstration of adequate governance that Article 5(2) requires.
The NCSC's Phase 1 target, covering the period to 2028, asks UK organisations to have completed discovery and planning for their high-value data stores. A retention schedule review feeding into a cryptographic asset register is a natural and auditable way to demonstrate that Phase 1 work is under way. Starting that review now, and documenting the process, is the appropriate response to an Article 32 obligation that has already arrived.
Quantum technologies are evolving quickly and new developments emerge regularly. This page was last updated on 18/05/2026. For the most current information, we recommend contacting us directly.