GDPR Data Retention

The GDPR data retention requirements are broadly similar to those in the Data Protection Directive that General Data Protection Regulation replaces, although there have been some changes made with respect to data retention.

What are the GDPR Data Retention Rules?

Generally speaking, GDPR data retention rules require any personal data that is collected or processed to be kept only for as long as data are required to achieve the purpose for which the information was collected, although there are exceptions – scientific or historical research for example.

Any data controller or data processor should ensure personal information is securely deleted or returned when it is no longer required. Under GDPR, data cannot be kept indefinitely. Recital 39 of the GDPR requires data controllers to establish time limits for data retention and to ensure the erasure of records when they are no longer required.

Under certain circumstances, data may need to be retained for longer time periods, even though the information is no longer required for its original purpose, such as to ensure compliance with federal and state laws or for legal reasons. GDPR does not prohibit this, although the reasons for extended storage of data should be detailed in GDPR policies.

In order for data to be erased, a company must know where all personal data are stored. A data audit should be performed that establishes all locations where data are stored, including on the company’s own servers, third-party servers, desktops, email accounts, employee owned devices, backup locations, and paper files.

The GDPR accountability principle means companies must be able to demonstrate to regulators that they are in compliance with GDPR. Companies should therefore ensure they have a documented policy for data retention.

Your GDPR data retention policy should detail which documents and other forms of data should be retained and what needs to be deleted, returned, or destroyed. You must establish time limits for retaining data, which may differ depending on the type of data collected or processed. During the retention period it is necessary to conduct periodic reviews of all data retained.

Your policy should cover what happens to data at the end of the retention period. You should detail the methods that should be used to destroy or erase data to prevent reconstitution or reconstruction. An alternative to the deletion of data is the removal of all personal identifiers that would allow an individual to be identified. Your policy should cover the data elements that need to be removed to ensure identification is not possible.

Your policy should also cover requests by individuals to be forgotten, and that data must be deleted or returned when a contract ends.

Compliance with GDPRis mandatory from May 25, 2018. Once the deadline passes, heavy fines can be applied for noncompliance. It is therefore important for all data controllers and data processors to develop a GDPR data retention policy and ensure that procedures are put in place to ensure the data of EU citizens is not kept for longer than necessary.