Data retention is a critical part of compliance with the EU’s General Data Protection Regulation (GDPR), yet many organisations either find it challenging or simply ignore this principle altogether. Often, companies struggle with determining the appropriate retention periods and err on the side of caution by holding onto information “just in case.”
This seemingly safe approach actually increases risks and costs. Understanding the correct GDPR data retention period and knowing how to dispose of data properly are crucial for protecting privacy and avoiding hefty fines. Let’s demystify GDPR data retention and break it down into actionable steps.
GDPR data retention requirements mandate that organisations identify and justify how long they keep personal data. Once the data is no longer needed, it must be securely deleted or anonymised. Establishing clear retention policies, regularly reviewing data, and responsibly disposing of unnecessary information are essential for reducing risks and proactive compliance.
What is data retention under the GDPR?
Data retention under the GDPR is about how long you keep personal data. Unlike some regulations that specify exact timeframes, the GDPR requires organisations to decide retention periods based on the purpose for which the data was collected (for example, retaining financial documents for 7 years in case of an audit). Once the data is no longer needed for its original purpose, it must be securely deleted or anonymised.
Imagine you’re managing the HR department of a company. You collect job applications and CVs, and your traditional practice is to keep these CVs for 10 years. However, this lengthy retention period might not align with your goal of filling short- to medium-term positions. Without regular updates, candidates might miss out on opportunities, as their skills and qualifications evolve over time, making older CVs less relevant.
Therefore, retention periods must always be aligned with the specific purpose for which the data was collected, ensuring not only compliance, but also relevance.
Do you need a data retention policy?
A formal GDPR data retention policy is not legally required, but it can be invaluable for larger and mid-sized companies. Without such a policy, managing data effectively can be complex. A well-defined policy offers clear rules on who needs to identify records, how to determine retention periods, and all other elements needed for the Information Asset Register.
An Information Asset Register (IAR) is required by the GDPR, and it should be linked to the Register of Processing Activities (RoPA) to ensure that your data management practices are both effective and compliant with the GDPR. This linkage helps facilitate proper data identification and timely deletion.
Here are some key elements of an effective IAR:
- Record types: Catalogue all types of records your organisation holds, and define their purposes.
- Purpose: Clearly state why each type of record is collected and maintained.
- Retention periods: Set appropriate retention periods for each type of record, ensuring they align with GDPR requirements and your organisation’s needs.
By following these guidelines, your IAR will not only ensure GDPR compliance, but also support efficient data management, timely record deletion, and risk reduction, thereby safeguarding privacy through consistent practices.
See also: List of mandatory documents required by EU GDPR.
Example of an Information Asset Register
The table below illustrates how different types of records can be categorised and managed under an Information Asset Register. Each record type is associated with a specific purpose, retention period, and review schedule, ensuring that data is kept only as long as necessary.
| Record Type | Purpose | Retention Period | Retention Schedule |
| --- | --- | --- | --- |
| Employee Records | Employment history | 5 years after termination | Review annually |
| Invoices | Financial record-keeping | 7 years | Review annually |
| Customer Emails | Customer communication | 2 years | Review every 6 months |
Setting retention periods
Under the GDPR, the core principle for setting data retention periods is that personal data should only be retained for as long as it is necessary to fulfil the purpose for which it was collected. If the data is no longer needed for that purpose, it should either be deleted or anonymised to mitigate privacy risks.
There are exceptions where personal data may be retained longer for archiving purposes in the public interest, or for scientific or historical research, provided appropriate GDPR data retention measures are in place. These exceptions are detailed in Recital 159 and Article 89 of the GDPR, which allow for longer retention periods under certain conditions.
When setting retention periods, consider other legal and regulatory requirements, especially for records related to tax, audit, or health and safety.
For instance, certain types of data may need to be retained longer because of their historical, scientific, or regulatory value. Historical records, such as census data or civil registration documents, might be preserved by government archives to document societal changes and historical events for future generations. Similarly, medical data from clinical trials or long-term health studies may be kept to support ongoing research and improve public health. Financial records, including invoices and tax returns, are often retained for extended periods to comply with tax regulations and facilitate audits, ensuring transparency and accountability in financial reporting. In these cases, the extended retention of data is justified by its value for historical, scientific, or regulatory purposes, while still adhering to GDPR requirements.
Steps to ensure GDPR data retention compliance
Now that you have the basics of the GDPR and data retention, it’s time to focus on the practical steps you need to take to ensure compliance. By following a clear process, you can effectively manage personal data, reduce risks, and maintain trust with your stakeholders.
Here are the key steps to ensure compliance with GDPR retention requirements:
- Identify and categorise records. Begin by listing all the types of records your organisation holds, along with their specific purposes.
- Determine retention periods. For each type of record, decide how long the data should be kept based on its purpose.
- Document retention policy. Create a formal retention schedule or policy, documenting each record type, its purpose, the retention period, and a review schedule. This can be managed in an Information Asset Register (IAR) or similar documentation.
- Regularly review and update records. Establish a schedule for reviewing your data retention policies, depending on the type of data. Ensure that records are updated or deleted as necessary.
- Implement secure data disposal. When data is no longer needed, make sure it is securely deleted or anonymised. This process should include removing data from production systems, backups, and physical records.
- Monitor compliance and make adjustments. Continuously monitor your data retention practices to ensure ongoing compliance. Adjust your policies and procedures as needed to reflect any changes in regulations or your business operations.
By following these steps, you can not only achieve GDPR compliance, but also foster a culture of responsible data management within your organisation.
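The IAR table above and the compliance steps describe a schedule that can be applied mechanically: each record type carries a purpose, a retention period, a review cadence and a disposal method, and each stored record is checked against it. The script below is an added illustration of that evaluation; it is not code from the article or from any toolkit it mentions. The IAR entries mirror the example table, while the disposal method per record type ("delete" versus "anonymise"), the trigger field used to start the clock for "5 years after termination", the sample records and the as-of date are all constructed assumptions.

```python
"""Evaluate stored records against an Information Asset Register (IAR).

Added example, not from the original article. The IAR rows follow the
article's example table; the trigger/disposal fields and all sample
records are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    record_type: str
    purpose: str
    retention_years: int
    trigger: str        # "created", or an event name such as "terminated"
    review_months: int  # review cadence from the IAR's "Retention Schedule"
    disposal: str       # assumed per-type disposal method: "delete" or "anonymise"


@dataclass
class Record:
    record_id: str
    record_type: str
    created: date
    events: dict = field(default_factory=dict)  # e.g. {"terminated": date(...)}


# Constructed IAR matching the article's example table.
IAR = {
    "Employee Records": RetentionRule("Employee Records", "Employment history", 5, "terminated", 12, "delete"),
    "Invoices": RetentionRule("Invoices", "Financial record-keeping", 7, "created", 12, "delete"),
    "Customer Emails": RetentionRule("Customer Emails", "Customer communication", 2, "created", 6, "anonymise"),
}


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February rolls to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def add_months(d: date, months: int) -> date:
    """Add whole months; day is clamped to 28 so short months never overflow."""
    idx = d.month - 1 + months
    return date(d.year + idx // 12, idx % 12 + 1, min(d.day, 28))


def expiry_date(record: Record, rule: RetentionRule) -> Optional[date]:
    """Date on which the retention period ends, or None if the clock has not started."""
    start = record.created if rule.trigger == "created" else record.events.get(rule.trigger)
    if start is None:
        return None  # e.g. employee still employed: "after termination" has not begun
    return add_years(start, rule.retention_years)


def evaluate(record: Record, iar: dict, today: date):
    """Return (action, expiry). action is 'retain', 'delete', 'anonymise' or 'unclassified'."""
    rule = iar.get(record.record_type)
    if rule is None:
        return "unclassified", None  # no justified purpose on file: needs an IAR entry first
    expiry = expiry_date(record, rule)
    if expiry is None:
        return "retain", None
    if today >= expiry:
        return rule.disposal, expiry  # disposal must also cover backups and paper copies
    return "retain", expiry


def review_due(last_review: date, rule: RetentionRule, today: date) -> bool:
    """True when the IAR's review cadence says this record type is due for review."""
    return today >= add_months(last_review, rule.review_months)


def run_schedule(records, iar: dict, today: date) -> dict:
    """Map record_id to the action the schedule requires on the given date."""
    return {r.record_id: evaluate(r, iar, today)[0] for r in records}


# Constructed sample records and as-of date.
AS_OF = date(2025, 6, 1)
SAMPLE_RECORDS = [
    Record("inv-1", "Invoices", date(2017, 5, 1)),
    Record("inv-2", "Invoices", date(2020, 1, 15)),
    Record("emp-1", "Employee Records", date(2010, 9, 1), {"terminated": date(2019, 3, 31)}),
    Record("emp-2", "Employee Records", date(2012, 4, 1)),
    Record("mail-1", "Customer Emails", date(2022, 2, 10)),
    Record("misc-1", "Survey Responses", date(2018, 7, 1)),
]

if __name__ == "__main__":
    for rec_id, action in run_schedule(SAMPLE_RECORDS, IAR, AS_OF).items():
        print(f"{rec_id}: {action}")
```

Two details matter in practice: a retention period that runs "after termination" has no expiry until that event is recorded, so the record is retained rather than silently expiring from its creation date; and a record type absent from the IAR is reported as unclassified instead of being kept by default, since the register is what justifies holding it at all.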
See also: 9 steps for implementing GDPR.
What should you do with unneeded personal data?
As mentioned earlier, when data is no longer needed, you have two options: delete it or anonymise it. Deleting data can mean different things depending on whether it’s electronic or physical, and complete erasure may not always be feasible.
For example, electronic data might be deleted from a database, but it also needs to be removed from backup systems to ensure it is fully eradicated. Physical data, such as paper records, must be shredded to prevent unauthorised access. In cases where deletion is not feasible, anonymising the data — so that it can no longer identify individuals — is an effective alternative.
Think of it like cleaning your house and getting rid of old clothes you no longer wear. Initially, it might seem easier to keep them “just in case,” but once you clear them out, you feel more organised and efficient. Similarly, proper data management through regular reviews and responsible disposal helps your organisation stay compliant and protect individual rights in case of a breach.
Why is data retention so important?
Navigating GDPR compliance regarding data retention requires a thorough understanding of purposeful data storage, regular reviews, and responsible disposal. Establishing clear retention policies that align with your organisation’s activities, and consistently assessing retained data, are crucial steps. This approach not only enhances compliance, but also safeguards individual rights.
Effective data management extends beyond mere regulatory compliance — it’s about building trust. By responsibly managing and protecting personal data, you mitigate the risk of breaches and costly fines while showcasing your commitment to privacy. This proactive stance not only ensures adherence to the GDPR, but also cultivates confidence among your customers and partners.
Think of data retention as the backbone of trust in your business. Just as you wouldn’t leave outdated or irrelevant information lying around, maintaining a rigorous data retention policy shows that you value and respect the privacy of those you interact with. By regularly reviewing and properly disposing of unnecessary data, you keep your operations lean and agile, and foster a reputation for reliability and integrity.
Check out this EU GDPR Documentation Toolkit to set your data retention and protection policies and become compliant with the GDPR quickly and efficiently.