You probably already know that the General Data Protection Regulation (GDPR) sets quite strict rules around the collection, processing, and storage of personal data.
You are required to stay compliant throughout the entire processing which can get a little bit tricky when you try to define data retention. The main question that arises is; how long should you keep personal data?
The storage limitation principle only dictates you shouldn’t keep personal data for longer than needed, but how long is that?
GDPR does not answer this question for you. You are going to have to figure this one out for yourself with respect to the data minimization principle, accuracy principle, and national laws.
The short story is – you should keep data the shortest time possible. We will discuss how to define compliant data retention periods for your processing activities so you can make the most out of your data and still be GDPR compliant.
Are you obligated to define the data retention period?
Yes, the GDPR requires you to document your processing activities in order to prove your compliance and keep records on several things such as processing purposes, data sharing, and data retention.
You might be required to provide this information to your supervisory authority. The ICO states:
“To comply with documentation requirements, you need to establish and document standard retention periods for different categories of information you hold wherever possible. It is also advisable to have a system for ensuring that your organization keeps to these retention periods in practice, and for reviewing retention at appropriate intervals.
Your policy must also be flexible enough to allow for early deletion if appropriate. For example, if you are not actually using a record, you should reconsider whether you need to retain it.”
Storage limitation principle
The storage limitation principle basically says personal data should be kept for as long as the purpose is not fulfilled. Storage limitation only stipulates that personal data should be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
This leaves you as a creator of your own data retention policies and a lot of room for unintentional omissions.
Where to begin?
So you have collected all this data that you are obligated to process under the employment law, or your HR collected hundreds of CVs of potential candidates over time, or you have launched various marketing campaigns and collected personal data of potential customers.
No matter how you have collected personal data, when defining data retention periods it is always best to start with the purpose of processing.
Think about what is the purpose you want to achieve, and how long you will need collected data to fulfil that purpose.
If you are collecting personal data that you are obligated to process by law, then this makes your task of determining the data retention period that much easier. Simply follow your national law.
For example, tax law can obligate you to keep records for several years or to keep personal data of your employees for a certain amount of time.
However, if there are no laws defining data retention for particular data, you are obligated to define time limits for data removal and make a periodical review of stored data.
Using software for personal data management, can save you a lot of trouble and automatically give instructions to a different system when data deletion needs to be executed.
You can also define data retention and data removal operationalization on different data categories.
If you are processing personal data for archiving purposes in the public interest, statistical and historical research purposes, or statistical purposes, you can keep your data indefinitely.
But remember, you cannot process those data sets for any other purposes and you are obligated to implement appropriate technical and organizational measures.
How to define the data retention period?
When you have defined the purpose of processing, you need to establish a data retention period or for how long you should keep the data before deleting or anonymizing data.
When doing so, follow the basic logic. The storage period has to be proportionate to the purpose. It is best to explain this on a couple of examples:
We talked about video surveillance under the GDPR, and we briefly touched on the subject of the storage of CCTV footage and data retention periods. The EDPB guidelines give an example:
“If you are conducting video surveillance to prevent vandalism, a regular storage period of 24 hours is sufficient. Closed weekends or holidays might be reasons for a longer storage period. If the damage is detected you may also need to store the video footage for a longer period in order to take legal actions.”
The European Commission gives a great example of defining the data retention period for CVs collected in the hiring process in a company that runs a recruitment office.
Collected CVs belong to individuals seeking employment. If the data retention period is set to 20 years, the storage period is not proportionate to the purpose of finding employment for a person in the short or medium term.
Also if you do not update CVs from time to time, they will eventually become inaccurate or irrelevant and you will no longer have use of them, so keeping them too long serves no purpose.
Some of the questions you need to ask when defining a data retention period:
- Do you need to keep personal data to pursue any future legal claims
- Is there a regulatory requirement or legal requirement for you to keep personal information
- Do you need to keep a record of a relationship with a previous client
What are the benefits of defining a proper data retention period?
1. Avoid data graveyards
There is an increasing number of companies struggling with something called data graveyards. If you never heard of this term, it is exactly how it sounds, an enormous repository of unused, unaccounted, unnecessary data. This data eventually clogs and suffocates company servers and increases the overall costs.
2. Save time and money
Keeping and storing personal data that you do not need will undoubtedly cause additional costs related to storage and data security. It is pretty pointless to keep data you don’t need, pay for their storage, and then waste even more resources trying to secure data you don’t even need.
3. Stay compliant
The data protection officer is responsible for overseeing the compliance program and is a contact point between data subjects and supervisory authority, this means DPO has to respond to every data subject request.
This can become excruciatingly difficult if you are keeping an excessive amount of data or holding old data for longer than you need. Implementing data retention policies can reduce the burden of dealing with queries about retention and individual requests for erasure.
What happens with the data you no longer need?
If you no longer need data you can anonymize it or delete it. Data deletion is one of the emerging challenges to tackle since you will be in violation of the GDPR if you are holding unnecessary data or if you are holding the data for too long.
You can download our e-book Solution for GDPR compliant data removal, explaining how you can orchestrate data deletion in your company.