Privacy laws and data retention are closely related. Privacy laws often require companies to justify the storage of data and to set an end date for the data life cycle. Once that end date has passed, personal data will need to be deleted.
Specifically, the GDPR says about data retention: “personal data may not be kept in a form which permits identification of data subjects for any longer than necessary for the purposes for which the personal data are processed”.
Based on this very generic rule, a number of data protection authorities have issued guidelines with regard to certain categories of data (e.g. recruitment data or health data). Where data protection authorities have issued such guidelines, we include them in our retention schedules.
However, where data protection authorities have not given specific guidance, it will be up to companies to make their own risk assessment. This can be quite a daunting task. It means that companies should implement a data retention period for each purpose for which they process personal data. So how do you determine what is ‘necessary’? Companies will need to ask themselves: what is the shortest data retention period my company could implement before it gets into trouble? Beware: the European data protection authorities may ask for examples to illustrate!
And this is exactly where our service comes into play. filerskeepers helps companies decide which retention period to choose per system or document category. We do this by giving our customers insight into the legal maximum and minimum retention periods applicable in the countries relevant to them. This helps companies justify why they are storing data (“for compliance with income tax rules”) and for how long (“for 10 years from the date following the end of the book year”).