What are the Best Data Retention Policies under GDPR?

Under the existing Data Protection Directive – which will be replaced by the General Data Protection Regulation (GDPR) on May 25 – companies and organisations are not authorized to retain or continue processing personal data for longer than is necessary. The same will be true when the GDPR comes into force. Data controllers must either impose a time limit on how long data can be kept before deletion or schedule periodic reviews to check whether data can still be held and processed.

Even though the basic requirements for data retention are not changing, this does not mean that companies should not take any action. With the GDPR, individuals will have extended rights regarding access to and control of their personal data. Organizations must be ready to meet their requirements to fulfil these extended rights. To accomplish this, it makes sense for companies to audit the data they hold and review their processing and deletion processes.

Why does this make sense?

Once the GDPR is in place, individuals will be able to request copies of all the data related to them that is retained by an organization. This is known as a system access request (SAR). In turn, organizations are legally obliged to respond to each request within one month. The GDPR also institutes an individual’s “right to be forgotten” – to have their data deleted from a group’s systems.

If companies have not audited their data and do not have systems in place to allow efficient searching, it may take an enormous amount of time to find the data and respond to every request. This will mean employees are not performing their other tasks, which would be very inefficient and costly for the group. Auditing, cataloging, and categorizing data will help companies to quickly find data should it be needed, either for their own processing purposes or to fulfill SARs and deletion requests. Periodic reviews of data and regular deletions will ensure data retention and management is streamlined. The less data that is held, the less time it takes to process SARs, and the lower the costs of retaining and sifting through data.

How long should data be kept?

There are legal and official reasons why personal data must be retained in certain instances. These reasons can even override an individual’s right to be forgotten mentioned above. In all other cases, personal data should only be stored for as long as is necessary to complete the processing, in accordance with the original reason for which the data was collected. For instance, data should no longer be processed if a contract has ended, or if an individual has withdrawn consent. Exceptions may include cases where employment laws call for certain data to be retained by an employer, or where data is needed for the execution of public services.

Companies should prepare for the GDPR by closely examining the data they are processing, reviewing their retention periods, and deleting data appropriately. Otherwise, they could potentially end up removing from their records all data that may enable an individual to be identified. Seeing as they must have had a good reason to collect the data in the first place, both from a resource allocation and a legal point of view, deleting all data seems like a counter-productive move and will surely impact the business’ ability to function as effectively as possible.

Data auditing and data retention policies are fundamental to a successful GDPR compliance program.