Aug 12, 2021 | Blog

GDPR and Data Retention

Howard Freeman


Data protection law has changed in the United Kingdom now that we have left the European Union.

The General Data Protection Regulation (GDPR) requires organisations to create a data retention policy and schedule. Its purpose is to help them manage the way they handle personal information. You must not keep personal data for longer than necessary. This applies even if it is being held securely and not being processed; you may still be violating the Regulation's requirements. This might sound tough, but there is a good reason for it. In this article, we explain why, and how data retention policies work.

GDPR and Data Retention Policy

What is a Data Retention Policy?

A data retention policy is a set of guidelines to help organisations understand how long they retain data.

The policy should also outline the purpose for processing the personal data. This ensures that you have documented proof that justifies your data retention and disposal periods.


Your organisation does not want to get rid of data. Why? Because it costs practically nothing to store customer details, but keeping it unnecessarily exposes it to risk. We are natural hoarders, and that is dangerous in the world of data.

A breach could spell disaster. Whether it is caused by an internal error or an attack, the consequences could be severe.

So, to limit the damage that data breaches can cause, regulators mandated that EU-based organisations must retain personal data only if there’s a legitimate reason for keeping it.

How long should data be kept?

Despite the apparent strictness of the GDPR on data retention, it does not lay down fixed storage periods.

Organisations can instead set their own deadlines based on whatever grounds they see fit. The only requirement is that the organisation must document and justify why it has set the timeframe it has.

You must base your decision on two key factors: the purpose for processing the data and any regulatory or legal requirements for retaining it.

Personal data must not be held for longer than is necessary. You must not keep it simply because you think you might need it in the future. As long as one of your purposes still applies, you can continue to store the data.

You should also consider your legal and regulatory requirements to retain data, for example where the data is subject to tax rules and audits. Where the data must comply with defined standards, there will be data retention guidelines you must follow. You must document this.


You must plan how your data will be used. If it will be needed for future use, then a data flow map should be created. This process also helps when it comes to locating data and removing it once your retention period expires.

There are two ways you can avoid data retention deadlines. The first is by anonymising data.

If your data is anonymised, the GDPR allows you to keep it for as long as you want. You should be careful when doing this, however. If the data exists elsewhere in your business and it can be used to identify the individual, then it is not adequately anonymised.

You can also set aside the data retention deadline if required. You can do this if the information is being kept for the purposes of archiving. This might be in the public interest, or for scientific or historical research purposes. It may also be for statistical purposes. In these cases you can retain it. However, you must document your reasons for doing so.

Old Data – can I keep it?

You have two options when the deadline for data retention expires: delete the data or anonymise it.

When taking the deletion option, it is vital that you delete all the data. To do this, you must understand where all your data exists. Is it a digital file, hard copy or both? Your Data Asset Register should help you here. If you don't know, then you are not complying with the Regulation.

It is very easy to erase hard copy data. However, digital data often leaves a trace, and copies may reside in forgotten file servers and databases. To comply with the GDPR, you will need to put the data 'beyond use'. All copies of the data must be removed from live and backup systems.
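To make the retention decisions above concrete, here is an added example (not code from the original post or from Howard Freeman) of a small retention enforcer. It assumes a documented schedule that maps each processing purpose to a retention period and an expiry action, and it works over named stores ("live" and "backup") so that a deletion removes every copy. Before it anonymises a record, it checks whether a remaining field can still be joined to a record elsewhere in the business that carries a direct identifier; if so, the data is not adequately anonymised and the record is deleted instead. The retention periods, store layout and sample records are constructed placeholders, not legal advice.

```python
from copy import deepcopy
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule (illustrative periods, not legal advice):
# purpose -> retention period in days and the action once it expires.
RETENTION_SCHEDULE = {
    "customer_account":   {"days": 365,     "on_expiry": "delete"},
    "invoice_tax_record": {"days": 6 * 365, "on_expiry": "delete"},
    "service_statistics": {"days": 90,      "on_expiry": "anonymise"},
}

# Fields that directly identify a person; these are stripped on anonymisation.
DIRECT_IDENTIFIERS = {"name", "email", "phone"}


@dataclass
class Record:
    record_id: str
    purpose: str
    collected: date
    data: dict


def expiry_date(record: Record) -> date:
    """Retention deadline: collection date plus the documented period for its purpose."""
    return record.collected + timedelta(days=RETENTION_SCHEDULE[record.purpose]["days"])


def anonymise(data: dict) -> dict:
    """Drop the direct identifiers; the remaining fields are what would be kept."""
    return {k: v for k, v in data.items() if k not in DIRECT_IDENTIFIERS}


def reidentifiable(record_id: str, stripped: dict, stores: dict) -> bool:
    """True if a remaining value can be joined to another record (in any store)
    that still carries a direct identifier, i.e. the stripped data is not
    adequately anonymised because the business holds the link elsewhere."""
    for store in stores.values():
        for other in store.values():
            if other.record_id == record_id:
                continue  # copies of the same record do not count
            if not DIRECT_IDENTIFIERS & other.data.keys():
                continue  # joining to an already-anonymised record reveals nothing
            if any(other.data.get(k) == v for k, v in stripped.items()):
                return True
    return False


def apply_retention(stores: dict, today: date) -> list:
    """Apply the schedule to every record in every store; returns an audit log
    of (record_id, outcome) so the action taken can be documented."""
    log = []
    all_ids = sorted({rid for store in stores.values() for rid in store})
    for rid in all_ids:
        # Any copy will do: copies share purpose and collection date.
        record = next(store[rid] for store in stores.values() if rid in store)
        if today <= expiry_date(record):
            log.append((rid, "retained"))
            continue
        outcome = "deleted"
        if RETENTION_SCHEDULE[record.purpose]["on_expiry"] == "anonymise":
            stripped = anonymise(record.data)
            if reidentifiable(rid, stripped, stores):
                outcome = "deleted (anonymisation insufficient)"
            else:
                for store in stores.values():  # anonymise every copy
                    if rid in store:
                        store[rid].data = dict(stripped)
                log.append((rid, "anonymised"))
                continue
        for store in stores.values():  # put beyond use: remove from live AND backup
            store.pop(rid, None)
        log.append((rid, outcome))
    return log


def build_sample_stores() -> dict:
    """Constructed sample data: a live store and a backup holding stale copies."""
    live = {
        "r1": Record("r1", "customer_account", date(2020, 1, 1),
                     {"name": "Alice Example", "email": "alice@example.test", "customer_ref": "C-100"}),
        "r2": Record("r2", "invoice_tax_record", date(2019, 3, 1),
                     {"name": "Bob Example", "amount": 120}),
        "r3": Record("r3", "service_statistics", date(2021, 3, 1),
                     {"name": "Carol Example", "customer_ref": "C-300", "page_views": 42}),
        "r4": Record("r4", "service_statistics", date(2021, 1, 10),
                     {"name": "Dan Example", "customer_ref": "C-200", "page_views": 7}),
        "r5": Record("r5", "customer_account", date(2021, 6, 1),
                     {"name": "Dan Example", "email": "dan@example.test", "customer_ref": "C-200"}),
    }
    backup = {rid: deepcopy(live[rid]) for rid in ("r1", "r3")}
    return {"live": live, "backup": backup}


def run_example():
    stores = build_sample_stores()
    log = apply_retention(stores, date(2021, 8, 12))
    return log, stores


if __name__ == "__main__":
    for rid, outcome in run_example()[0]:
        print(rid, outcome)
```

In the sample run, r1 has passed its deadline and is removed from both the live and backup stores; r3 is anonymised in both copies; r4 would be anonymised, but its `customer_ref` still joins to r5, which holds a name and email, so it is deleted instead; r2 and r5 are within their retention periods and kept. The returned log is the documented justification for each action.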

Creating a Data Retention Policy

Your data retention policy should be part of your overall information security documentation process.

The first step is to gain a full picture of exactly what data you are processing. You should then establish what your legal basis for processing is. It is important that you also identify regulations that may impact your business. For example, if you process individuals' debit or credit card information, you may be subject to the PCI DSS (Payment Card Industry Data Security Standard).

Similarly, if you intend to comply with ISO 27001, the international standard that describes best practice for information security, you must take note of its requirements.

Such compliance requirements dictate the information that will be in your policy and the rules it must follow.

Putting together a GDPR and data retention policy is not easy. If you need help please call us on 03333 22 1011 or contact us here.
