What are the basic elements of a GDPR-compliant data retention policy?
Updated: Sep 9, 2021
Under Article 5 of the GDPR, personal data may not be kept in a form which permits identification of data subjects for longer than required for the purposes for which they are processed. There are a number of exceptions to this general rule.
One of these exceptions is when you are obligated to keep records for a certain period of time as required by either a European Member State or EU law. For example, if you are subject to a French law that requires you to keep an employment record for 3 years after the date of termination, you may keep this record for the permitted retention period -- even if there is no practical need to keep the record.
Against this backdrop, it has become increasingly important for companies to understand their records retention requirements and to translate that understanding into a GDPR-compliant records retention policy that is integrated into their overall data security documentation processes.
This blog post describes some of the core elements of a GDPR-compliant data retention policy and how we can help you achieve your regulatory compliance goals in this respect.
Step 1 – Analyze what data you are processing. For example, do you process worker occupational safety and health records, anti-money laundering documentation, employee records or other personal data that are subject to a records retention obligation?
Step 2 – Work with a knowledgeable service provider such as Knowledge Preservation to help you categorize the data that you hold into an easily usable and understandable series of record classes.
Step 3 – Understand which laws and standards govern your business. These can include country-specific legislation, regulatory guidance, industry standards and other similar requirements.
Step 4 – Research or use a third party like Knowledge Preservation to help you research the specific laws that apply to you. For example, are you subject to manufacturing-industry requirements or financial regulations?
Step 5 – Compile a retention schedule that clearly and concisely informs your stakeholders what types of information are covered (i.e. which records you actually hold), how long you are permitted to keep that information and what you should do when you no longer need to maintain the data described in your schedule. This is particularly important because the GDPR does not set out specific time limits for data to be held and instead defers to Member State or European Union law, essentially creating a massive homework assignment!
Step 6 – Refresh and renew (at least annually).
Knowledge Preservation’s information governance professionals stand ready to help you create the records retention policies and practices required to enable your compliance not only with the GDPR but with other regulations applicable to your business. We invite you to contact firstname.lastname@example.org for additional information.