How to Create a GDPR Data Retention Policy

    Much was made of the General Data Protection Regulation (GDPR) between when it was first drafted on April 14, 2016 and when it was implemented on May 25, 2018. Although the chatter around GDPR has died down significantly since then, it still remains an important regulation, one which businesses must carefully observe, especially when it comes to storing personal data.

    In this article, we’ll take a closer look at what GDPR is, how it relates to data retention and how to craft a GDPR-compliant data retention policy.

    What is GDPR?

    GDPR is a regulation created by the European Union (EU) to protect the personal and private data of citizens of the EU and the European Economic Area and to establish a standard for data security laws across Europe.

    GDPR defines personal data under Article 4 as “any information relating to an identified or identifiable natural person (‘data subject’).” It goes on to clarify that:

    “An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

    What are the Consequences of Non-Compliance?

    GDPR non-compliance can mean stiff fines on data controllers — that is, any organization that processes personal data. GDPR assesses the severity of each infraction using the following 10 criteria:

    • The nature of the infringement
    • Whether the infringement was intentional or negligent
    • Whether the firm took any actions to mitigate damage to data subjects
    • Whether the firm took preventative measures against non-compliance
    • Prior infringements, both under GDPR and the Data Protection Directive
    • How cooperative the firm is with the relevant supervisory authority
    • The types of data affected by the infringement
    • Whether the firm proactively reported the infringement to the relevant supervisory authority
    • Whether the firm has adhered to approved codes of conduct
    • Any other aggravating or mitigating factors

    Depending on the findings of the relevant supervisory authority, organizations could be fined up to €10 million or 2% of the worldwide annual revenue of the prior financial year (whichever is higher) for a lower-level infraction, and up to €20 million or 4% of the worldwide annual revenue of the prior financial year (again, whichever is higher) for an upper-level infraction. Since GDPR’s implementation, 347 different organizations have been fined a total of €175,944,866; Google has received the largest fine to date for a total of €50 million.

    As you can clearly see, GDPR compliance is not something to be taken lightly, making it all the more important for businesses to be mindful of how they approach data retention.

    What Does GDPR Say About Data Retention?

    GDPR includes a few specific requirements related to how businesses and other organizations can process data, how long they can store it for and how it should be disposed of at the end of the designated retention period.

    How Data Should be Processed

    When we talk about data processing as it pertains to GDPR, we’re referring to a “wide range of operations performed on personal data” including collection, recording, storage, alteration, retrieval and so on. Some common examples of data processing include storing IP addresses, sending promotional emails and video recording.

    To that end, Article 5 of GDPR stipulates that personal data shall be “processed lawfully, fairly and in a transparent manner”; “adequate, relevant and limited to what is necessary”; “accurate and, where necessary, kept up to date”; and, perhaps most importantly, “processed in a manner that ensures appropriate security of the personal data.”

    How Long You Can Store Data

    Although GDPR does not specify retention periods for personal data, it does state that it shall be “kept in a form which permits identification of data subjects for no longer than is necessary.” Rule of thumb dictates that you store personal data only if you have a legitimate use for it and, even then, only for as long as you actually need it. Be mindful to periodically review any personal data you hold and dispose of data when you no longer need it; this will reduce your exposure to potential data breaches or other security threats.

    It’s worth noting that there is an exception to GDPR’s guidelines regarding data retention. It’s possible to retain personal data for longer periods of time if that data is archived pursuant to public interest, scientific or historical research or statistical purposes.

    How to Properly Dispose of Data

    One of the key protections outlined under GDPR is a data subject’s right to erasure. According to Article 17, this refers to the data subject’s “right to obtain from the controller the erasure of personal data concerning him or her without undue delay.”

    The data subject reserves the right to be forgotten if:

    • Their personal data is no longer necessary to the purposes for which it was collected or processed
    • They withdraw consent
    • They object to the processing
    • They believe their data to have been unlawfully processed
    • Their personal data must be erased for legal compliance purposes

    Whether you intend to dispose of data due to a right to erasure request or simply because your organization no longer has a need for it, it’s imperative that you do so in a GDPR-sanctioned way. At present, GDPR allows for two methods of disposal: deletion and anonymization. Should you choose to delete data, be sure to erase all digital and hard copies; on the digital side, this should involve combing through forgotten file servers and databases, as well as live and backup systems, to eliminate all traces.

    According to Recital 26 of GDPR, anonymized data is “data rendered anonymous in such a way that the data subject is not or no longer identifiable.” Anonymization is not to be confused with pseudonymization, which describes “the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information.” Although both anonymization and pseudonymization involve masking personal data, pseudonymization can be reversed and is, therefore, insufficient for disposal purposes. Should you choose to anonymize rather than delete personal data, GDPR permits you to hold onto that data for as long as you’d like.

    The Importance of Data Retention Policies

    A data retention policy, also known as a record retention policy, is an organization’s established protocol for maintaining information. The primary purpose of a data retention policy is to ensure proper data management in accordance with relevant legal statutes and regulations; GDPR is one such regulation. Ultimately, data retention policies are essential to mitigating potential business risk in the form of fines, penalties or reputational damage as a direct result of non-compliance.

    For more information on data retention policies, including best practices for establishing your own policies, we recommend reading our blog post on the subject.

    How to Draft a GDPR-Compliant Data Retention Policy

    In order to remain GDPR-compliant, it’s important that you implement and enforce a data retention policy that specifies the purpose for processing personal data, establishes a legal basis for processing personal data and provides a detailed record of all processing activities. Your GDPR data retention policy should also define retention times for different types of personal data and specify how data will be stored and secured in order to prevent potential exposure. It should go without saying that you should enlist legal counsel when defining data retention policies to ensure that your organization is in good legal standing.

    Ensure GDPR Compliance with Intradyn

    In addition to establishing a strong retention policy (or policies, as the case may be), the best way to remain GDPR-compliant is by investing in a comprehensive archiving solution.

    Intradyn’s all-in-one archiving solution is ideally suited for ensuring legal and regulatory compliance across all industries and lines of business. Securely store and rapidly retrieve emails, text messages, social media communications and more with our easy-to-use, unified solution. To learn more about Intradyn and how we can help you comply with GDPR and other key regulations, contact us today.

    Azam Qureshi

    Azam is the president, chief technology officer and co-founder of Intradyn. He oversees global sales and marketing, new business development and is responsible for leading all aspects of the company’s product vision and technology department.
