Data Retention Policies under GDPR

by Patrick Kennedy | May 21, 2018

As of this Friday, May 25, the General Data Protection Regulation (GDPR) comes into effect in all European Union (EU) member states. Many organizations outside the EU have so far paid little attention to its requirements.

However, the GDPR is not tied to citizenship. If your company or organization offers goods or services to, or monitors the behaviour of, people who are in the EU, or employs staff there, then the GDPR applies to that processing regardless of where the organization itself is based (Article 3). One of the main concerns for businesses that must comply is data retention policy.

What is Data Retention?

Data retention involves deciding what to keep and what to destroy. A retention policy must set out when and in what manner records will be destroyed, and why and how records will be retained.

Every enterprise that processes the personal data of people in the EU, wherever the enterprise itself is located, must comply with the GDPR; the regulation is not limited to organizations in EU states. The retention policy must be clear, unambiguous, well thought out and wide ranging, because key decisions about what is kept and what is destroyed will be made on the basis of that document. It must therefore cover every category of personal data the organization holds, including data it expects to collect in the future.

How are Decisions about what to Retain Made?

The GDPR advocates keeping personal data for the minimum period necessary. Recital 39 states: “…the period for which the personal data are stored is limited to a strict minimum…In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review…” The binding principle behind this recital is storage limitation, set out in Article 5(1)(e).

Each company affected by the GDPR must therefore rethink how much personal data it stores and for how long. The emphasis is on purpose limitation and data minimisation: collect only the data you need for a stated purpose, and keep it only as long as that purpose requires.

In what Form is Data Retained?

The GDPR is also specific about the form in which data is retained. Article 5(1)(e) requires that personal data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing. Once the identifying purpose has ended, the data should be erased or anonymised, or pseudonymised where it is kept under one of the exemptions discussed below.

How long and why is Data Retained?

Article 5(1)(c) and (e) set out the principles of data minimisation and storage limitation. A business's data controller needs to re-examine the company's retention policies with an eye to how long each category of data should be retained, and the crucial question is why the data is being kept. If it no longer serves the purpose for which it was collected, and no other lawful basis for holding it applies, there is no viable reason to retain it.

If data is being retained for purposes incompatible with those for which it was originally collected, the company may well be liable to GDPR fines.

Is there ever a Reason to Retain Data?

There are circumstances in which a company may be justified in retaining data even after the data subject has asked for its erasure. “It might be useful later” is not one of them: storing data against the possibility of future value is exactly what the storage limitation principle rules out. Retention beyond the original purpose must rest on a specific lawful basis, for example a statutory duty to keep certain records, or one of the purposes listed below.

Three purposes for which the GDPR permits personal data to be stored for longer periods (Article 5(1)(e), subject to the safeguards in Article 89 such as pseudonymisation) are:

  1. Archiving purposes in the public interest
  2. Scientific or historical research purposes
  3. Statistical purposes

Data Becomes Dated

Not all data has the same shelf life; different categories of personal data warrant different retention periods. Two considerations are the original purpose of the data and how quickly it goes stale. For example, payment card data is subject to additional security and retention requirements and should be kept only as long as the transaction needs it, while health records can go out of date quickly and may be used for the immediate purpose and then not retained at all.
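The time limits for erasure or review, the requirement to hold data in a form that identifies people no longer than necessary, the three extended-storage purposes, and the point that different categories need different retention periods can all be expressed as one scheduled job. The following is an added illustration, not code from the original article or from any GDPR guidance: it assumes a made-up retention schedule, a constructed set of records, a hypothetical HMAC key, and a record layout (`Record`, `RETENTION_DAYS`, `EXTENDED_STORAGE_PURPOSES`) invented for this example.

```python
"""Retention sweep over a constructed set of personal-data records.

Every category gets a retention period. Once it has passed, the record is
erased, unless it is flagged for one of the purposes the GDPR allows longer
storage for; then its identifying fields are replaced by a keyed pseudonym
so it can still serve statistics or research without identifying anyone.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed schedule: retention period in days per data category.
# The real figures come from the organisation's written retention policy.
RETENTION_DAYS = {
    "marketing_lead": 180,
    "support_ticket": 365,
    "payment_card": 30,
    "health_record": 90,
}

# Purposes for which storage beyond the original purpose may continue.
EXTENDED_STORAGE_PURPOSES = {"archiving_public_interest", "research", "statistical"}

# Fields that identify the data subject and must not outlive the purpose.
IDENTIFYING_FIELDS = ("name", "email", "card_number")

# Hypothetical key for illustration only; keep the real one in a KMS/HSM.
PSEUDONYM_KEY = b"example-key-do-not-use"

SWEEP_DATE = date(2018, 5, 25)  # constructed "today" for the sample run


@dataclass
class Record:
    record_id: str
    category: str
    collected_on: date
    data: dict[str, str]
    retained_for: str | None = None  # extended-storage purpose, if any
    pseudonymised: bool = False


def pseudonym(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash: the same subject maps to the same token, but without the
    key an attacker cannot confirm a guessed e-mail address by hashing it,
    which a plain SHA-256 would allow by simple enumeration."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(rec: Record) -> Record:
    """Replace identifying fields in place; non-identifying fields are kept."""
    for field_name in IDENTIFYING_FIELDS:
        if field_name in rec.data:
            rec.data[field_name] = pseudonym(rec.data[field_name])
    rec.pseudonymised = True
    return rec


def sweep(records: list[Record], today: date) -> tuple[list[Record], list[str]]:
    """Apply the schedule. Returns (records to keep, ids of records to erase).

    A category missing from the schedule is a policy gap, so the sweep fails
    closed rather than silently keeping or deleting the record."""
    kept: list[Record] = []
    erased: list[str] = []
    for rec in records:
        limit = RETENTION_DAYS.get(rec.category)
        if limit is None:
            raise ValueError(f"no retention period defined for {rec.category!r}")
        expired = today > rec.collected_on + timedelta(days=limit)
        if not expired:
            kept.append(rec)
        elif rec.retained_for in EXTENDED_STORAGE_PURPOSES:
            kept.append(pseudonymise(rec))
        else:
            erased.append(rec.record_id)
    return kept, erased


def build_sample_records() -> list[Record]:
    """Constructed sample data, not taken from any real system."""
    return [
        Record("r1", "marketing_lead", date(2018, 1, 1),
               {"name": "A. Example", "email": "a@example.org"}),
        Record("r2", "support_ticket", date(2017, 1, 1),
               {"name": "B. Example", "email": "b@example.org", "issue": "login"}),
        Record("r3", "payment_card", date(2018, 4, 1),
               {"name": "C. Example", "card_number": "4111111111111111"}),
        Record("r4", "health_record", date(2018, 1, 1),
               {"name": "D. Example", "email": "d@example.org", "diagnosis": "J06.9"},
               retained_for="statistical"),
        Record("r5", "payment_card", date(2018, 5, 20),
               {"name": "E. Example", "card_number": "5555555555554444"}),
    ]


if __name__ == "__main__":
    kept, erased = sweep(build_sample_records(), SWEEP_DATE)
    for rec in kept:
        print("keep ", rec.record_id, rec.category, rec.data)
    print("erase", erased)
```

On the sample run the expired support ticket and the expired card record are erased, the health record flagged for statistical use is kept with its name and e-mail replaced by tokens but its diagnosis intact, and the two records still inside their period are untouched. Two design choices carry the policy point: a category with no retention period makes the job stop rather than guess, which forces the written policy to be as wide ranging as the article demands, and the pseudonym is an HMAC rather than a bare hash so that losing the token table alone does not let anyone re-identify subjects by hashing candidate addresses.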

Where to Store Personal Data Files

Whether your business stores data in-house or outsources storage, the security of these files must be a paramount concern. Some hard-copy records cannot be digitised. Whether the records are digital or on paper, secure archiving of retained material is critical.

The more records your company opts to retain, the more physical space and security are required, which becomes a budget concern. Who gets access, and by what means, also needs to be decided and enforced.

A sound retention policy also reduces your exposure to a breach: data you no longer hold cannot be stolen, and the data you do hold is easier to protect. It ensures that your organization does not lose documents it genuinely needs, and it protects the people whose personal information you have collected and retained.

Another outcome of crafting a retention policy is a rethinking of what data should actually be kept and what is just filling space; the files you retain become more meaningful. Data protection has always been a concern. The GDPR simply tightens the decisions about what is retained, why, and how it is safeguarded.





Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
