The Importance of Data Retention (Updated 2025)

Many companies overlook one of the most critical aspects of data processing: data retention. They often store vast amounts of data without clear awareness of what they’re keeping or why. This data might sit unused, with little consideration for the individuals whose information it comprises. Data subjects are often unaware that their data is stored in potentially vulnerable folders, which are prone to leaks or loss on the web.

Key Takeaways

1. Lack of Clear Retention Policies Poses Legal Risks
Many companies store personal data without defined retention periods, which can lead to non-compliance with GDPR and significant penalties, as seen in the €800,000 fine imposed on Discord by CNIL.

2. GDPR Emphasises Purpose-Driven Data Retention
Under Article 5.1.e of the GDPR, data must be kept only as long as necessary for the purpose for which it was collected. Organisations must actively define and document these timeframes.

3. A Formal Data Retention Policy is Crucial for Compliance
While GDPR doesn’t mandate a specific document, best practices indicate that a written and implemented data retention policy is essential for demonstrating accountability and ensuring legal compliance.

Regrettably, the retention periods for the data that companies process are often unregulated and poorly organised. This lack of regulation can lead to ambiguity and inconsistency in how long data is retained, posing risks both to individuals’ privacy and to companies’ compliance with data protection laws.

On November 10th, 2022, the French Data Protection Authority (Commission Nationale Informatique & Libertés – CNIL) imposed a fine of 800,000 euros on Discord for multiple breaches of the GDPR. One of the infractions involved Discord’s failure to establish and adhere to a suitable data retention period aligned with the intended purpose, as outlined in Article 5.1.e of the GDPR.

Data Retention Policy

As a company, what should you do to comply with GDPR, or at least work toward it?
The GDPR does not specify what type of documentation you must have to achieve compliance, but practice to date has shown that a Retention Policy is the most important document.

The General Data Protection Regulation (GDPR) has established new guidelines for how businesses handle personal data, outlining what information can be collected and for how long it can be retained.

It’s essential to have a strong data retention policy in place, and three GDPR principles, Storage Limitation, Minimisation, and Accuracy, are central to shaping such a policy.

Storage Limitation means ensuring that personal data isn’t held for longer than necessary.
Minimisation involves collecting only the bare minimum of required data.
Accuracy mandates maintaining precise, current, and dependable information.

In simpler terms, personal data processing must be appropriate, pertinent, and restricted to what’s essential for the specific purposes at hand. Your business should only handle personal data that’s necessary for its operations.

How long should the data be kept?

The GDPR does not prescribe a specific duration for which data should be retained; instead, it requires that data be held for no longer than is necessary for the purpose for which it was collected. The responsibility falls on each company to determine this period, taking into account any other relevant laws that may apply. For instance, where an organisation holds financial information, Anti-Money Laundering legislation may require that customer financial data be retained for five years following the end of the customer relationship.

Therefore, in such a case the data retention period should not extend beyond 5 years after the last interaction with the individual whose data is being stored.

Whether you have some questions regarding the Data Retention Policy or need some assistance with compliance documents, make sure to reach out to us.

Frequently Asked Questions (FAQs)

1. What is the purpose of a data retention policy?
A data retention policy helps organisations determine how long they need to keep personal data and when it should be safely deleted, ensuring compliance with legal and regulatory requirements.

2. Is it mandatory to have a written data retention policy under GDPR?
While the GDPR doesn’t explicitly require a written retention policy, having one is strongly recommended as it demonstrates accountability and helps meet compliance obligations.

3. Can we keep data indefinitely if it’s stored securely?
No. Even if data is stored securely, the GDPR requires that it be retained only as long as necessary for the purpose for which it was collected. Indefinite storage is generally not permitted.

4. How do we determine the appropriate data retention period?
Organisations must consider the original purpose of the data collection, relevant legal or contractual obligations, industry standards, and risk factors to define a justifiable retention period.