When you think you have seen it all, and mastered all laws and regulations as a true industry specialist… enter the General Data Protection Regulation (GDPR). Nowadays, many consultants and legal experts brand themselves a GDPR specialist. However, knowing all about the GDPR does not mean that a GDPR consultant can tell you what personal data to store, when to start storing them, how long to store your personal data and why you need to store them. Personal data retention is a true art. In this blog we explore the 5 things GDPR experts do not tell you about keeping data under the GDPR.
What does the GDPR say about personal data retention?
The GDPR tells companies never to store personal data longer than necessary for the purpose for which the data have been collected or used. As a result, virtually every minimum retention period relating to a piece of information containing personal data becomes a maximum retention period (read more about minimum vs maximum retention periods). The GDPR and records retention closely relate to each other. Often privacy laws impose on companies that they justify the storage of data and to include an end date for the data life cycle. After the end date lapses personal data will need to be deleted.

Specifically, the GDPR says about personal data retention: “personal data may not be kept in a form which permits identification of data subjects for any longer than necessary for the purposes for which the personal data are processed“. Based on this very generic rule some of data protection authorities have issued guidelines with regard to certain categories of data (e.g. recruitment data or health data). 

However, where data protection authorities have not given specific guidance, it will up for companies to make their own risk assessment. This can be quite a daunting task. It means that companies should implement a personal data retention period per purpose for which it processes personal data. So how to determine what is ‘necessary’? Companies will need to ask themselves: what is the shortest personal data retention period my company could implement before it gets into trouble? Beware, the European data protection authorities may ask to provide examples to illustrate!
The five things consultants don’t tell you about storing data under the GDPR

GDPR consultants often turn red when the topic of how long to store personal data comes up. You will often catch them reciting the mantra of “not longer than necessary” and perhaps one or two examples based on a statutory limitation, HR rule or accounting term. What they often forget to tell you is:

  • When to keep personal data

Has your GDPR consultants given you a list of administrative things to fix before you are allowed to start to retain personal data? Think of including the relevant processing in a data inventory, to perform a soul searching data protection impact assessment or to explain yourself in a privacy notice. But did your consultant ever tell you when you should absolutely start to store personal data? Well, there are lots of laws telling you to keep data after you have made a video recording or hired an employee. Knowing when to keep personal data helps you to find out when a certain retention period starts running (and consequently when to destroy it) and prevents you from infringing laws.

  • Why to keep personal data
GDPR consultants will tell you when NOT to keep data. That has something to do with principles such as data minimisation, proportionality and purpose limitation. But sometimes there is just a need to store personal data for a litigation or because of health and safety reasons. Did we say reasons? We mean mandatory legal requirements of course. There are often hundreds of legal retention requirements per country that provide you with a good answer as to why you should keep personal data. Hundreds of “purposes” or “legal grounds” ready to be included in your privacy notice.
  • How to keep personal data
GDPR consultants will tell you how NOT to keep personal data. A laptop should not be unencrypted, a door should not be open and a closet not unlocked. But how often does one hear a GDPR consultant tell a client that it is smart to store personal data on a redundant file system that allows for immediate access or the fact that the origins of personal data should be verified by means of an e-time stamp. With the coming to age of the online world, legislatures are increasingly demanding higher levels of data quality. Be sure not to miss out on these requirements.
  • What personal data to store

GDPR consultants will tell you which personal data NOT to keep in view of a certain purpose. They call this data minimisation or privacy-by-default. It is, however, just as important to know which personal data you are better off storing to comply with legal requirements. Did you know that many health and safety laws do not only allow but also require you to store medical personal data of your employees? Now please don’t go and tell us that you have just thrown these personal data away in the trash…

  • How long to store personal data
When was the last time your GDPR consultant told you how long exactly you should store your data? Wait, let us guess, your GDPR consultant told you that there are only 10 retention periods applicable to your company. Well rest assured, in every country you are established there are at least over 50 specific retention periods applicable to your personal data. And we are not only thinking of statutory retention limitations that are “recommendable”. We mean real retention periods relating to bookkeeping, HR, health and safety, environment, contracting etc.
Having said this, always cherish your GDPR consultant and don’t forget to give him a regular hug. We make sure we cherish ours. The GDPR is incredibly important and data compliance is undoubtedly key. We wish the GDPR would just have a list of retention periods, but the GDPR does not set any specific retention periods. Instead, the GDPR urges your company to determine how long it really needs personal data for a specific business process. And set the personal data retention period there. Don’t blame your GDPR consultant, mastering personal data retention under the GDPR is just as tough for them as it is for your company. There are just too many retention laws in the world. So let’s team up, it’s what we are here for!
filerskeepers helps companies decide which retention period to choose per system or document category.  We do this by providing our customers with insight into the legal maximum and minimum retention periods applicable in the countries relevant to them. This helps companies to justify why they are storing personal data (for example: “for compliance with income tax rules”) and for how long (for example: “for 10 years from the date following the end of the book year”).