GDPR Data Retention

As you may know, every company that collects data from EU citizens is subject to the General Data Protection Regulation (GDPR), which means it is required to follow stringent rules when controlling and processing personal data. Those rules cover, among many other things, data retention. Non-compliance with these rules will result in severe consequences, including heavy fines and reputational damage, all of which are detrimental to the organisation. In this article, we will look at what the GDPR says about data retention, and what you can do to ensure that your company remains compliant.

Data retention requirements

Let’s start by noting that the definition of personal data under the GDPR is quite broad: it covers things like names and addresses, but, since we are in the digital era, it also includes IP addresses, biometric data, and genetic information. When it comes to how long you should retain this data, however, the law isn’t specific, leaving it to organisations to determine their own timeframes. The GDPR does require an organisation to outline and justify those timeframes before collecting the data. Also, under the law, old and unusable data is considered a security risk, which means that keeping it around after the retention period lapses is considered non-compliance. For this reason, organisations are creating and implementing data retention policies to ensure that they fulfil this aspect of the GDPR.

What is a data retention policy?

Basically, a data retention policy outlines the time period for which specific sensitive data can be retained, plus how it will be disposed of when that time comes. In addition, the policy states the purpose and importance of collecting the data, as well as the ways in which the data will be processed.

Why is having a data retention policy in place important?

Putting a policy in place that ensures you erase or anonymise personal data once its usefulness ends will most certainly reduce several risks, including the data becoming irrelevant, inaccurate, excessive, or simply out-of-date. With such a policy in place, an organisation will also be able to comply with the data minimisation and accuracy principles, which eliminates the scenario in which such data is used in error – which, of course, would be detrimental to everyone concerned. Under the GDPR, any personal data held for too long is considered unnecessary, not to mention how inefficient it is to hold such data, and the unnecessary costs associated with its storage and security. Also, keeping in mind that the GDPR requires all organisations holding personal data on EU citizens to grant access to that data upon the subject’s request, it will be extremely difficult to do so if you are holding old and irrelevant data. Lastly, with a clear policy on the erasure of personal data and on retention periods, an organisation is more likely to minimise the stress of dealing with queries about data retention as well as requests for erasure.

How can one set retention periods?

As we’ve already mentioned, the GDPR doesn’t specify the amount of time an organisation can retain personal data; it is up to each organisation to determine and justify the time it needs based on its purpose for processing. Basically, the organisation is in the best position to judge the period it needs. But how exactly can the organisation set these periods? Here are a few things to take into consideration:

  • An organisation must consider the reasons for processing the personal data. What exactly is the purpose? That way, you will only retain the data as long as the initial purpose applies. Once the purpose is achieved, you will no longer have a reason to retain the data.
  • The other thing an organisation needs to consider is whether it needs to keep a record of the relationship with the data subject once that relationship comes to an end. If the organisation wants to maintain a record of the relationship, it may need to keep some data as confirmation.
  • Another thing an organisation ought to consider is whether it would be necessary to retain some data in order to defend itself against possible legal claims in the future. However, even under such circumstances, the organisation should only retain the data that would be relevant to the claim. Once a claim is no longer possible, the organisation should delete the data.
  • An organisation must also consider any regulatory or legal requirements. There are a number of professional guidelines and legal requirements for keeping specific kinds of records, such as any data required for income tax and audit purposes, or health and safety records. When complying with such guidelines and requirements, an organisation can retain personal data for longer than otherwise necessary without undermining its data retention policy under the GDPR.
  • Lastly, when setting retention periods, an organisation needs to consider any relevant industry guidelines or standards. For instance, credit reference agencies retain consumer credit data for a minimum of 6 years. If you are in such an industry, you will have a good starting point for determining retention periods. However, one still needs to explain why these periods are justified.

Basically, when setting data retention periods, organisations must take a proportionate approach, balancing their own needs against the impact of retaining personal data on the subjects’ privacy. Remember also that the retention must be lawful and fair at all times.

How can an organisation ensure compliance with data retention policies?

Let’s face it, the massive volume of data organisations possess can make it difficult to manage accurately. And remember, those inaccuracies can easily create non-compliance violations, and you definitely don’t want to be on the wrong side of the law. On top of that, managing the data manually can be tedious and time-consuming, which may strain your IT staff even further than they already are. So, what can an organisation do to avoid non-compliance? Or better yet, what can it do to guarantee proper data classification? Automated data classification tools can categorise the sensitive data identified in your specific field, based on the regulations it is subject to, its sensitivity level, and the organisation’s data retention policy.

Having done this, it will be easier to process the data, particularly by authorised individuals, and when the data is no longer needed, it will be disposed of properly and in accordance with the organisation’s data retention policy. Automation is crucial in the sense that it eliminates inaccuracies and the potential risks from human error, which in turn streamlines the difficult processes that normally inhibit data classification and, later, erasure. Beyond helping with data retention efforts, automating some of these aspects will certainly help with GDPR compliance in general.

What happens when data is shared with third parties?

When it comes to data retention and erasure, you of course have to ask yourself what happens to the data that you have already shared with third parties. The GDPR doesn’t explicitly say what happens in such situations. However, the organisation should agree with the third party on what happens when the data is no longer needed. In many cases, it would be recommended that the third party return the data to the organisation that supplied it, and that the organisation then takes care of erasing the data itself. In other cases, all the organisations involved should delete the personal data themselves, and since the purposes for processing may differ from organisation to organisation, it may be important for each company to set its own retention period, based on its own needs. After all, as we have said throughout this article, when the data is no longer needed, every organisation involved – and that includes third parties – should erase the data. Remember, third parties must be compliant with the GDPR as well.

Final thought

In conclusion, personal data should only be kept as long as it is needed. In that regard, it may be important to establish time limits for either erasing or reviewing the data, which is why having a data retention policy in place is important for every organisation within the EU. The only exception, where an organisation may be allowed to retain data for longer than necessary, is when the data is being held for archiving purposes in the public interest, for legal reasons, or for scientific or historical research. Even then, the organisation must always ensure that the data being stored is accurate and kept up-to-date.