What is a data retention policy?
A data retention policy is an organisation’s procedure for retaining information in order to fulfil its compliance requirements.
A data retention policy concerns what data should be stored or archived, where that should happen, and for exactly how long. Once the retention time period for a particular data set expires, it can be deleted or moved as historical data to secondary or tertiary storage, depending on the requirements. This way, primary storage stays cleaner and the organisation remains compliant.
Of course it is important to retain historical data for use, but data retention policies really exist to fulfil regulatory requirements. Organisations subject to these kinds of requirements do not have the financial ability to retain all data forever, nor is that even a desirable goal.
Instead, organisations must demonstrate that they selectively retain and delete data according to the specific regulatory requirements of their industry and locale. For instance, personnel records and sensitive financial or medical records may all have different retention periods.
Key GDPR data retention principles:
- Storage Limitation: Personal data must not be stored longer than necessary. Define clear retention periods based on the purpose of data collection.
- Data Minimisation: Only collect the data absolutely essential for your business operations. Avoid excessive data collection to remain compliant.
- Data Accuracy: Ensure personal data remains accurate, current, and reliable throughout its lifecycle.
For example, HR should not retain the CVs of candidates who do not qualify for a job role. The retention rule overlaps with the data minimisation principle, which states that the period for storing personal data should be limited to a strict minimum.
Specific exemptions
The GDPR and DPA 2018 specifically set out exemptions where data can be kept for longer than “necessary”. These include keeping data for public interest archiving, scientific or historical research, or statistical purposes. If you are keeping data for any of these purposes, this must be your only purpose for holding the data, and you cannot later use it for another purpose, particularly for making decisions that may affect an individual whose data you hold. Further, you cannot hold data “just in case” it might be useful in the future.
Also, under the legislation, individuals’ rights must be protected if you decide to keep the data. If any of the exemptions apply, pseudonymisation may be appropriate in some cases to protect the data. Note, however, that pseudonymisation is not a defence to Art 5 of the GDPR or under the DPA 2018 if the data you hold does not fall under one of the specified exemptions. By contrast, as under the 1998 Act, if you anonymise the data you can keep it for as long as you like.
Do you need to define the data retention period?
Most articles within the GDPR will require some form of documentation to show that your organisation is complying with the regulation, and data retention is no different. The documentation must provide details of the processing and activities that outline the data life cycle.
You can easily incorporate a data retention document into your data flow map. Keep in mind that because this is a GDPR requirement, the retention documentation only needs to cover personal data (PII).
However, it is not enough to keep a document detailing the data retention period; you must also put it into practice. The regulation does not specify any standard retention period, as it is a function of two principles:
- Storage Limitation: the principle that directly relates to this compliance measure
- Purpose Limitation: this principle relates to the reason for processing, which we will get into later on.
Defining the retention period will require you to understand these two principles and how your organisation will put them into practice.
What should you do with personal data that you no longer need?
Data that you no longer need must be disposed of correctly. Generally, part of the data flow map contains a section showing what happens to data at the end of the information life cycle.
However, deletion has an alternative: you could fully anonymise the data by removing all identifiers. This might cause more hassle than simply deleting it, but the benefit is that you can keep some form of anonymised data as a tracking tool.
The tracking would be separate from any services or products that require personal data. An example is using anonymised data to count the total number of customers that have visited your site over its entire operation.
In short, the GDPR requires you to delete any personal data your organisation no longer uses; avoid accumulating data lakes.
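As an added example that is not part of the original article, the following Python sketch applies a purpose-keyed retention schedule to a set of records and decides, per record, whether to retain it, delete it, anonymise it (keeping only what is needed for counting, as in the site-visitor example above), or archive it to secondary storage; records whose purpose has no defined period are flagged for review, since “just in case” retention is not permitted. The purposes, retention periods, actions and sample records are assumed illustration values, not figures from the page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Retention schedule keyed by processing purpose. Periods and actions are
# assumed illustration values; real ones come from your own legal analysis.
# purpose -> (retention period in days, action once the period expires)
SCHEDULE: Dict[str, Tuple[int, str]] = {
    "recruitment": (180, "delete"),          # e.g. unsuccessful candidate CVs
    "customer_account": (730, "anonymise"),  # keep a countable record, drop identifiers
    "payroll": (2190, "archive"),            # move to secondary storage
}

@dataclass
class Record:
    record_id: str
    purpose: str
    collected: date
    name: Optional[str] = None
    email: Optional[str] = None

def anonymise(rec: Record) -> Record:
    """Strip direct identifiers; what remains can only be used for counting."""
    return Record(record_id=rec.record_id, purpose=rec.purpose, collected=rec.collected)

def evaluate(records: List[Record], today: date,
             schedule: Dict[str, Tuple[int, str]] = SCHEDULE) -> Dict[str, str]:
    """Map each record id to retain / delete / anonymise / archive, or to
    'review' when its purpose has no defined period ("just in case" data)."""
    actions: Dict[str, str] = {}
    for rec in records:
        if rec.purpose not in schedule:
            actions[rec.record_id] = "review"
            continue
        period_days, action = schedule[rec.purpose]
        expiry = rec.collected + timedelta(days=period_days)
        actions[rec.record_id] = action if today >= expiry else "retain"
    return actions

# Constructed sample data (not from the article); a fixed "today" keeps the
# outcome reproducible.
SAMPLE_RECORDS = [
    Record("r1", "recruitment", date(2023, 1, 1), "A. Candidate", "a@example.com"),
    Record("r2", "customer_account", date(2024, 1, 1), "B. Customer", "b@example.com"),
    Record("r3", "customer_account", date(2021, 1, 1), "C. Customer", "c@example.com"),
    Record("r4", "marketing_just_in_case", date(2024, 1, 1), "D. Lead", "d@example.com"),
]

def run_sample() -> Dict[str, str]:
    return evaluate(SAMPLE_RECORDS, today=date(2024, 6, 1))
```

In a real system the returned actions would drive the deletion, anonymisation or archive jobs and be logged as evidence that the documented retention periods are actually enforced.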
What are the benefits of defining a data retention policy?
Avoiding data lakes and graveyards: a data lake is when the organisation or information system collects unnecessary personal data. The data is excessive because it usually has nothing to do with the business operation or services provided. Keeping a data lake is not allowed under the regulation. Defining a retention period can help eliminate excess data collection. Conversely, the data graveyard, as the name suggests, is a graveyard of inactive personal data. This data usually sits in a storage system without ever being touched. A data retention policy will help you define a time frame for when you should destroy static data.
Saving resources: as the data lake and graveyard examples above show, a retention policy ultimately saves you time and money. It will also improve the information system’s performance; cleaning the “pipes” of the infrastructure is the best way to improve flow.
Key takeaways & wrap up
In this article, we explored the essentials of a data retention policy:
- A data retention policy states that personal data should only be retained for as long as necessary to fulfil its intended purpose.
- Specific exemptions exist for data retention, such as public interest archiving and scientific research, but these must align with strict guidelines.
- A robust data retention policy helps organisations minimise risks, avoid data accumulation, and save resources.
- Proper data disposal methods, including deletion or anonymisation, are crucial to compliance.
- Organisations should document and enforce their data retention periods as part of their broader GDPR compliance framework.
Implementing a robust data retention policy ensures compliance, enhances operational efficiency, and safeguards personal data effectively.
GDPR data retention - FAQs
How long can personal data be retained under GDPR?
GDPR does not specify a standard retention period. Data should only be kept for as long as necessary to fulfil its original purpose. Organisations must define and document their retention periods.
What happens if personal data is kept longer than necessary?
Keeping data longer than necessary violates GDPR principles, specifically the storage limitation and purpose limitation rules. This could lead to penalties and reputational damage.
What is the difference between data deletion and anonymisation?
Data deletion involves permanently erasing personal data, making it unrecoverable. Anonymisation removes identifiers, allowing the data to be retained without being linked to an individual, but it cannot later be re-identified.
Can data be retained for historical or research purposes under GDPR?
Yes, GDPR allows for exemptions, such as archiving for public interest, scientific research, or statistical purposes. However, strict guidelines apply, and the data must not be used for unrelated purposes.
What is a data retention policy?
A data retention policy outlines how long personal data should be stored, where it is stored, and the methods for securely deleting or archiving it once it is no longer needed.
How should personal data be disposed of under GDPR?
Personal data should be securely deleted or anonymised when it is no longer needed. Methods depend on the type of data but must ensure it cannot be accessed or recovered.