The General Data Protection Regulation (GDPR) mandates complex data retention requirements for organizations, such as creating clear retention policies or identifying lawful grounds for retention. Among the key GDPR principles to follow is storage limitation, which requires keeping data only for as long as necessary.
However, understanding the necessity of each data category can vary depending on purpose and context. In this article, we’ll explain how to manage data retention under GDPR to ensure compliance and reduce risk.
What is data retention?
Data retention refers to the practice of storing personal information for a specific time frame to comply with regulatory requirements or business interests. Retention policies specify the data storage duration and when data should be removed to protect user rights and comply with privacy laws. Under the GDPR, data retention refers to how long an organization stores personal user data, such as email addresses or names.
One of the core principles of GDPR is the storage limitation principle. According to GDPR Article 5, this means that:
“Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”
Businesses must define how long they’ll keep personal data for and for what purposes. Once the expiry date is reached, the data must be either removed or anonymized.
Why does GDPR data retention matter?
GDPR data retention is important because it ensures that organizations don’t store personal data without justification and helps protect user rights to privacy. Here are the main reasons why it matters:
- Legal compliance. Under the GDPR, personal data may be kept no longer than is necessary for the purpose it was collected for; an indefinite or undocumented retention period is itself a compliance gap.
- Prevents fines. Keeping personal data past its justified retention period is a breach of the storage limitation principle and can attract the higher tier of GDPR fines: up to €20 million or 4% of worldwide annual turnover, whichever is higher.
- Reduces data breach risk. When organizations don’t store data longer than necessary, there’s a lower risk of a data breach.
- Enhanced user trust. GDPR compliance ensures transparency, resulting in higher consumer trust. According to a report by Cisco, 75% of consumers wouldn’t buy from a company they don’t trust with their personal information.
- Reduces resource costs. Retaining large amounts of data costs businesses resources, which is why it’s better to regularly remove what’s no longer necessary.
How long should GDPR data be kept?
Under the GDPR, data should be stored for the shortest time possible based on the collection purposes. Although some regulations define specific retention periods under certain circumstances, the GDPR doesn’t specify a timeframe. That said, each company should evaluate their reasons for data collection to define the retention period.
GDPR rules for data retention
There are a few GDPR criteria you can follow to understand what retention periods you should set for specific data categories. They include:
- Purpose limitation. Data should be retained only for as long as it is needed for the purpose it was collected for. For example, if a user unsubscribes from your newsletter, the email address is no longer needed for sending emails and should be deleted promptly; the one thing you may legitimately keep is a minimal suppression-list entry so that the opt-out itself continues to be honored.
- Legal requirements. Depending on jurisdiction, some types of data must be retained for specific periods, and those periods override a shorter internal policy. For example, the UK's National Health Service (NHS) recommends keeping hospital medical records for 8 years after the conclusion of treatment, while UK tax rules require individuals to keep tax records for at least 22 months after the end of the respective tax year.
- Sector-specific guidelines. Data retention recommendations may vary depending on the industry. For instance, telecommunications organizations may be required to keep call data for some months under national security laws.
- Risk assessment. It’s recommended to conduct a GDPR risk assessment, which involves such steps as performing a risk and impact analysis or a Data Protection Impact Assessment (DPIA). It can help evaluate risks of retaining (or deleting) data, helping set proper retention durations.
Consumer rights and data retention
When establishing data retention periods, organizations must take into consideration the user rights granted by the GDPR. In particular, the right to erasure (Article 17) can be exercised in the following cases:
- The data is no longer needed for the reasons it was collected
- The user withdraws consent (when consent is the lawful basis for processing)
- The organization relies on legitimate interests as the basis for processing and the user objects to the processing (and no overriding legitimate grounds exist)
- The organization is processing data for direct marketing purposes and the user objects to the processing
- Unlawful data processing
- Data must be erased to comply with legal rulings
- The data was collected from a child in connection with the offer of information society services
In such cases, the remaining retention period no longer applies: the personal data must be deleted once the request is received, unless one of the Article 17(3) exceptions applies, such as a legal obligation to keep the data (tax records, for instance) or the establishment, exercise or defence of legal claims. Where an exception applies, only the data actually covered by it may be kept, and the user should be told why. Organizations must respond to requests without undue delay and within one month; this can be extended by two further months for complex or numerous requests, provided the user is informed of the extension and its reasons within the first month.
Implementing GDPR data retention requirements
Adopting GDPR data retention involves creating clear procedures for how long an organization keeps data and how it removes it after the expiry date. Let’s review the key requirements organizations should follow:
- Audit and categorize data. Begin by auditing all of the personal data that your company collects. Review what channels it comes from (like third-party integrations), then categorize it. You can use categories like type (such as financial records and customer data), purpose (advertising, marketing, personalization), and sensitivity level (special-category data such as biometric, genetic or health data sits at the high end).
- Understand your business needs. When setting retention durations, think of the importance of each data category. For example, take into consideration ongoing customer support or analytics.
- Create a data retention policy. Based on data categories and their purposes, set proper retention durations and record them in one place. This can be employee data being kept several years after termination or marketing data reviewed annually to ensure it’s still relevant.
- Adopt data minimization practices. Create a well-established procedure that would ensure your organization always keeps the minimal data possible. This includes defining data deletion or anonymization processes.
- Regularly review retention periods. Legal requirements and business purposes change over time, so review the schedule on a fixed cadence (annually is common) and confirm that each retention period still matches a current purpose or obligation.
- Train your staff. Make sure that your employees are familiar with GDPR requirements and understand your organization’s data retention durations.
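The steps above, and the erasure-request handling described in the consumer rights section, are easier to reason about once they are written down as a small retention engine. The following is an added example, not code from the original article: a Python sketch with a hypothetical policy table (category, retention period from last activity, end-of-life action, and whether a legal obligation forces retention), a scheduled sweep that deletes or anonymizes expired records, an Article 17 erasure handler that honors the legal-obligation exception, and the Article 12(3) response deadline with the two-month extension. The categories, retention periods and sample records are constructed for illustration and are not a recommendation for any particular retention period.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule (constructed for illustration, not legal advice):
# category -> retention period from last activity, end-of-life action, and whether a
# legal obligation (e.g. tax law) forces retention even against an erasure request.
POLICY = {
    "marketing":      {"days": 365,     "action": "delete",    "legal_hold": False},
    "support_ticket": {"days": 730,     "action": "anonymize", "legal_hold": False},
    "invoice":        {"days": 6 * 365, "action": "delete",    "legal_hold": True},
}

# Fields that let a record be linked back to a person; anonymization drops them.
IDENTIFYING_FIELDS = {"name", "email", "ip"}


@dataclass
class Record:
    id: str
    subject: str        # data-subject identifier ("" once anonymized)
    category: str
    last_activity: date
    data: dict


def expiry_date(record, policy=POLICY):
    """Date on which the record's retention period ends."""
    return record.last_activity + timedelta(days=policy[record.category]["days"])


def anonymize(record):
    """Keep non-identifying content (e.g. for statistics) but drop every identifier."""
    scrubbed = {k: v for k, v in record.data.items() if k not in IDENTIFYING_FIELDS}
    return Record(record.id, "", record.category, record.last_activity, scrubbed)


def apply_retention(records, today, policy=POLICY):
    """One scheduled sweep: expired records are deleted or anonymized per policy.
    Returns (surviving records, deleted ids, anonymized ids)."""
    kept, deleted, anonymized = [], [], []
    for r in records:
        if today < expiry_date(r, policy):
            kept.append(r)
        elif policy[r.category]["action"] == "anonymize":
            kept.append(anonymize(r))
            anonymized.append(r.id)
        else:
            deleted.append(r.id)
    return kept, deleted, anonymized


def handle_erasure_request(records, subject, policy=POLICY):
    """Article 17 request: delete the subject's data regardless of remaining retention,
    except where a legal obligation requires keeping it (Art. 17(3)(b)).
    Returns (surviving records, deleted ids, ids retained under legal hold)."""
    kept, deleted, held = [], [], []
    for r in records:
        if r.subject != subject:
            kept.append(r)
        elif policy[r.category]["legal_hold"]:
            kept.append(r)
            held.append(r.id)
        else:
            deleted.append(r.id)
    return kept, deleted, held


def add_months(d, months):
    """Calendar-month arithmetic that clamps to the last day of a short month."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def response_deadline(received, extended=False):
    """Article 12(3): respond within one month; extendable by two further months
    for complex or numerous requests, if the subject is told within the first month."""
    return add_months(received, 3 if extended else 1)


# Constructed sample data for the demo below.
SAMPLE_RECORDS = [
    Record("r1", "alice", "marketing",      date(2023, 1, 1),  {"email": "alice@example.com", "opted_in": True}),
    Record("r2", "alice", "support_ticket", date(2022, 1, 1),  {"email": "alice@example.com", "topic": "billing"}),
    Record("r3", "alice", "invoice",        date(2023, 9, 1),  {"name": "Alice", "amount": 42.0}),
    Record("r4", "bob",   "marketing",      date(2024, 1, 15), {"email": "bob@example.com", "opted_in": True}),
]


def run_demo():
    """Retention sweep on 2024-03-01, then an erasure request from alice."""
    kept, deleted, anonymized = apply_retention(SAMPLE_RECORDS, date(2024, 3, 1))
    _, erased, held = handle_erasure_request(SAMPLE_RECORDS, "alice")
    return {
        "swept_deleted": deleted,
        "swept_anonymized": anonymized,
        "surviving": [r.id for r in kept],
        "r2_after_sweep": next(r.data for r in kept if r.id == "r2"),
        "erasure_deleted": erased,
        "erasure_held": held,
        "deadline": response_deadline(date(2024, 1, 31)).isoformat(),
        "deadline_extended": response_deadline(date(2024, 1, 31), extended=True).isoformat(),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design points worth noting. The sweep is keyed on last activity rather than creation date, because a purpose such as support or an active subscription keeps a record necessary for as long as it is in use. And the erasure handler does not simply delete everything: the invoice stays, with its id reported under a legal hold, which is the evidence you need to tell the requester why that item was not erased. A production version would also run the same sweep against backups and replicas, otherwise deletion is only partial.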
Useful tools for data retention management
There are some useful tools that you can consider using for managing data retention practices. Here are some suggestions:
- Centralized data management – tools for managing various GDPR compliance areas, like consent, subject rights, risk management, or audit logs.
- Data mapping tools – helps organizations document how data flows through the organization and categorize it.
- Data access control – lets you manage internal access to personal data to prevent unauthorized access.
- Data protection – tools that help ensure data is kept securely and in compliance with GDPR, such as DPIA tooling, encryption and anonymization, breach management, and incident response tools.
- Data backups – ensure that you can restore personal data after a data breach, storage device failure, or software error. Backups must be covered by the retention policy too: a record deleted from production has to age out of backup media on a defined schedule as well, otherwise the deletion is incomplete and the data can resurface on restore.
- Compliance management – helps monitor and audit personal data usage and retention.
- Consent management platform – ensures you obtain GDPR-compliant user consent for data collection, create cookies with chosen expiry dates, and keep consent records in one place.
Examples of GDPR data retention policies
Many companies create GDPR data retention policies to comply with GDPR. Here are some examples to help you understand what it should look like:
- Microsoft. When a customer ends a subscription to Microsoft services, the company retains customer data for 90 days in case the customer wants to extract it. After 180 days, the whole account is disabled and all data is deleted.
- Shopify. Shopify only keeps personal data for as long as is necessary for specific purposes, such as providing services, fulfilling obligations, or handling backups.
- Adobe. For Adobe Analytics, the data retention period is 25 months. Users can reduce this period at no extra cost. For extending data retention up to 10 years, users are required to purchase extensions.
- Google. Google data retention periods depend on the data category. Some of it can be removed by the user, while other data is deleted after the set timeframe. They also anonymize advertising data.
Frequently asked questions
What does the GDPR say about data retention?
Under the GDPR, data retention is governed by the storage limitation principle. It states that personal data must be kept no longer than is necessary for the purposes for which it was collected.
What happens if an organization stores data indefinitely?
By storing data indefinitely without proper cause, an organization violates the storage limitation principle of the GDPR, which mandates that data may be retained only for the timeframe necessary for its original purpose.
Can personal data be archived indefinitely?
Personal data can be kept for longer periods only if it is processed solely for archiving purposes in the public interest, scientific or historical research, or statistical purposes. Even then, appropriate technical and organizational safeguards are required (Article 89), which in practice means the data should be anonymized where possible or at least pseudonymized.