How to write a GDPR data retention policy

Under the GDPR, personal data may be kept only for as long as it is needed for the purpose for which it is processed (the storage limitation principle). To be able to demonstrate this, organizations must have a data retention policy that sets out retention periods for each category of data and the standards to be applied when information is destroyed or deleted.

This policy applies to all business activities, processes, and systems in which the organization processes personal data, including processing carried out through its relationships with third parties.
The data retention policy should form part of the organization's wider GDPR documentation, alongside the records of processing, which must state the envisaged retention periods for each category of data.

What is a data retention policy?

A data retention policy is a set of rules that determine how long each category of information must be retained and how it is to be disposed of once it is no longer needed.

The policy should also state the purpose for which each category of personal data is processed. This gives you documented evidence that justifies the retention periods and disposal methods you have chosen.

Purpose of the policy

The purpose of the policy is to set rules for data retention and to assign responsibility for disposal. Once an organization decides to destroy data, the destruction must be thorough to a degree commensurate with the value and confidentiality of the data. The method of disposal therefore depends on the nature of the record.

The first step is to get a complete picture of exactly what personal data you process, what it is used for, and which regulations apply to your business. The conditions for processing personal data may also be affected by international agreements, codes of conduct or standards (e.g., PCI DSS if you process individuals' debit or credit card information).

Similarly, if you intend to comply with ISO/IEC 27001, the standard for information security management systems, its requirements must be taken into account as well.

How long can personal data be kept?

Although the GDPR is strict about storage limitation, it does not prescribe fixed retention periods. Each organization must set its own retention periods and be able to justify them if challenged.

A retention period should be based on two key factors:
  • the purposes for which the data is processed
  • any regulatory or legal requirements to retain it (for example, statutory minimum retention periods for accounting or employment records)

Where a legal retention requirement is longer than the processing purpose needs, the legal minimum governs; once both have expired, the data must be disposed of.

What to do with data after the data retention period

After the retention period expires, you have two options: delete the data or anonymize it. Properly anonymized data can no longer be linked to an individual and so falls outside the GDPR; pseudonymized data, which can still be re-identified with additional information, does not count as anonymized and remains personal data. The data retention policy must include a data disposal plan.

Disposal of printed data is relatively simple. Shredders from different suppliers are available at different security levels (PT2, PT3, PT4) and can be used to dispose of documents, but the security level chosen must match the sensitivity of the data being destroyed. Alternatively, you can use a third-party disposal company that securely destroys the documents it receives according to a documented protocol, ideally with a certificate of destruction for your records.

Data processed in electronic form often leaves traces: most often backups and copies on file servers, in databases, or in e-mail. When disposing of electronic data, all copies must be removed from both live and backup systems. Because backups usually cannot be edited selectively, the disposal plan should state how long backup media are kept and when records deleted from live systems will also have aged out of the backups; until then, the data still exists, and the policy should say so.

Creating a data retention policy can seem like a daunting task. If you need help, do not hesitate to contact us: we can provide a template that you can customize to your needs, or develop a policy for you.