How long can data be retained under GDPR?

The General Data Protection Regulation (GDPR) does not set fixed retention periods for personal data; instead it requires that data be kept only as long as it is needed for the purpose it was collected for (the "storage limitation" principle). Understanding how to translate that principle into concrete retention schedules is crucial for any organization that collects or processes personal data of people in the EU.

Quick Answers

Here are some quick answers to common questions about data retention under GDPR:

  • The default retention period is no longer than necessary for the purposes for which data was collected.
  • Data controllers must establish and document lawful retention schedules.
  • Personal data can be stored longer where it is processed solely for archiving in the public interest, scientific or historical research, or statistical purposes, subject to the safeguards in Article 89.
  • Special category (sensitive) data is subject to the same storage limitation principle; because a breach of it carries higher risk, it warrants tighter schedules and prompt secure deletion once no longer necessary.
  • Data subjects have the right to erasure of personal data in certain circumstances.

The GDPR's storage limitation principle requires organizations to keep personal data only for as long as necessary and to delete or anonymize it when it is no longer required. Data that no longer exists cannot be breached or misused, so retention discipline is also a security control.

Understanding retention periods is important both for compliance and for respecting the privacy rights of individuals. This article examines the key principles and requirements around data retention under the GDPR.

Default Retention Period

The GDPR does not specify exact time limits for retaining personal data. Instead, it sets a general principle that data must not be kept for longer than necessary.

Article 5(1)(e) states that personal data must be:

“Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”

In other words, once the purpose for which the personal data was collected has been achieved, or the data is no longer needed to fulfil it, the data must be deleted. Note the wording "in a form which permits identification": fully anonymizing the data, so that individuals can no longer be identified from it, also satisfies the principle, whereas pseudonymized data is still personal data and remains subject to the retention limit.

This is the default retention period organizations must comply with under the GDPR.

Establishing Retention Schedules

To comply with this default retention period, organizations must analyze each source of personal data they hold. They need to establish and document appropriate retention schedules based on the purpose of processing.

For example, if personal data is collected for an account signup process, it may only need to be kept while the account is active plus a short period afterwards. Once the account is closed, the personal data should be deleted unless there is another lawful basis for retaining it.

Organizations must also build these retention schedules into their data governance policies and processes. This helps ensure personal data gets deleted automatically at the end of the defined retention period.

Ongoing Review of Schedules

Retention schedules should also be reviewed periodically. If the purpose for processing personal data has changed, the retention period should be updated accordingly.

For example, changing business needs may mean personal data is required for longer than originally anticipated. But the organization must have a lawful justification for extending retention beyond the original schedule.

Lawful Long-Term Retention

In some cases, personal data may lawfully be kept for longer periods. This includes where it is processed strictly for:

  • Archiving purposes in the public interest.
  • Scientific or historical research purposes.
  • Statistical purposes.

Relying on these grounds is conditional on the safeguards in Article 89(1): appropriate technical and organisational measures must be in place, in particular data minimisation and, where the purpose can still be met, pseudonymization. The data must be stored securely and used only for the stated archiving, research or statistical purpose.

Where the long-term retention is likely to result in a high risk to individuals, for example large volumes of special category data, a Data Protection Impact Assessment under Article 35 is also required to document the risks and the mitigating measures.

Archiving in the Public Interest

Public authorities may retain personal data for archiving purposes if it is in the public interest. For example, public records that document significant historical events or government activities.

There must be appropriate safeguards in place, such as pseudonymization or access controls. The data can only be used for the specific archiving purpose.

Scientific or Historical Research

Universities, libraries, and other research organizations may need to retain personal data for extended periods for scientific or historical research purposes.

Again, there are strict safeguards around relying on this lawful basis. The organization must implement data minimization techniques and limit access only to what is required for the research.

Statistical Purposes

Public authorities and other organizations may retain personal data when necessary solely for statistical purposes. For example, national statistics agencies use census records for socioeconomic analysis and reports.

The necessary safeguards depend on whether the output is truly anonymous aggregate data or still identifiable data. Data that has been irreversibly anonymized falls outside the GDPR altogether (Recital 26) and can be retained without restriction, whereas pseudonymized or otherwise identifiable records remain personal data and need the Article 89 safeguards for as long as they are kept.

Deletion When No Longer Necessary

Outside of these specific lawful bases for long-term retention, the default is that personal data should be deleted when no longer necessary.

Organizations must assess each source of personal data they hold and apply limited retention schedules.

For example, visitor logs, customer records and other operational data is often only required for short-term processes. It should be purged automatically when no longer relevant under the retention schedule.

Right to Erasure

The GDPR also grants individuals a "right to erasure" under Article 17. Also known as the right to be forgotten, this allows individuals to request deletion of their personal data in certain circumstances, for example where the data is no longer necessary for its purpose or where consent has been withdrawn.

If a valid erasure request is received, the organization must delete the data without undue delay, and in any case within one month (Article 12(3)), unless one of the exemptions in Article 17(3) applies, such as a legal obligation to retain the data or the establishment or defence of legal claims. This provides another reason to comply proactively with limited retention schedules: data that was deleted on schedule never has to be located and purged under time pressure.

Deletion Methods

Implementing data retention schedules involves more than just setting an expiry date. Organizations must also use appropriate methods to delete data so it cannot be reconstructed.

The GDPR does not prescribe a deletion method, but erasure means the personal data can no longer be recovered or accessed by the organization or anyone else. Key methods include:

  • Permanent erasure from databases
  • Secure data destruction techniques
  • Cryptographic erasure of encryption keys

Simply archiving old data, soft-deleting it by setting a "deleted" flag, or removing only the primary copy is not sufficient. Copies, replicas and backups must be covered by the schedule too. Because individual records usually cannot be removed from backup media, the practical approach is cryptographic erasure (encrypt each subject's data under its own key and destroy the key) or, where that is not possible, putting the backup copies "beyond use" until they expire on the normal backup cycle; the UK ICO has accepted the latter approach provided the data is never restored into live systems.

Special Category Data

Extra care must be taken when deleting sensitive “special category” personal data such as health records or religious beliefs. This data could pose more significant risks if exposed in a breach scenario.

Secure deletion techniques should be applied to eradicate all traces of sensitive personal data as soon as it is no longer needed. It should not be retained “just in case” without very careful justification.

Records of Deletion

Organizations must maintain records of data deletion to demonstrate compliance with retention schedules. The Article 30 record of processing activities already has to state the envisaged time limits for erasure of each category of data; records of actual deletion are the evidence, under the accountability principle of Article 5(2), that those limits are enforced.

Records should include what data was deleted, when and how. Some examples include:

  • Deletion logs from applications and databases
  • Documentation of cryptographic key destruction
  • Secure data destruction certificates
  • Right to erasure request records

Maintaining an audit trail of deletion provides proof that retention policies are being enforced. The trail itself must not quietly re-create the problem: log record identifiers, categories, timestamps and the method used, never the deleted personal data.

Implementation Tips

Here are some tips for implementing data retention schedules compliant with the GDPR:

  • Classify all sources of personal data and document purposes of processing.
  • Set default retention periods as short as possible for each data source.
  • Configure automatic deletion rules into applications and databases.
  • Delete obsolete and unnecessary data now – don’t wait until schedules expire.
  • Use auditing and data minimization techniques to identify long-retained data.
  • Apply heightened protection and strict access controls to archived data.
  • Securely destroy all backups and copies as well as live data.
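Putting several of the points above into code: the script below is an added example written for this article, not code from the original text. It models a store with one encryption key per data subject, so that destroying a subject's key renders the live record and every backup copy unreadable (the cryptographic erasure mentioned under Deletion Methods), applies a hypothetical retention schedule automatically, handles an erasure request, and writes a deletion record of what was deleted, when and how without retaining the data itself (as required under Records of Deletion). The schedule, subject names and record values are constructed for the example. The HMAC-SHA256 counter-mode stream cipher is a stand-in for a vetted AEAD such as AES-GCM so the script runs on the Python standard library alone; do not use it for real data.

```python
import hashlib, hmac, json, os
from datetime import datetime, timedelta, timezone

# Hypothetical retention schedule (an assumption for this example):
# purpose -> period after the triggering event, or None for safeguarded
# long-term retention that is reviewed by hand rather than auto-purged.
RETENTION_SCHEDULE = {
    "account": timedelta(days=30),      # 30 days after account closure
    "visitor_log": timedelta(days=7),   # 7 days after the visit
    "research_archive": None,           # Article 89 archiving/research exemption
}

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode: a stand-in for AES-GCM so the example
    # needs only the standard library. Use a vetted AEAD in production.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()   # integrity tag
    return nonce + body + tag

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

class SubjectStore:
    """One key per data subject: destroying it makes every copy unreadable."""

    def __init__(self):
        self.keys = {}          # subject_id -> key; the only copy anywhere
        self.records = {}       # record_id -> metadata plus ciphertext
        self.backups = []       # simulated backup snapshots (cannot be edited)
        self.deletion_log = []  # audit trail: what, when, how (never the data)

    def store(self, record_id, subject_id, purpose, event_time, data):
        key = self.keys.setdefault(subject_id, os.urandom(32))
        blob = encrypt(key, json.dumps(data).encode())
        self.records[record_id] = {"subject": subject_id, "purpose": purpose,
                                   "event_time": event_time, "blob": blob}
        self.backups.append((record_id, subject_id, blob))   # backup taken

    def read(self, record_id):
        rec = self.records.get(record_id)
        if rec is None or rec["subject"] not in self.keys:
            return None
        return json.loads(decrypt(self.keys[rec["subject"]], rec["blob"]))

    def recoverable_backups(self):
        # A backup copy is only recoverable while the subject's key still exists.
        return [rid for rid, sid, _ in self.backups if sid in self.keys]

    def _shred_if_orphaned(self, subject_id, record_ids, when, reason):
        method = "record deletion"
        if not any(r["subject"] == subject_id for r in self.records.values()):
            self.keys.pop(subject_id, None)   # crypto-shred: backups now unreadable
            method = "crypto-erasure (key destroyed)"
        self.deletion_log.append({"records": sorted(record_ids), "subject": subject_id,
                                  "method": method, "at": when.isoformat(), "reason": reason})

    def erase_subject(self, subject_id, when, reason):
        """Right-to-erasure path: drop all of a subject's records at once."""
        gone = [rid for rid, r in self.records.items() if r["subject"] == subject_id]
        for rid in gone:
            del self.records[rid]
        self._shred_if_orphaned(subject_id, gone, when, reason)
        return gone

    def enforce_retention(self, now):
        """Scheduled purge: delete expired records, shred keys left with none."""
        expired = {}
        for rid, r in list(self.records.items()):
            period = RETENTION_SCHEDULE[r["purpose"]]
            if period is not None and r["event_time"] + period <= now:
                expired.setdefault(r["subject"], []).append(rid)
                del self.records[rid]
        for sid, rids in expired.items():
            self._shred_if_orphaned(sid, rids, now, "retention schedule")
        return sorted(rid for rids in expired.values() for rid in rids)

T0 = datetime(2024, 1, 31, tzinfo=timezone.utc)

def demo():
    # Constructed sample records; identifiers and values are made up.
    s = SubjectStore()
    s.store("acct-1", "alice", "account", T0 - timedelta(days=40), {"email": "alice@example.invalid"})
    s.store("visit-1", "bob", "visitor_log", T0 - timedelta(days=3), {"ip": "203.0.113.7"})
    s.store("study-1", "carol", "research_archive", T0 - timedelta(days=3000), {"cohort": "A"})
    return s, s.enforce_retention(T0)   # purges acct-1 and shreds alice's key
```

Running `demo()` purges the closed account record only: the visitor log is still inside its 7-day window and the research archive has no automatic expiry. Because alice had no remaining records, her key is destroyed and the backup snapshot of `acct-1` becomes unrecoverable even though the ciphertext is still sitting in the backup list, which is the point of keying per subject rather than per system. The deletion log records the identifiers, method, timestamp and reason, not the deleted values.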

Non-Compliance Risks

Failing to comply with data retention requirements can lead to significant risks under the GDPR, including:

  • Fines – up to €20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(5)).
  • Reputational damage from perceived privacy violations.
  • Regulatory investigations and enforcement actions, including orders to erase data.
  • Compensation claims and representative actions by data subjects (Articles 79, 80 and 82).

Getting retention schedules right and deleting data properly is crucial for GDPR compliance. It also helps minimize security risks and builds customer trust through responsible data practices.

Conclusion

The GDPR mandates strict limitations on retaining personal data. The default is that data must be deleted when no longer necessary for its original purpose.

Organizations need to analyze each data source, set lawful retention schedules, and implement automatic deletion. Some data may be kept longer for archiving, research or statistical purposes if properly safeguarded.

Proper data retention hygiene minimizes security and compliance risks. It also upholds the privacy rights of individuals under the GDPR.