Specifically, the GDPR says about personal data retention: “personal data may not be kept in a form which permits identification of data subjects for any longer than necessary for the purposes for which the personal data are processed”. Based on this very generic rule, some data protection authorities have issued guidelines for certain categories of data (e.g. recruitment data or health data).
However, where data protection authorities have not given specific guidance, it will be up to companies to make their own risk assessment. This can be quite a daunting task. It means that companies should implement a personal data retention period for each purpose for which they process personal data. So how do you determine what is ‘necessary’? Companies will need to ask themselves: what is the shortest personal data retention period my company could implement before it gets into trouble? Beware, the European data protection authorities may ask you to provide examples to illustrate!
GDPR consultants often turn red when the topic of how long to store personal data comes up. You will often catch them reciting the mantra of “not longer than necessary” and perhaps one or two examples based on a statutory limitation, HR rule or accounting term. What they often forget to tell you is:
- When to keep personal data
Have your GDPR consultants given you a list of administrative things to fix before you are allowed to start retaining personal data? Think of including the relevant processing in a data inventory, performing a soul-searching data protection impact assessment or explaining yourself in a privacy notice. But did your consultant ever tell you when you should absolutely start to store personal data? Well, there are lots of laws telling you to keep data after you have made a video recording or hired an employee. Knowing when to keep personal data helps you to find out when a certain retention period starts running (and consequently when to destroy the data) and prevents you from infringing laws.
- Why to keep personal data
GDPR consultants will tell you when NOT to keep data. That has something to do with principles such as data minimisation, proportionality and purpose limitation. But sometimes there is just a need to store personal data for a litigation or because of health and safety reasons. Did we say reasons? We mean mandatory legal requirements of course. There are often hundreds of legal retention requirements per country that provide you with a good answer as to why you should keep personal data. Hundreds of “purposes” or “legal grounds” ready to be included in your privacy notice.
- How to keep personal data
GDPR consultants will tell you how NOT to keep personal data. A laptop should not be unencrypted, a door should not be open and a closet should not be unlocked. But how often does one hear a GDPR consultant tell a client that it is smart to store personal data on a redundant file system that allows for immediate access, or that the origin of personal data should be verified by means of an electronic time stamp? With the coming of age of the online world, legislatures are increasingly demanding higher levels of data quality. Be sure not to miss out on these requirements.
- What personal data to store
GDPR consultants will tell you which personal data NOT to keep in view of a certain purpose. They call this data minimisation or privacy-by-default. It is, however, just as important to know which personal data you are better off storing to comply with legal requirements. Did you know that many health and safety laws not only allow but also require you to store medical personal data of your employees? Now please don’t go and tell us that you have just thrown these personal data in the trash…
- How long to store personal data
When was the last time your GDPR consultant told you exactly how long you should store your data? Wait, let us guess: your GDPR consultant told you that there are only 10 retention periods applicable to your company. Well, rest assured, in every country in which you are established there are more than 50 specific retention periods applicable to your personal data. And we are not only thinking of statutory retention limitations that are merely “recommendable”. We mean real retention periods relating to bookkeeping, HR, health and safety, environment, contracting etc.