All companies that collect or process the personal information of EU residents must ensure they have a compliant GDPR data retention policy, but what should that entail?
GDPR Data Retention Rules
Article 5 explains that when personal data are collected or processed, it must only be for purposes that are “adequate, relevant, and limited to what is necessary in relation to the purposes for which [data] are processed.” Those purposes must be clearly explained at the time of collection.
Under GDPR, organizations are required to adhere to the minimization principle, which applies to the amount of personal data stored and the length of time the information is retained.
When data need to be retained, appropriate security controls should be applied to prevent the unauthorized accessing, use, or processing of data and measures should be implemented to prevent accidental loss, destruction, or damage. Efforts must be made to ensure that all data retained remain accurate and are kept up to date and inaccurate data are removed.
GDPR data retention is covered in Article 5(e), which explains that data should only be retained for as long as is required to achieve the purpose for which data were collected and are being processed. The exceptions to this are when data need to be retained “for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.”
Recital 39 of GDPR explains that when data are retained, strict time limits should be established by the data controller to ensure data are not retained for longer than is strictly necessary. The data controller is required to conduct periodic reviews and ensure that data are securely erased when no longer required.
GDPR applies to personal data that could be used to identify an individual. If data are required to be kept for longer, the information should be de-identified to prevent individuals from being identified from the data.
There are good reasons for the rules on data retention. The longer data are kept, the greater the chance that data will become out of date and the harder it becomes to ensure data are accurate. In the event of a data breach, the more data that are stored on individuals, the greater the potential for harm.
Developing a Compliant GDPR Data Retention Policy
You should already have developed a GDPR data retention policy; if you have yet to do so, now is the time to conduct a review of your data retention policies and update them accordingly. Now is also the time to ensure that any personal data of EU residents that are currently stored are deleted if the original purpose for which they were collected has been achieved.
To help with the creation of a GDPR data retention policy, use the checklist below:
GDPR Data Retention Policy Checklist
- Stipulate what data are covered by your policies.
- Set strict time limits on how long data are retained.
- Cover the methods that should be used to delete physical and digital data.
- Ensure it is explained, at the time of collection, how long data will be retained or how the decision will be made to delete data that are no longer required.
- Schedule regular reviews of stored data to determine whether the information is still required.
- Some types of data may need to be retained for longer than others. This should be detailed in your policy.
- It is particularly important to ensure that sensitive data are deleted promptly and are not stored for longer than is strictly necessary. Sensitive data include sexual orientation, race, beliefs, and health information.
- Ensure your policy covers deletion of personal data if an EU resident exercises their right to be forgotten.
- Stipulate exceptions to the general rules on data retention, such as federal and state laws and litigation holds.
- Make sure that all employees are aware of your GDPR data retention policy.
- A GDPR data retention policy must be documented. It may need to be provided to regulators in the event of an audit or an investigation of a complaint.
GDPR Compliance Deadline
The General Data Protection Regulation becomes effective on May 25, 2018, after which severe financial penalties can be issued to companies and individuals who fail to meet the requirements of GDPR. The penalty for non-compliance with GDPR is up to 20 million Euros or 4% of global annual turnover, whichever is greater.
If you are not yet compliant with GDPR requirements or have yet to start your compliance program, it is unlikely you will be able to comply with all aspects of GDPR ahead of the deadline. It is therefore essential that you have documentation that proves you have at least made an attempt to comply with the requirements of the GDPR and that your efforts are ongoing.