GDPR Data Retention: Periods, Policies & Guidance (+ Templates)
January 23, 2023
What is the data retention rule?
The storage limitation principle set out in Article 5(1)(e) of the General Data Protection Regulation governs the data retention rule. It simply states that any personal data collected or processed may be kept only for as long as it is required to achieve the purpose for which it was collected.
For example, HR should not retain the CVs of candidates who do not qualify for a job role. The data retention rule overlaps with the data minimisation principle, which states that the period for storing personal data should be limited to a strict minimum.
The GDPR and DPA 2018 specifically set out exemptions where data can be kept for longer than “necessary”. These include keeping data for public interest archiving, scientific or historical research, or statistical purposes. If you are keeping data for any of these purposes, this must be your only purpose for holding the data, and you cannot later use it for another purpose, particularly for making decisions that may affect an individual whose data you hold. Further, you cannot hold data “just in case” it might be useful in the future.
Also, under the legislation, individuals' rights must be protected if you decide to keep the data. If any of the exemptions apply, pseudonymisation may be appropriate in some cases to protect the data. It should be noted, though, that pseudonymisation is not a defence under Article 5 of the GDPR or under the DPA 2018 if the data you hold does not fall under one of the specified exemptions. However, as under the 1998 Act, if you anonymise the data, you can keep it for as long as you like.
Do you need to define the data retention period?
Most articles within the GDPR will require some form of documentation to show that your organization is complying with the regulation, and data retention is no different. The documentation must provide details of the processing and activities that outline the data life cycle.
You can easily incorporate a data retention document into your data flow map. Keep in mind that because this is the GDPR, the data retention documentation only needs to cover personal data (PII).
However, it is not enough to keep a document detailing the data retention period; you must also put it into practice. The regulation does not specify any standard retention period, as the period is a function of two principles:
Storage Limitation: the principle that directly relates to this compliance measure
Purpose Limitation: this principle relates to the reason for processing, which we will get into later on.
Defining the retention period will require you to understand these two principles and how your organization will put them into practice.
What should you do with personal data that you no longer need?
Data that you no longer need must be disposed of correctly. Generally, part of the data flow map contains a section showing what happens to data at the end of the information life cycle.
However, data deletion has some alternatives: you could fully anonymize the data by removing all identifiers. This might cause more hassle than simply deleting it, but the benefit is that you can keep some form of anonymized data as a tracking tool.
The tracking would be separate from any services or products that require personal data. An example is to use anonymized data when tracking the total number of customers that visited your site over its entire operation.
In short, the GDPR requires the deletion of any personal data your organization no longer uses; avoid accumulating data lakes.
What is a data retention policy?
Data retention policies concern what data should be stored or archived, where that should happen, and for exactly how long. Once the retention time period for a particular data set expires, it can be deleted or moved as historical data to secondary or tertiary storage, depending on the requirements. This way, primary storage stays cleaner and the organization remains compliant.
Of course, it is important to retain historical data for use, but data retention policies really exist to fulfill regulatory requirements. Organizations subject to these kinds of requirements do not have the financial ability to retain all data forever, nor is that even a desirable goal.
Instead, organizations must demonstrate that they selectively retain and delete data according to the specific regulatory requirements of their industry and locale. For instance, personnel records and sensitive financial or medical records may all have different retention periods.
There are benefits to defining a data retention policy:
Avoiding data lakes and graveyards: a data lake is when the organization or information system collects unnecessary personal data. The data is excessive because it usually has nothing to do with the business operation or services provided. Keeping a data lake is not allowed under the regulation. Defining a retention period can help eliminate excess data collection. The data graveyard, as the name suggests, is a graveyard of inactive personal data. This data usually sits in a storage system without ever being touched. A data retention policy will help you define a time frame for when you should destroy such static data.
Saving resources: using the example of data lakes and graveyards from above, this retention policy will ultimately save you time and money. The data retention policy will also improve the information system’s speeds; cleaning the “pipes” of the infrastructure is the best way to improve flow.
The requirements laid out by the regulation are clear that your organization cannot keep personal data indefinitely. However, regulators have not specified a period after which you must delete data.
The data retention policy should help you fulfil the purpose limitation principle outlined in the regulation. This means your organization should limit data collection to what is needed for the data subject to receive the product or service, in line with legitimate business operations.
This limitation will give you an idea of when you should delete data, i.e., when the data has served its intended purpose or if the data subject has pulled out of any contract and no longer requires the service.
So under GDPR, how long can data be stored? Like many of the other articles within the regulation, it depends.
Regardless, you should have a data retention policy documenting when you intend to delete data, as compliance requires.
This article does not constitute legal advice in any form and only seeks to break down some of the main points set out by publicly available sources such as the ICO.