The retention period is a limited time period in which an organization keeps specific data about the data subject.
Data retention starts when one of the following scenarios happen:
1. The initial purpose for data collection and processing has expired. Usually, a product or services contract with an individual has expired, an insurance policy has expired, or an individual stopped using a product or a service.
2. The direct action of the Data Subject, usually an opt-out, unsubscribe or request for the right to be forgotten.
Additionally, there can be a specified delay for data retention start, e.g., the beginning of the next fiscal year.
The data removal is triggered by the expiry of the data retention period. When the data retention period expires, any further processing of the data by your Organization becomes illegal.
In order to minimize the risk of non-compliance, once the data retention period expires, your Organization must remove personal data from its systems.
Data removal is executed either by deleting the data or, more often, by anonymizing identifiable data.