Type your text, and hit enter to search:
Close This site uses cookies. If you continue to use the site you agree to this. For more details please see our cookies policy.

Data Retention Policy

What is a data retention policy?

A data retention policy is a set of guidelines that helps organisations keep track of how long information must be kept and how to dispose of the information when it’s no longer needed.

The policy should also outline the purpose for processing the personal data. This ensures that you have documented proof of your justification for your data retention periods.

Under the GDPR (General Data Protection Regulation), organisations must be vigilant about how long they retain personal information. If you keep sensitive data for too long – even if it’s being held securely and not being misused – you may still be violating the Regulation’s requirements.

What does GDPR say about data retention?

Despite the apparent strictness of its data retention rules, the GDPR offers a great deal of leniency for organisations, providing no set timeframes for how long data can be retained.

They can instead set their own deadlines based on whatever grounds they see fit. The only requirement is that the organisation must document and justify why it has set the timeframe it has.

The decision should be based on two key factors: the purpose for processing the data, and any legal or regulatory requirements for retaining it.

Data should not be held for longer than is needed and shouldn’t be kept ‘just in case’ you have a need for it in the future.

As long as one of your purposes still applies, you can continue to store the data.

Legal and regulatory requirements should also be acknowledged, because you may need to keep hold of data for reasons such as tax and audits, or to comply with defined standards and guidelines.

What to do with data past the retention period

You have two options when the deadline for data retention expires: delete it or anonymise it.

Deleting data

If you opt to delete the data, you must ensure all copies have been discarded. In order to do this, you will need find out where the data is stored. Is it a digital file, hard copy or both?

It’s easy to erase hard copy data, but digital data often leaves a trace and copies may reside in forgotten file servers and databases.

To comply with the Regulation, you will need to put the data ‘beyond use’. All copies of the data should be removed from live and back-up systems.

Anonymised data

If that data is anonymised, however, the Regulation allows it to be kept for as long as an organisation wants.

This means that the information cannot be connected to an identifiable data subject. If the data can be used alongside other information the organisation holds to clearly identify an individual, then it is not adequately anonymised.

Personal data can be retained for longer periods without being anonymised if the data is being kept for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Version 1 29th June 2021


Planning your Visit