Data Retention Under the GDPR: Periods, Policies & Templates


What is Data Retention Under the GDPR?

Data retention under the General Data Protection Regulation (GDPR) simply means that personal data collected or processed should only be kept for as long as necessary to fulfil the purpose for which it was initially gathered. Once the data is no longer needed for that specific purpose, it should be securely deleted or anonymised.

The GDPR has redefined how businesses manage personal data, emphasising not only what data can be collected but also how long it can be retained. A well-structured data retention policy is now more critical than ever for GDPR compliance.

Key GDPR Data Retention Principles:

  • Storage Limitation: Personal data must not be stored longer than necessary. Define clear retention periods based on the purpose of data collection.
  • Data Minimisation: Only collect the data absolutely essential for your business operations. Avoid excessive data collection to remain compliant.
  • Data Accuracy: Ensure personal data remains accurate, current, and reliable throughout its lifecycle.

For example, HR should not retain the CVs of candidates who were not selected for a job role. The data retention rule overlaps with the data minimisation principle, which states that the period for storing personal data should be limited to a strict minimum.

Specific Exemptions

The GDPR and DPA 2018 specifically set out exemptions where data can be kept for longer than “necessary”. These include keeping data for public interest archiving, scientific or historical research, or statistical purposes. If you are keeping data for any of these purposes, this must be your only purpose for holding the data, and you cannot later use it for another purpose, particularly for making decisions that may affect an individual whose data you hold. Further, you cannot hold data “just in case” it might be useful in the future.

Also, under the legislation, individuals' rights must be protected if you decide to keep the data. If any of the exemptions apply, pseudonymisation may be appropriate in some cases to protect the data. It should be noted, however, that pseudonymisation is not a defence under Art 5 of the GDPR or under the DPA 2018 if the data you hold does not fall under one of the specified exemptions. However, akin to the principle under the 1998 Act, if you anonymise the data, you can keep it for as long as you like.

Do You Need to Define the Data Retention Period?

Most articles within the GDPR will require some form of documentation to show that your organisation is complying with the regulation, and data retention is no different. The documentation must provide details of the processing and activities that outline the data life cycle.

You can easily incorporate a data retention document into your data flow map. Keep in mind that, because the GDPR only governs personal data, this data retention documentation only needs to cover personal data (PII).

However, it is not enough to keep a document detailing the data retention period; you must also put it into practice. The regulation does not specify any standard retention period, as the period is a function of two principles:

  • Storage Limitation: the principle that directly relates to this compliance measure.
  • Purpose Limitation: this principle relates to the reason for processing, which we will get into later on.

Defining the retention period will require you to understand these two principles and how your organisation will put them into practice.

What should you do with personal data that you no longer need?

Data that you no longer need must be disposed of correctly. Generally, part of the data flow map contains a section showing what happens to data at the end of the information life cycle.

However, data deletion has some alternatives: you could fully anonymise the data by removing all identifiers. This might cause more hassle than simply deleting it, but the benefit is that you can keep some form of anonymised data as a tracking tool.

The tracking would be separate from any services or products that require personal data. An example is to use anonymised data when tracking the total number of customers that visited your site over its entire operation.

In short, the GDPR requires the deletion of any personal data your organisation no longer uses; avoid the accumulation of data lakes.

What is a Data Retention Policy?

Data retention policies concern what data should be stored or archived, where that should happen, and for exactly how long. Once the retention time period for a particular data set expires, it can be deleted or moved as historical data to secondary or tertiary storage, depending on the requirements. This way, primary storage stays cleaner and the organisation remains compliant.

Of course, it is important to retain historical data for use, but data retention policies really exist to fulfil regulatory requirements. Organisations subject to these kinds of requirements do not have the financial ability to retain all data forever, nor is that even a desirable goal.

Instead, organisations must demonstrate that they selectively retain and delete data according to the specific regulatory requirements of their industry and locale. For instance, personnel records and sensitive financial or medical records may all have different retention periods.

There are benefits to defining a data retention policy:

  • Avoiding data lakes and graveyards: a data lake is when the organisation or information system collects unnecessary personal data. The data is excessive because it usually has nothing to do with the business operation or services provided. Keeping a data lake is not allowed under the regulation. Defining a retention period can help eliminate excess data collection. Conversely, the data graveyard, as the name suggests, is a graveyard of inactive personal data. This data usually sits in a storage system without ever being touched. A data retention policy will help you define a time frame for when you should destroy static data.
  • Saving resources: using the example of data lakes and graveyards from above, a retention policy will ultimately save you time and money. The data retention policy will also improve the information system’s speed; cleaning the “pipes” of the infrastructure is the best way to improve flow.

Conclusion

The requirements laid out by the regulation are clear that your organisation cannot keep personal data indefinitely. However, regulators have not designated a specific period for when you should delete data.

The data retention policy should help you fulfil the purpose limitation principle outlined in the regulation, meaning your organisation should limit data collection to what is needed for the data subject to receive the product or service and for legitimate business operations.

This limitation will give you an idea of when you should delete data, i.e., when the data has served its intended purpose or if the data subject has pulled out of any contract and no longer requires the service.

So under GDPR, how long can data be stored? Like many of the other articles within the regulation, it depends.

Regardless, you should have a data retention policy that documents when you intend to delete data, as per compliance requirements.

Disclaimer

This article does not constitute legal advice in any form and only seeks to break down some of the main points set out by publicly available sources such as the ICO.

August 1, 2024
