We wish it was that easy. The General Data Protection Regulation (GDPR) does not set any specific retention period. Instead, the GDPR urges your company to determine how long it really needs personal data for a specific business process, and to set the data retention period at that length.

To be precise, the GDPR says about data retention: “personal data may not be kept in a form which permits identification of data subjects for any longer than necessary for the purposes for which the personal data are processed”. That is quite a daunting task. It means that your company should implement a data retention period per purpose for which it processes personal data. How can your company determine what is ‘necessary’? Ask yourself: what is the shortest data retention period your company could implement before it gets into trouble? Beware, the European data protection authorities will ask you to provide examples to illustrate!