How does the GDPR govern retention periods for businesses?

The General Data Protection Regulation (GDPR) establishes clear guidelines to prevent unnecessary data storage and to ensure that personal information is retained only for as long as it serves a legitimate purpose. Storage limitation requires that companies justify and set out their data retention periods while taking all legal obligations into account. Translating these legal requirements into practical, actionable measures can be complex; a structured approach makes implementation considerably easier.

Understanding GDPR Data Retention Requirements

The GDPR does not prescribe a fixed period for which personal data may be stored. Rather, in Article 5 (Principles relating to the processing of personal data), the GDPR states that

Personal data shall be: …kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

This principle states that personal data should not be stored longer than necessary. There are some exceptions to this, as listed in Article 5(1)(e). These exceptions include anonymisation and taking into account other legal storage requirements. Since the GDPR actively requires companies to follow the principle of storage limitation, it is best practice to delete the information once the retention period has run out.

However, personal data could also be anonymised instead, since properly anonymised data can no longer be linked to a person. Otherwise, one should consider whether other legislation applies. For instance, German finance law requires companies to maintain records of certain documents; this requirement mostly concerns tax records, which must be kept for 6 to 10 years. So even if the records contain personal data and are no longer necessary for the processing activity they were initially collected for, they are retained in order to meet these other legal requirements.

Determining Retention Periods 

The GDPR defines two main roles in relation to personal data: the data controller and the data processor. The data controller decides the purposes and the means of processing personal data. As a result, the data controller is also responsible for determining the retention period. The Dutch Data Authority has released guidance on the questions to ask when a company determines the retention period of personal data.

  1. Do you have statutory retention periods that must be followed, such as those required by tax laws or the Public Records Act? Are there any ongoing legal proceedings? If so, you are also obligated to retain the personal data.
  2. How long is the data necessary for its intended purpose? Consider your company policy when determining this. For instance, you may need certain data to track outstanding invoices.
  3. The fundamental principle of the law is to keep personal data for the shortest possible duration. Can the retention period be reduced?
  4. Are you a member of a sector organization? If so, they may provide guidance on standard retention periods in your industry, which might be outlined in a code of conduct.

Following the guidance above when considering the storage of personal data helps in determining the most appropriate retention period for your business needs. The key requirement when choosing a retention period is that the chosen duration must be justifiable and the decision must be documented.
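As an added illustration (not TechGDPR's code or any DPA's tool), the following Python sketch turns the storage-limitation reasoning above and the Dutch DPA questions into a documented retention decision for each record: an ongoing legal hold comes first, then the purpose-based schedule, then any statutory period such as a tax-law obligation, and only after both have lapsed does the record get anonymised or erased. The schedule years, the record fields and the sample records are constructed assumptions, not legal advice.

```python
"""Retention decision logic. Constructed example, not TechGDPR's code."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constructed schedule: purpose category -> years kept after the purpose ends.
# Illustrative values only; a real schedule comes from the controller's policy.
SCHEDULE_YEARS = {"invoice": 10, "newsletter": 2, "support_ticket": 3}


@dataclass
class Record:
    record_id: str
    category: str
    purpose_ended: date                      # when the original purpose was fulfilled
    statutory_until: Optional[date] = None   # e.g. a tax-law obligation of 6-10 years
    legal_hold: bool = False                 # ongoing legal proceedings
    anonymizable: bool = True                # can identifiers be irreversibly stripped?


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 Feb start is clamped to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def decide(rec: Record, today: date) -> Tuple[str, str]:
    """Return (action, justification) in the order of precedence described above.

    Every branch records *why*, so the decision is documented as Article 5
    requires, and retention never happens silently by default.
    """
    if rec.legal_hold:
        return "retain", f"{rec.record_id}: legal hold, ongoing proceedings"
    purpose_expiry = add_years(rec.purpose_ended, SCHEDULE_YEARS[rec.category])
    if today <= purpose_expiry:
        return "retain", f"{rec.record_id}: within {rec.category} schedule until {purpose_expiry}"
    if rec.statutory_until and today <= rec.statutory_until:
        return "retain", f"{rec.record_id}: statutory obligation until {rec.statutory_until}"
    if rec.anonymizable:
        return "anonymise", f"{rec.record_id}: purpose and statutory periods expired"
    return "erase", f"{rec.record_id}: periods expired, anonymisation not possible"


def run_schedule(records: List[Record], today: date) -> List[Tuple[str, str, str]]:
    """Evaluate all records; the result is the audit-log entry for this review run."""
    return [(r.record_id, *decide(r, today)) for r in records]
```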

Best Actionable Practices for Retention Periods 

Having examined guidance from various DPAs, here is a list of actionable best practices for data retention:

  • Conducting an audit to regularly assess what personal data your company collects, stores, and processes.
  • Minimizing data collection by only gathering personal data that is strictly necessary for your specified purposes. Be sure to avoid excessive or irrelevant information.
  • Implementing a data retention policy and reviewing retention periods regularly. This establishes clear retention schedules for different data types, ensuring compliance with industry standards and legal obligations.
  • Justifying retention periods by basing them on business needs, legal obligations, and potential future claims, avoiding indefinite data retention without a valid reason. Documenting retention deviations by recording justifications whenever data is retained for longer or shorter periods than specified.
  • Regularly reviewing data processing activities to assess current processes and update retention schedules as new data processing activities emerge.
  • Following legal and regulatory requirements by retaining data in compliance with industry regulations, tax laws, and professional guidelines. Delete data as soon as it is no longer necessary.
  • Responding to data subject requests by ensuring that unnecessary data is promptly deleted or anonymized when individuals request erasure.
  • Training staff on retention policies to ensure they understand retention schedules, deletion procedures, and the risks of premature or improper data deletion.
  • Archiving data properly by storing older data in clearly labeled, separate electronic folders or indexing paper records for easy identification and disposal.
  • Ensuring secure disposal of data once retention periods expire, using confidential waste providers or cross-cut shredders for paper records. For electronic data, ensure complete deletion or irreversible anonymisation.

How do you ensure compliance through effective data retention?

Effectively managing data retention under the GDPR requires a careful balance between compliance, business needs, and legal obligations. By implementing structured retention policies, businesses can ensure they are not holding on to personal data longer than necessary while also meeting statutory requirements. Regular audits, clear documentation, and staff training are essential to maintaining compliance and mitigating risk. Adhering to the principle of storage limitation not only protects individuals’ data rights but also strengthens organisational data governance and security.

Do you need support on data protection, privacy or GDPR? TechGDPR can help.
