The General Data Protection Regulation (GDPR) requires you to stay compliant not only when collecting and processing personal data, but also when archiving or deleting it, in line with Article 5(1)(e) and the storage limitation principle.
However, the storage limitation principle only dictates that you shouldn’t keep personal data for longer than needed. But how long is that?
GDPR does not answer this question for you. You are going to have to figure this one out for yourself with respect to the data minimization principle, the accuracy principle, and national laws.
The main question that remains is: for how long should you keep personal data?
The short answer is that you should keep data for the shortest time possible, but in your everyday business you will still have to define that period somehow.
We will discuss how to define compliant data retention periods for your processing activities so you can make the most out of your data and still be GDPR compliant.
Are you obligated to define the data retention period?
Yes, the GDPR requires you to document your processing activities in order to prove your compliance and keep records on several things such as processing purposes, data sharing, and data retention.
You might be required to provide this information to your supervisory authority. The ICO states:
“To comply with documentation requirements, you need to establish and document standard retention periods for different categories of information you hold wherever possible. It is also advisable to have a system for ensuring that your organization keeps to these retention periods in practice, and for reviewing retention at appropriate intervals.
Your policy must also be flexible enough to allow for early deletion if appropriate. For example, if you are not actually using a record, you should reconsider whether you need to retain it.”
Keep in mind that other laws can also require you to keep personal data for a certain amount of time. You will have to identify all laws that define retention obligations and statutory limitations for personal data.
Storage limitation principle
The storage limitation principle says, in essence, that personal data should be kept only until the purpose of the processing is fulfilled.
Storage limitation only stipulates that personal data should be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
This leaves you to create your own data retention policies for many datasets, with a lot of room for unintentional omissions.
Where to begin?
So you have collected all this data that you are obligated to process under employment law, or your HR department collected hundreds of CVs of potential candidates over time, or you have launched various marketing campaigns and collected personal data of potential customers.
No matter how you have collected personal data, when defining data retention periods it is always best to start with the purpose of processing.
Think about the purpose you want to achieve and how long you will need the collected data to fulfill it.
If you are collecting personal data that you are obligated to process by law, then this makes your task of determining the data retention period that much easier. Simply follow your national law.
For example, tax law can obligate you to keep records for several years or to keep personal data of your employees for a certain amount of time.
However, if there are no laws defining data retention for particular data, you are obligated to define time limits for data removal and to perform periodic reviews of stored data.
Using personal data management software can save you a lot of trouble: it can automatically instruct other systems when data deletion needs to be executed.
You can also define retention periods and removal procedures per data category.
If you are processing personal data for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, you can keep your data indefinitely.
But remember, you cannot process those datasets for any other purpose, and you are obligated to implement appropriate technical and organizational measures.
How to define the data retention period and create a data retention policy?
A data retention policy is an established protocol for retaining information for operational or regulatory compliance needs.
As an organization, you can outsource the creation of the policy or you can try to embark on the ambitious task of creating your own retention policy.
If you choose the latter, you can follow these recommendations:
- Define the departments and employees who will be responsible for creating the data retention policy – you will probably have to include the legal department, IT, and any other department you see as crucial to the process
- Identify the data retention periods you are obligated to implement by law or regulation – there are numerous ways to research this; one of the easiest is using filerskeepers. filerskeepers works as a Data Privacy Manager add-on that lets you scan and access all laws that define records retention obligations and statutory limitations for different countries with just a few clicks.
- Define the business processes in your organization that process personal data – identify data categories and determine for how long you should keep each
- Decide how often data retention policies should be revised
- Perform internal audits – audits should be conducted periodically to ensure compliance
- Determine how to implement retention and deletion schedules – Data Privacy Manager automatically instructs other systems when data deletion needs to be executed and lets you define retention periods and removal procedures per data category.
Data retention in practice
When you have defined the purpose of processing, you need to establish a data retention period, that is, how long you should keep the data before deleting or anonymizing it.
When doing so, follow one basic rule: the storage period has to be proportionate to the purpose. This is best explained with a couple of examples:
We talked about video surveillance under the GDPR, and we briefly touched on the subject of the storage of CCTV footage and data retention periods. The EDPB guidelines give an example:
“If you are conducting video surveillance to prevent vandalism, a regular storage period of 24 hours is sufficient. Closed weekends or holidays might be reasons for a longer storage period. If the damage is detected you may also need to store the video footage for a longer period in order to take legal action.”
The European Commission gives a great example of defining the data retention period for CVs collected in the hiring process in a company that runs a recruitment office.
Collected CVs belong to individuals seeking employment. If the data retention period is set to 20 years, the storage period is not proportionate to the purpose of finding employment for a person in the short or medium term.
Also, if you do not update CVs from time to time, they will eventually become inaccurate or irrelevant and you will no longer have any use for them, so keeping them too long serves no purpose.
Some of the questions you need to ask when defining a data retention period:
- Do you need to keep personal data to pursue any future legal claims?
- Is there a regulatory requirement or legal requirement for you to keep personal information?
- Do you need to keep a record of a relationship with a previous client?
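The review logic described above (a retention period per data category tied to its purpose, a legal hold that keeps footage or records past the regular period when a claim is pending, and a choice between deletion and anonymization once the purpose is fulfilled) can be expressed as a small retention schedule. The following is an added example and not code from the original post or from Data Privacy Manager; every category, period, legal basis and record in it is constructed for illustration, and the actual periods must come from your own legal research and national law.

```python
"""Retention schedule review (added example, not part of the original post).

Models the steps the post describes: a retention period per data category,
a legal hold that overrides deletion (the "damage detected" / "future legal
claims" cases), and deletion or anonymization once the purpose is fulfilled.
All categories, periods, bases and records below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Action(Enum):
    KEEP = "keep"
    DELETE = "delete"
    ANONYMIZE = "anonymize"
    REVIEW = "review"   # no period defined for this category: flag for a human decision


@dataclass(frozen=True)
class RetentionRule:
    purpose: str           # documented processing purpose
    retention: timedelta   # how long the purpose needs identifiable data
    on_expiry: Action      # DELETE or ANONYMIZE once the period has passed
    basis: str             # law/regulation or internal decision (constructed)


@dataclass
class Record:
    record_id: str
    category: str
    collected_at: datetime
    legal_hold: bool = False   # e.g. footage of detected damage, pending claim


# Constructed schedule echoing the post's examples (24h CCTV, short-lived CVs).
SCHEDULE = {
    "cctv": RetentionRule("prevent vandalism", timedelta(hours=24), Action.DELETE, "EDPB guidance example"),
    "cv": RetentionRule("find employment", timedelta(days=180), Action.DELETE, "internal decision"),
    "marketing": RetentionRule("campaign analytics", timedelta(days=365), Action.ANONYMIZE, "internal decision"),
    "invoice": RetentionRule("tax records", timedelta(days=10 * 365), Action.DELETE, "tax law (placeholder)"),
}


def decide(record: Record, now: datetime) -> Action:
    """Return the action the schedule calls for on a single record."""
    rule = SCHEDULE.get(record.category)
    if rule is None:
        return Action.REVIEW            # an undefined retention period is itself a finding
    if record.legal_hold:
        return Action.KEEP              # a hold overrides the regular period
    if now - record.collected_at >= rule.retention:
        return rule.on_expiry
    return Action.KEEP


def review(records, now):
    """Group record ids by required action; this is the instruction set handed to the storing system."""
    out = {action: [] for action in Action}
    for record in records:
        out[decide(record, now)].append(record.record_id)
    return out


NOW = datetime(2024, 6, 3, 9, 0, tzinfo=timezone.utc)   # constructed "today"
SAMPLE = [  # constructed records
    Record("cam-001", "cctv", NOW - timedelta(hours=30)),                   # past 24h: delete
    Record("cam-002", "cctv", NOW - timedelta(hours=30), legal_hold=True),  # damage found: keep
    Record("cam-003", "cctv", NOW - timedelta(hours=2)),                    # fresh: keep
    Record("cv-017", "cv", NOW - timedelta(days=400)),                      # stale CV: delete
    Record("mk-900", "marketing", NOW - timedelta(days=400)),               # keep only anonymized stats
    Record("inv-555", "invoice", NOW - timedelta(days=365)),                # tax law still applies: keep
    Record("x-1", "support_tickets", NOW - timedelta(days=900)),            # no rule yet: review
]

if __name__ == "__main__":
    for action, ids in review(SAMPLE, NOW).items():
        print(f"{action.value:>9}: {ids}")
```

Running the block prints one line per action with the record ids that need it; the REVIEW bucket is the useful one for an internal audit, because it lists data categories for which no retention period has been documented at all. The weekend and holiday extension from the EDPB example is not modelled here and would be added as a per-category rule on top of the base period.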
What are the benefits of defining a proper data retention period?
1. Avoid data graveyards
There is an increasing number of companies struggling with something called data graveyards. If you have never heard of this term, it is exactly what it sounds like: an enormous repository of unused, unaccounted-for, unnecessary data. This data eventually clogs and suffocates company servers and increases overall costs.
2. Save time and money
Keeping and storing personal data that you do not need will undoubtedly cause additional costs related to storage and data security. It is pointless to keep data you don’t need, pay for its storage, and then waste even more resources trying to secure it.
3. Stay compliant
The data protection officer (DPO) is responsible for overseeing the compliance program and is the contact point between data subjects and the supervisory authority, which means the DPO has to respond to every data subject request.
This can become excruciatingly difficult if you are keeping an excessive amount of data or holding old data for longer than you need. Implementing data retention policies can reduce the burden of dealing with queries about retention and individual requests for erasure.
What happens with the data you no longer need?
If you no longer need data, you can anonymize it or delete it. Data deletion is one of the emerging challenges to tackle, since you will be in violation of the GDPR if you are holding unnecessary data or holding data for too long.
You can download our e-book Solution for GDPR compliant data removal, explaining how you can orchestrate data deletion in your company.