Under the General Data Protection Regulation (GDPR), businesses must navigate complex requirements for processing personal data, including establishing clear policies on data retention. The core principle is to retain personal data for no longer than necessary, balancing legal compliance with operational efficiency. This article offers a detailed guide on GDPR data retention, covering best practices, criteria for determining retention periods, and how CookieYes can simplify compliance through effective tools and technologies.
What is data retention?
Data retention is the practice of storing personal data for a specific period to meet legal, regulatory, or business needs. Under GDPR, it refers to the duration that an organisation keeps personal data, such as names, email addresses, or financial information. Retention policies define how long data is stored and when it should be deleted or anonymised to comply with privacy laws and protect individuals’ rights.
Why is data retention important?
Data retention is important for several reasons:
- Compliance: Ensures organisations meet legal and regulatory requirements for storing data, avoiding penalties.
- Operational efficiency: Supports business functions like customer service, contracts, and dispute resolution.
- Risk management: Holding only the data that is needed, for no longer than it is needed, shrinks what an attacker can take in a breach; this matters most for sensitive personal data.
- Cost control: Lowers storage costs by eliminating unnecessary data.
- Customer trust: Builds trust by demonstrating a commitment to data privacy and protection.
- Legal risk: Failing to meet data retention requirements exposes the organisation to GDPR fines and other enforcement action by supervisory authorities.
Clear data retention policies help businesses comply with GDPR while protecting personal data and maintaining efficient operations.
How long should data be kept under GDPR?
GDPR emphasises the “storage limitation” principle in Article 5, which mandates that personal data must not be kept longer than necessary for the purposes for which it was processed. While the regulation does not specify exact time limits, it provides a framework within which businesses must operate. This involves considering various factors such as legal obligations, the specific purposes of data collection, legitimate interests, and operational needs.
Minimum and maximum retention periods
While the GDPR does not specify exact retention periods, it requires data controllers to establish retention periods based on the specific purpose of data processing. Here’s how this can be structured:
- Purpose limitation: Personal data should be kept only for as long as necessary to fulfil the purpose for which it was collected. For example, if data is collected to provide a service, it should be deleted once the service is completed unless there is a lawful basis for retaining it longer. For instance, customer support data may need to be kept longer to handle refunds, returns, or warranty claims.
- Exceptions for retention: Some scenarios allow data to be retained for extended periods, such as archiving in the public interest, scientific or historical research, or statistical analysis. However, Article 89 requires safeguards for such processing, in particular pseudonymisation or, where the purpose can still be met, full anonymisation, to protect data subjects’ rights and keep the processing within GDPR principles.
- Legal and regulatory requirements: Certain data types, such as financial data, employment records, or records covered by national data protection legislation (for example the UK Data Protection Act), may have statutory retention periods that vary by jurisdiction. For example, employment records may need to be kept for up to 7 years in some countries to comply with labour laws. GDPR itself also imposes record-keeping duties: under Article 33(5), controllers must document every personal data breach (facts, effects, remedial action) so that a supervisory authority can verify compliance, and those records need their own retention period.
Criteria for determining retention periods
When determining data retention periods, businesses must consider several key criteria:
- Legal requirements: Certain types of data have statutory retention periods mandated by laws across different jurisdictions. For example, tax records may need to be kept for 6–7 years under various national laws, while financial records might need to be retained for longer durations for audit purposes. Compliance with these requirements is essential to avoid penalties and ensure data privacy.
- Purpose of data processing: Retention should directly correlate with the specific purpose of data processing. For example, data collected for marketing purposes should be periodically reviewed for relevance. If the data is no longer necessary, it should be erased or anonymised. Similarly, sensitive data such as health records or data related to legal claims must be carefully managed to comply with GDPR requirements.
- Industry standards and guidelines: Different industries have specific guidelines that influence retention practices. For example, the financial sector might require credit data retention for up to 6 years, while the healthcare sector may have different standards. Aligning with these guidelines is crucial to maintaining compliance and protecting legitimate interests.
- Risk assessment and impact analysis: Conducting a risk assessment to evaluate the potential impact of retaining or deleting data can help determine appropriate retention periods. This includes assessing the risks of non-compliance, data breaches, or other threats to data privacy.
Implementing GDPR-compliant data retention policies
To comply with GDPR, businesses must develop and maintain robust data retention policies that outline retention periods, review processes, and procedures for data deletion or anonymisation when data is no longer needed. These policies should be comprehensive and tailored to the specific needs and risks of the organisation.
Steps to establish data retention timelines
- Conduct a data inventory: Start by auditing all personal data held by the organisation. Categorise the data by type (e.g. customer data, employee data), purpose (e.g. marketing, service provision), sensitivity (e.g. sensitive data like health records), and retention needs. This helps in determining relevant retention periods and ensures compliance with GDPR’s storage limitation principle.
- Define clear retention periods: Establish retention periods for different categories of data based on their purpose and applicable legal requirements. For example, employment records may need to be kept for several years after an employee leaves, while marketing data should be reviewed periodically for relevance. Make sure to document these periods in a retention schedule that is easily accessible and understandable by all employees.
- Regularly review and update retention schedules: Retention schedules should be reviewed and updated regularly to reflect changes in legal requirements, industry guidelines, or organisational needs. Automated tools can help flag data for review or deletion when it reaches the end of its retention period. This ensures that data is not kept longer than necessary and that the organisation remains compliant with GDPR.
- Implement data minimisation and erasure protocols: Develop clear protocols for minimising the amount of data retained and for securely erasing or anonymising data once it is no longer needed. “Delete” must mean unrecoverable: use deletion tooling that removes the data rather than merely unlinking it, make sure backups and replicas are covered, and consider encrypting data under per-subject keys so that destroying the key (crypto-shredding) renders every copy, including backups, unreadable at once.
- Train employees and raise awareness: Ensure that all employees are aware of the organisation’s data retention policies and understand their role in maintaining compliance. Regular training sessions and updates on GDPR requirements can help foster a culture of data privacy and compliance within the organisation.
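The steps above describe a retention schedule and an automated sweep without showing one. The following is an added example, not CookieYes code or a recommended schedule: it encodes a small constructed schedule, computes each record’s expiry from the event that starts its clock (ticket closure, last contact, fiscal year end, rather than the collection date), honours a legal hold, and either erases, anonymises, or flags the record. The categories, periods and sample records are hypothetical.

```python
"""Retention-schedule sweep: computes each record's expiry from the event that
starts its clock, then erases, anonymises, holds or flags it. Added example with
a constructed schedule; the periods are illustrative, not legal advice."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Hypothetical retention schedule. The clock starts at a trigger event (last
# contact, ticket closure, fiscal year end), not at collection, and the action
# at expiry is fixed per category.
SCHEDULE = {
    "marketing_consent": {"trigger": "last_contact",    "days": 730,     "action": "erase"},
    "support_ticket":    {"trigger": "closed",          "days": 365,     "action": "anonymise"},
    "invoice":           {"trigger": "fiscal_year_end", "days": 7 * 365, "action": "erase"},
}
# Fields that carry no identifier and may survive anonymisation of a ticket.
ANON_KEEP = {"product", "resolution_days"}

@dataclass
class Record:
    record_id: str
    category: str
    subject_id: Optional[str]          # data-subject identifier; None once anonymised
    events: dict                       # trigger name -> date the event occurred
    fields: dict = field(default_factory=dict)
    legal_hold: bool = False           # litigation/regulator hold overrides the schedule

def expiry_date(rec: Record) -> Optional[date]:
    """Expiry, or None if the clock has not started (trigger event not yet occurred)."""
    rule = SCHEDULE[rec.category]
    started = rec.events.get(rule["trigger"])
    return None if started is None else started + timedelta(days=rule["days"])

def sweep(records, today: date):
    """Return (records to keep, audit entries). Unknown categories fail closed: kept and flagged."""
    kept, audit = [], []
    for rec in records:
        if rec.category not in SCHEDULE:
            kept.append(rec)
            audit.append((rec.record_id, "needs_review", None))
            continue
        exp = expiry_date(rec)
        if exp is None or exp > today:
            kept.append(rec)
            continue
        if rec.legal_hold:
            kept.append(rec)
            audit.append((rec.record_id, "retained_legal_hold", exp.isoformat()))
        elif SCHEDULE[rec.category]["action"] == "erase":
            audit.append((rec.record_id, "erased", exp.isoformat()))   # not re-added: gone
        else:
            rec.subject_id = None
            rec.fields = {k: v for k, v in rec.fields.items() if k in ANON_KEEP}
            kept.append(rec)
            audit.append((rec.record_id, "anonymised", exp.isoformat()))
    return kept, audit

def run_example(today: date = date(2025, 1, 1)):
    """Constructed sample data; returns the sweep result for inspection."""
    records = [
        Record("m1", "marketing_consent", "s1", {"last_contact": date(2022, 6, 1)}),
        Record("m2", "marketing_consent", "s2", {"last_contact": date(2024, 9, 15)}),
        Record("t1", "support_ticket", "s3", {"closed": date(2023, 10, 10)},
               fields={"email": "s3@example.com", "product": "widget"}),
        Record("t2", "support_ticket", "s4", {}),                       # still open: no clock
        Record("i1", "invoice", "s5", {"fiscal_year_end": date(2017, 12, 31)}, legal_hold=True),
        Record("u1", "unknown_export", "s6", {"created": date(2019, 1, 1)}),
    ]
    return sweep(records, today)

if __name__ == "__main__":
    kept, audit = run_example()
    for entry in audit:
        print(entry)
```

Two design points matter more than the code. First, the sweep never deletes anything whose category is missing from the schedule; an unclassified export is flagged for review rather than silently kept forever or silently dropped. Second, the audit trail records the expiry that triggered each action, which is what a supervisory authority or auditor will ask for. Dropping identifying fields, as done here for closed tickets, is only anonymisation if the remaining data cannot be linked back to a person; that is a judgement about re-identification risk, not a property of the code.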
Tools and technologies to manage data retention
Effective data retention management requires tools, technologies, and processes:
- Data organisation and classification: Systems that sort and label data to make it easier to manage and keep only what’s needed.
- Data encryption: Tools that make data unreadable to anyone without the key for as long as it is stored. When keys are issued per data subject, destroying a subject’s key also acts as an erasure mechanism for every copy encrypted under it.
- Automatic data deletion: Tools that automatically remove data when it’s no longer needed.
- Data backup and archival: Solutions that store data securely for a long time, with rules for how long it should be kept. Backups must be covered by the retention schedule too: a record deleted from the live system but restorable from a backup has not been erased.
- Centralised data management: Platforms that allow you to set and control data retention rules across different storage systems.
- Data access control: Systems that ensure only authorised people can access or change data.
- Compliance management: Tools that help meet legal rules by tracking data usage and retention and providing records for audits.
- Cloud storage and deletion: Cloud services with built-in settings to keep or delete data based on rules.
- Data monitoring: Tools that watch how data is used to help decide what to keep or delete.
- Data protection: Pseudonymisation and masking tools that replace identifiers so the remaining data still serves its purpose with less risk. Pseudonymised data is still personal data under GDPR (the identifiers are only held apart); only data that cannot be linked back to a person is anonymised and outside the regulation’s scope.
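The encryption and backup entries above point at the same practical problem: a retention sweep can delete a row from the live database, but the same row sits in backups and archives the sweep cannot reach. Crypto-shredding solves this by encrypting each data subject’s records under a key that belongs to that subject and treating destruction of the key as the erasure (NIST SP 800-88 lists cryptographic erase as a recognised sanitisation technique). The block below is an added example, not a CookieYes feature or a library’s API. To run without third-party packages it uses a stand-in authenticated stream cipher built from the standard library (HMAC-SHA256 keystream in counter mode with an encrypt-then-MAC tag); production code should use AES-GCM from a vetted library and keep the keys in a KMS or HSM. The key-store class, function names and sample datum are hypothetical.

```python
"""Crypto-shredding: one data-encryption key per data subject. Destroying that
key erases every copy of the subject's ciphertext at once, including copies in
backups the deletion job cannot reach. Added example; key handling is the point."""
import hashlib
import hmac
import os

# Illustrative authenticated stream cipher built from the standard library
# (HMAC-SHA256 keystream in counter mode, encrypt-then-MAC) so the example runs
# with no third-party packages. Production code should use AES-GCM from a vetted
# library; the scheme below is a stand-in, not a recommendation.
NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def _subkeys(dek: bytes):
    """Derive separate encryption and MAC keys from the subject's DEK."""
    return (hmac.new(dek, b"enc", hashlib.sha256).digest(),
            hmac.new(dek, b"mac", hashlib.sha256).digest())

class KeyShredded(Exception):
    """Raised when the subject's key no longer exists: the data is unrecoverable."""

class SubjectKeyStore:
    """Per-subject data-encryption keys (hypothetical). In production these live in a KMS/HSM."""
    def __init__(self):
        self._keys = {}
    def provision(self, subject_id: str) -> None:
        self._keys.setdefault(subject_id, os.urandom(32))
    def key_for(self, subject_id: str) -> bytes:
        if subject_id not in self._keys:
            raise KeyShredded(subject_id)
        return self._keys[subject_id]
    def shred(self, subject_id: str) -> None:
        # The erasure step: ciphertext copies may survive anywhere, the key must not.
        self._keys.pop(subject_id, None)

def seal(store: SubjectKeyStore, subject_id: str, plaintext: bytes) -> bytes:
    enc, mac = _subkeys(store.key_for(subject_id))
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(store: SubjectKeyStore, subject_id: str, blob: bytes) -> bytes:
    enc, mac = _subkeys(store.key_for(subject_id))          # raises KeyShredded after shred
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: blob corrupted or tampered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))

def run_example() -> dict:
    """Seal a record, copy it to a 'backup', shred the key, try the backup copy again."""
    store = SubjectKeyStore()
    store.provision("subject-42")
    live = seal(store, "subject-42", b"alice@example.com")   # constructed sample datum
    backup = bytes(live)                                      # copy the sweep never touches
    before = unseal(store, "subject-42", backup) == b"alice@example.com"
    store.shred("subject-42")
    try:
        unseal(store, "subject-42", backup)
        after = True
    except KeyShredded:
        after = False
    return {"readable_before_shred": before, "readable_after_shred": after}

if __name__ == "__main__":
    print(run_example())
```

The caveats a practitioner should carry into a real deployment: the key store is now the thing whose backups matter, so it needs its own retention and access-control regime, key destruction must be logged as the erasure event, and cryptographic erase only counts if the key is irrecoverable, which rules out key escrow or backups of the key store that outlive the shred.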
CookieYes helps businesses comply with data retention laws like GDPR and CCPA by automating cookie consent management and record-keeping. It enables:
- Cookie consent collection: Automatically gather user consent through customisable cookie banners.
- Automatic blocking of third-party tracking: Ensure that user data is not collected or tracked without consent.
- Cookie expiry settings: Set expiration periods for cookies, ensuring data isn’t retained longer than necessary.
- Consent log: Maintain a detailed record of user consent, providing a clear audit trail for compliance.
- Privacy policy generator: Easily create and update privacy policies in line with GDPR requirements.
GDPR data retention policy examples
Here are some examples of top companies’ data retention policies:
Google
Google retains data based on its purpose. Some data, such as user activity, can be deleted by the user at any time. Other data, like certain browsing information, is automatically deleted after a set period (e.g. browser width data is kept for nine months). For regulatory, security, and business reasons, some data is retained longer, such as financial records required for tax compliance. Google also anonymises or pseudonymises data after certain periods to protect user privacy. The deletion process, designed to ensure complete data removal, generally takes around two months, with up to six months for backup storage.
Netflix
Netflix retains personal information, such as device identifiers, email addresses, and encrypted payment details, as required by law and for business purposes like billing and account management. Data is stored for as long as needed to fulfil these purposes or until the user deletes their account. Even if users delete specific data, like payment methods, Netflix keeps an encrypted and hashed version for verification. Users can request the deletion of specific information, such as their email address or date of birth, by contacting Netflix directly.
Spotify
Spotify keeps personal data for as long as necessary to provide its services, manage user accounts, and comply with legal obligations. If a user deletes their account, Spotify retains the data for a limited time to allow for account recovery before it is permanently deleted. Some anonymised data may be kept longer for analytics and business planning. Retention periods are determined by the type of data and its purpose, ensuring compliance with GDPR requirements.
X (formerly Twitter)
X retains user profile information and public content for the account’s existence. Other personal data is generally retained for up to 18 months. If an account is suspended, X may retain identifiers like email addresses or phone numbers indefinitely to prevent repeat offenders’ creation of new accounts. Some data may also be retained longer to meet legal requirements and ensure platform security. Deleted content may remain accessible on third-party sites or search engines beyond X’s control.
Streamlining GDPR data retention compliance
Effective data retention management is essential for GDPR compliance. By establishing clear retention policies, conducting regular reviews, and leveraging tools like CookieYes, businesses can meet their legal obligations while minimising the risks associated with unnecessary data retention. The right approach safeguards personal data, enhances operational efficiency, protects against data breaches, and fosters trust with customers.
FAQ on GDPR data retention
What is the retention period for data?
The retention period for data is the length of time personal data is stored by an organisation. Under the GDPR, there is no specific retention period prescribed; instead, data must be kept no longer than necessary to fulfil the purposes for which it was collected. The retention period depends on various factors, including legal obligations, the purpose of data processing, industry standards, and business needs. Organisations must define appropriate retention periods, regularly review them, and ensure they comply with the GDPR’s “storage limitation” principle.
What is the “storage limitation” principle in GDPR?
The “storage limitation” principle in GDPR, outlined in Article 5, requires that personal data must not be kept longer than necessary for the purposes for which it was processed. This means organisations should establish retention periods that are appropriate to the purpose of data collection and processing and should regularly review and update these periods. The principle aims to protect data subjects’ rights by minimising the risk of misuse, unauthorised access, or data breaches, ensuring that personal data is not stored indefinitely without justification.
Does GDPR require personal data to be stored in the EU?
GDPR does not require personal data to be stored in the EU, but Chapter V sets stringent rules for transferring personal data outside the European Economic Area (EEA). A transfer to a country outside the EU/EEA must rest on either an adequacy decision by the European Commission for that country or on appropriate safeguards such as Standard Contractual Clauses or Binding Corporate Rules, backed by an assessment that the protection is effective in practice. The goal is to ensure that data subjects’ rights are upheld and the data is protected to a standard essentially equivalent to that within the EU, regardless of where it is stored.