Written by Marin Milenkoski

Posted on: March 21, 2024

The Importance of Data Retention

Many companies overlook one of the most critical aspects of data processing, which is data retention. They often store vast amounts of data without clear awareness of what they’re keeping or why. This data might sit unused, with little consideration for the individuals whose information it comprises. Data subjects are frequently uninformed about their data being stored in potentially vulnerable folders, prone to leaks or loss on the web.

Regrettably, the retention periods for the data companies process are often unregulated and poorly organized. This lack of regulation can lead to ambiguity and inconsistency in how long data is retained, posing risks both to individuals’ privacy and to the companies’ compliance with data protection laws.

On November 10th, 2022, the French Data Protection Authority (Commission Nationale Informatique & Libertés — CNIL) imposed a fine of 800,000 euros on Discord for multiple breaches of the GDPR. One of the infractions involved Discord’s failure to establish and adhere to a suitable data retention period aligned with the intended purpose, as outlined in Article 5.1.e of the GDPR.

As a company, what should you do in order to comply with GDPR, or at least work toward it?

The GDPR does not specify what type of documentation you must have to achieve compliance, but the practice so far has shown that a Retention Policy is the most important document.

The General Data Protection Regulation (GDPR) has established new guidelines for how businesses handle personal data, outlining what information can be collected and for how long it can be retained.

It’s essential to have a strong data retention policy in place, and the principles of the GDPR – Storage Limitation, Minimisation, and Accuracy – are of great importance in shaping such a policy.

Storage Limitation means ensuring that personal data isn’t held for longer than necessary.

Minimisation involves collecting only the bare minimum of required data.

Accuracy mandates maintaining precise, current, and dependable information.

In simpler terms, personal data processing must be appropriate, pertinent, and restricted to what’s essential for the specific purposes at hand. Your business should only handle personal data that’s necessary for its operations.

How long should the data be kept?

The GDPR does not provide a specific duration for which data should be retained; instead, it mandates that data should not be held for longer than is necessary. The responsibility falls on each company to determine this period, taking into account any other relevant laws that may apply. For instance, in cases where an organisation holds financial information, the Anti Money Laundering legislation may require that customer financial data be retained for 5 years following the end of the customer relationship.

Therefore, the data retention period should not extend to 5 years after the last interaction with the individual whose data is being stored.

If you have questions regarding the Data Retention Policy or need assistance with compliance documents, make sure to reach out to us.
