Data Retention Policy Checklist

June 2017

The GDPR sets up additional requirements around retention of personal data compared to the Data Protection Directive. Given that a breach of these provisions can lead to the imposition of considerable fines, data retention is not simply a matter for IT and administration, but a business consideration with potentially significant financial impact if you don't get it right. This checklist sets out the key issues that a business should consider when implementing a data retention policy.

Data storage

First of all, it is important to have an overview of where personal data is stored in your company. This may include:

  • own servers;
  • third party servers;
  • email accounts;
  • desktops;
  • employee-owned devices (BYOD);
  • backup storage; and/or
  • paper files.

General retention periods

Generally, personal data should only be retained for as long as necessary. The retention periods can differ based on the type of data processed, the purpose of processing or other factors. Issues to consider include:

  • Whether any legal requirements apply for the retention of any particular data. For example:
    • Trade law;
    • Tax law;
    • Employment law;
    • Administrative law;
    • Regulations regarding certain professions, e.g. medical.
  • In the absence of any legal requirements, personal data may only be retained as long as necessary for the purpose of processing. This means data is to be deleted, for example, when:
    • the data subject has withdrawn consent to processing;
    • a contract has been performed or cannot be performed anymore; or
    • the data is no longer up to date.
  • Has the data subject requested the erasure of data or the restriction of processing?
  • Is the retention still necessary for the original purpose of processing?
  • Exceptions may apply to the processing for historical, statistical or scientific purposes.

During the retention period

  • Establish periodical reviews of data retained.
  • Establish and verify retention periods for data considering the following categories:
    • the requirements of your business;
    • type of personal data;
    • purpose of processing;
    • lawful grounds for processing; and
    • categories of data subjects.
  • If precise retention periods cannot be established, identify criteria by which the period can be determined.

Expiration of the retention period

After the expiration of the applicable retention period, personal data does not necessarily have to be completely erased. It is sufficient to anonymise the data. This may, for example, be achieved by means of:

  • erasure of the unique identifiers which allow the allocation of a data set to a unique person;
  • erasure of single pieces of information that identify the data subject (whether alone or in combination with other pieces of information);
  • separation of personal data from non-identifying information (e.g. an order number from the customer’s name and address); or
  • aggregation of personal data in a way that no allocation to any individual is possible.

In some cases, no action will be required if data cannot be allocated to an identifiable person at the end of the retention period, for example, because:

  • the pool of data has grown so much that personal identification is not possible based on the information retained; or
  • the identifying data has already been deleted.
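The two lists above (anonymising expired records, and taking no action where the identifying data is already gone) as an added Python example; it is not part of the checklist. The field names, the two-year period, the reference date and the sample orders are constructed for this example, and the aggregation step goes slightly beyond the text by pooling any group too small to hide an individual.

```python
from collections import Counter
from datetime import date, timedelta

# Assumptions for this example: which fields identify a person, how long
# orders are kept, and how small an aggregate group may be before it could
# point at one individual.
IDENTIFYING_FIELDS = ("customer_id", "name", "address")  # unique id plus single identifying items
RETENTION = timedelta(days=2 * 365)
MIN_GROUP = 3
TODAY = date(2017, 6, 1)  # constructed reference date for the review run

# Constructed sample data: order records with the customer's identity stored alongside.
ORDERS = [
    {"order_no": "A-1001", "customer_id": "C-42", "name": "Alice Example",
     "address": "1 Main St", "city": "Leeds", "placed": date(2014, 3, 5), "amount": 120.0},
    {"order_no": "A-1002", "customer_id": "C-43", "name": "Bob Example",
     "address": "2 High St", "city": "Leeds", "placed": date(2014, 6, 1), "amount": 80.0},
    {"order_no": "A-1003", "customer_id": "C-44", "name": "Cara Example",
     "address": "3 Low Rd", "city": "Leeds", "placed": date(2015, 1, 9), "amount": 40.0},
    {"order_no": "A-1004", "customer_id": "C-45", "name": "Dan Example",
     "address": "4 Mill Ln", "city": "York", "placed": date(2015, 2, 2), "amount": 55.0},
    {"order_no": "A-1005", "customer_id": "C-46", "name": "Eve Example",
     "address": "5 Park Ave", "city": "York", "placed": date(2017, 5, 20), "amount": 99.0},
]

def is_expired(record, today):
    """True once the record's retention period has run out."""
    return today - record["placed"] > RETENTION

def anonymise(record):
    """Erase the identifying fields; the order number stays, as it no longer links to a person."""
    return {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}

def apply_retention(records, today):
    """Keep active records as they are; anonymise expired ones that still identify someone."""
    active, anonymised = [], []
    for r in records:
        if not is_expired(r, today):
            active.append(r)
        elif any(f in r for f in IDENTIFYING_FIELDS):
            anonymised.append(anonymise(r))
        else:
            anonymised.append(r)  # identifying data already deleted: no action required
    return active, anonymised

def aggregate(records):
    """Per-city totals; a group smaller than MIN_GROUP is pooled into 'other'."""
    by_city = {}
    for r in records:
        by_city.setdefault(r["city"], []).append(r["amount"])
    out = Counter()
    for city, amounts in by_city.items():
        out[city if len(amounts) >= MIN_GROUP else "other"] += sum(amounts)
    return dict(out)
```

Running the same pass again over the anonymised output changes nothing, which is the "no action required" case from the checklist.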

Information obligations

In addition to other information obligations, in the context of data retention, data subjects must be informed of:

  • the retention period;
  • if no fixed retention period can be provided – the criteria used to determine that period; and
  • the new retention period if the purpose of processing has changed after personal data has been obtained.

If you have any questions on this article or would like to propose a subject to be addressed by the Global Data Hub please contact us.