Do Companies Need a GDPR Data Retention Policy?


Organizations that are collecting or processing the personal information of people living in the European Union must revise their retention policy to make it GDPR compliant. What does this involve?

Each time personal data is collected or processed, the purpose should be plainly stated to the data subject at the moment of collection. Additionally, the collected information should be adequate, relevant, and restricted to what is required in connection with the purposes for which the data are processed (Article 5). The GDPR follows a minimization principle with regard to both the volume of personal data stored and the length of time it is retained.

Under Article 5(e), personal data should be retained only for as long as needed to accomplish the purpose for which the information was collected or processed. There are exceptions to this rule, for instance when retention is required for statistical, historical or scientific research, or for another public interest.

Recital 39 of the GDPR requires data controllers to set strict time limits. Data should not be stored any longer than is required. The data controller is responsible for reviewing data regularly to ensure it is securely deleted once it is no longer needed. Where longer retention is needed, the data should be de-identified so that it can no longer be used to identify a person.

Retention of data likewise calls for security controls that prevent unauthorized access to and use of the data, as well as measures that protect it against accidental loss or damage. All stored data should be kept accurate and up to date.

Data retention rules are essential because data that is retained for a long time tends to become outdated or inaccurate. Furthermore, when a breach occurs, the more information is held about a data subject, the greater the harm that person can suffer.

Since the GDPR came into force on May 25, 2018, non-compliance can be seriously penalized. Fines can be as high as 20 million euros or 4% of annual global turnover. If a company lacks a GDPR-compliant data retention policy, it needs to create one, particularly if it retains the personal information of any EU resident. Refer to the checklist below when you develop a GDPR data retention policy.

  • Determine which information is covered by your policy
  • Establish strict time limits on data retention
  • Evaluate the methods used to dispose of physical and digital data
  • Make sure there is a process that explains, at the time of collection, how long data will be retained and how it will be deleted once it is no longer needed
  • Schedule regular reviews of stored data to check whether it is still necessary
  • List in your policy the kinds of data that may require retention for a longer period
  • Sensitive information, for instance race, sexual orientation, beliefs and medical data, should be deleted as soon as it is no longer needed
  • State in your policy how personal information is deleted when an EU resident exercises their right to be forgotten
  • State any exceptions to the general data retention rules, for instance litigation holds or federal and state laws
  • Make sure all employees know your GDPR data retention policy
  • Keep proper records of your GDPR data retention policy in case regulators need them for an audit or the investigation of a complaint