Data retention strategies for GDPR compliance

April 29, 2025

Data retention strategies for GDPR compliance matter, even for North American organizations. The UK and EU’s General Data Protection Regulation (GDPR) has extraterritorial reach, meaning it applies to any organization, regardless of location, if that organization offers goods or services to, or monitors the behaviour of, individuals in the EU or UK and processes their personal data.

Here are some of the most common questions organizations have about data retention and GDPR compliance:

  • How long should different types of personal data be retained? 
  • What makes an effective data retention policy and schedule? 
  • What responsibilities do data controllers, processors and sub-processors have for data retention? 

In this blog, we dive into these questions and share practical guidance – from determining the lifespan of different types of personal data to creating an effective data retention policy and schedule. 


GDPR and data retention

The General Data Protection Regulation (GDPR) has set new standards for the way businesses handle EU personal data, including what type of data is collected and the length of time it is kept. If your organization processes the data of individuals in the EU or European Economic Area (EEA), implementing a robust data retention policy is crucial. 

The GDPR’s principles of Storage Limitation, Minimisation, and Accuracy play a vital role in shaping such a policy. 

Storage Limitation: Ensure personal data is not retained beyond the necessary time period 

Minimisation: Collect only the minimal amount of data required 

Accuracy: Maintain accurate, up-to-date, and reliable information 

In other words, the processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the specific purposes of the processing. You must only process personal data that is needed for the operations of your business. 


The GDPR doesn’t define exactly what ‘no longer than necessary’ means, so how can you judge timeframes? 

Necessity is a key factor in an effective data retention timeframe and is determined by your purpose for processing. In other words, your reason for handling and storing personal data will dictate the length of time you keep it. 

Storage periods will depend on several elements, such as the industry sector, the type of data processing, and any other regulatory requirements that apply. In some circumstances, however, a statutory retention period applies. For example, finance records in the UK and EU are generally maintained for 7 years (6 years plus the current year), in accordance with the Companies Act.  

Under the GDPR, the key requirement for data retention is that the chosen duration must be justified, and this decision must be documented. 

The documents you will need to produce: 

  • A data retention policy – This provides a general overview of the data management practices and is a broad document outlining how the organization manages its data, how long it keeps certain types of data, and the roles and responsibilities of staff 
  • A data retention schedule – This is also known as a disposal schedule and is a more detailed document, specifying the exact retention period for different classes of records and the action needed to be taken at the end of the retention period 

Data retention roles: Controllers, processors and sub-processors  

Whether you’re a data controller, processor, or sub-processor, understanding your responsibilities and obligations is essential. It is important to manage data retention in a way that ensures compliance with the General Data Protection Regulation (GDPR) and meets your business needs. 

Data controllers

Data controllers determine the purpose of any personal data processed, and the means of processing. 

A data controller is primarily responsible for determining the data retention timeframe, as they decide the purposes and means of processing personal data. 

If you are the data controller, you must ensure you have a comprehensive data retention policy and schedule in place and communicate this to any data processors or sub-processors you have engaged, such as cloud storage companies or marketing agencies. As a controller, you carry the primary responsibility for complying with data protection laws. 

Data processors

Data processors process personal data on behalf of the controller, and sub-processors are third parties engaged by the processor. 

Data processors and sub-processors are responsible for processing personal data on behalf of the controller. They must follow the controller’s instructions, including abiding by a data retention timeframe, which should be set out in the contract or data processing agreement. Details should also include what will happen to the personal data once the contract is terminated.  


Top 4 data retention challenges and how to solve them

1. Changing regulatory landscape

Data protection laws continue to develop at a rapid pace around the world. Existing EU and UK privacy laws are also frequently updated. Organizations can struggle to keep up with these changes, especially when processing and storing personal data across multiple jurisdictions.

Advice: Keep updated on the latest data protection laws 

Seek advice from an experienced Data Protection Officer (DPO) who specializes in EU and UK data protection laws – a dedicated DPO will regularly review and update your data retention policies and schedules and ensure they are compliant with the latest regulations. 

Solution – Hire a dedicated Data Protection Officer (DPO) 

2. Data subject awareness

Individuals are increasingly aware of their rights and more likely to make a data subject access request (DSAR). This can place a burden on an organization’s data retention framework, as it must be equipped to efficiently locate, retrieve, and respond to a DSAR, providing the requested data within a strict timeframe. Read our DSAR FAQs for more information.

Advice: Proactively prepare for data subject requests

Ensure your organization has a well-documented and tested process for handling Data Subject Access Requests (DSARs). This includes training relevant staff, having clear workflows in place, and knowing where personal data is stored.  
 
Solution – establish a robust DSAR response process

3. Data volume

It can be difficult to manage the vast quantities of data that are collected daily from various digital channels, such as email, social media, websites, and virtual stores. Not to mention paper archive records, which can create a significant challenge for companies to organize.

Advice: Implement data minimisation practices

Only collect what is absolutely necessary. A practical tip is to conduct a data audit. This involves reviewing the types of personal data your organization collects and identifying what is needed. For example, an online store collects customer names, addresses and payment information for order fulfilment. Suppose the store also collects dates of birth and marital status; depending on the types of products sold, this could be considered excessive and in breach of the GDPR’s data minimisation principle. 

Solution – Conduct a data audit and implement data minimisation practices 

4. Over-retention

Without specific rules on timeframes, organizations can often keep information far beyond its intended or necessary retention period. This increases operational costs for storage, backup and retrieval. Over-retention is itself a breach of the GDPR’s 5th principle (storage limitation) and can result in regulatory action, and it heightens the risk of reputational damage if a cyber-attack or breach were to occur.

Advice: Avoid keeping information for too long

It is important to have a clear data retention schedule for each type of data. Automated tools can be used to manage the schedule and delete or anonymise data that is no longer needed. Employees also need to be made aware of data retention policies and schedules, so they understand what to do with the data.   

Solution – Implement a clear data retention schedule 
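The retention schedule described above (a retention period and an end-of-period action per class of record) and the rule that any deviation from it must be documented can be expressed as a small evaluator. The following is an added example written for this page, not code from The DPO Centre or any tool it mentions. The record classes, periods and end actions are constructed assumptions except the 7-year finance period taken from the Companies Act example earlier in the post; a real schedule would replace them.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class RetentionRule:
    """One line of a retention (disposal) schedule."""
    record_class: str
    retention_years: int
    end_action: str  # what happens when the period ends: "delete", "anonymise" or "archive"


@dataclass
class Record:
    record_id: str
    record_class: str
    created: date
    # Documented reason for keeping the record past its period (for example a
    # legal hold). The schedule requires every such deviation to be written down.
    hold_reason: Optional[str] = None


def add_years(d: date, years: int) -> date:
    """Calendar-year arithmetic; 29 February rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


# Constructed schedule (assumption, apart from the 7-year finance example).
SCHEDULE = {r.record_class: r for r in [
    RetentionRule("finance_record", 7, "delete"),
    RetentionRule("customer_account", 2, "anonymise"),
    RetentionRule("marketing_consent", 1, "delete"),
]}


def disposition(record: Record, today: date, schedule=SCHEDULE) -> str:
    """Return what the schedule says should happen to this record today."""
    rule = schedule.get(record.record_class)
    if rule is None:
        # Not on the schedule: the class must be added before any action is taken.
        return "unscheduled"
    if today < add_years(record.created, rule.retention_years):
        return "retain"
    if record.hold_reason:
        return "retain (documented exception)"
    return rule.end_action


def over_retained(records, today: date, schedule=SCHEDULE):
    """IDs of records whose period has ended with no documented reason to keep them."""
    return [r.record_id for r in records
            if disposition(r, today, schedule) in ("delete", "anonymise", "archive")]


def approve_deletion(record: Record, today: date, justification: Optional[str] = None,
                     schedule=SCHEDULE) -> bool:
    """Deleting too early is also a breach: only approve once the period has
    ended, or when a justification for the early deletion is documented."""
    rule = schedule.get(record.record_class)
    if rule is None:
        raise ValueError(f"{record.record_class} is not on the retention schedule; add it first")
    if today >= add_years(record.created, rule.retention_years):
        return True
    return bool(justification)


# Constructed sample records; the IDs and dates are made up for this example.
SAMPLE = [
    Record("inv-001", "finance_record", date(2017, 3, 31)),
    Record("inv-002", "finance_record", date(2019, 3, 31)),
    Record("cust-1", "customer_account", date(2022, 1, 15)),
    Record("cust-2", "customer_account", date(2022, 6, 1),
           hold_reason="litigation hold LH-0001 (constructed)"),
    Record("mc-3", "marketing_consent", date(2024, 2, 29)),
    Record("survey-9", "survey_response", date(2023, 9, 1)),
]

if __name__ == "__main__":
    today = date(2025, 4, 29)
    for rec in SAMPLE:
        print(f"{rec.record_id:10} {rec.record_class:18} -> {disposition(rec, today)}")
    print("over-retained:", over_retained(SAMPLE, today))
```

Running the block with the sample data flags `inv-001`, `cust-1` and `mc-3` for action, keeps `cust-2` under its documented hold, and reports `survey-9` as unscheduled so that the class is added to the schedule rather than silently kept or deleted. `approve_deletion` refuses to delete `inv-002` before its 7 years have passed unless a justification is supplied, which is the "deleting too soon is also a breach" point from the best-practice tips.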


Best practice tips for data retention

Effective management of personal data can help you to reduce risks and maintain compliance with data protection laws. 

Here are some helpful tips for your data retention strategy: 


  • Conduct a data audit 
  • Only collect data that is necessary for your purposes 
  • Implement a data retention policy and schedule for each type of data collected 
  • If data is kept for longer or shorter periods than the retention schedule, the reason for this needs to be documented 
  • Review processing activities on a regular basis and add new ones to the schedule 
  • Train staff on the policy and schedule requirements, so that they are aware of the operational requirements before any data is deleted and understand that deleting data too soon is also considered a breach 
  • Where there is a recommendation to archive older data, this can be in an electronic format and filed in a separate electronic folder, suitably labeled as holding archive material 
  • Paper archive records need to be indexed and, once retention is met, destroyed safely and securely, using a confidential waste provider or a cross-cut shredder 

See also the Retention Policy template in our free-to-download GDPR Toolkit 


Summary

There are several challenges for businesses when it comes to data retention and GDPR compliance. The key is to understand your organization’s purpose for collecting personal data and align this purpose with the principles of data minimisation, storage limitation and accuracy. 

Documentation is essential for GDPR compliance, and a comprehensive data retention policy and schedule are a requirement. However, it is important to remember that effective data management is not just about compliance.  

Individuals are more likely to engage with organizations they trust to handle their personal data responsibly. Investing in robust data management practices and having a well-defined data retention schedule is a win-win for both compliance and customer satisfaction. 

The DPO Centre has one of the largest teams of Data Protection Officers (DPOs), working globally with over 1,000 organizations across the spectrum of industry sectors, delivering GDPR compliance solutions. 

If you need help with your GDPR compliance or you are considering an outsourced data protection solution, please get in touch with our team. 

For more news and insights about data protection follow The DPO Centre on LinkedIn 
