User data has longtime been a valuable asset for businesses, with data protection laws being introduced to regulate the way it can be responsibly handled. Needless to say, that when it comes to collecting data, businesses need to be aware of the legal requirements and best practices that come with it! One of these practices is having a data retention policy.
👀 Let’s dive in.
First and foremost, what is data retention? It refers to data being stored and used for a set period of time, called the data retention period. In short, this period defines how long the data (i.e. an email address, medical file, payroll) will be kept for, before having to be deleted.
The data retention policy is not a standalone “policy” document like the privacy policy in the GDPR understanding. It is more of an internal assessment to define all the following information, for each processing activity:
It is an important part of your business’ internal privacy management, along with keeping track and being able to describe security measures, legal basis for processing, data transfer outside the EU and the parties that you share the data with.
Your data controller needs to carry out an assessment based on a number of criteria to define retention periods for the categories of personal data that is processed, and then disclose this information to users.
In general, data retention periods can be:
💡 Apart from carrying out an internal assessment of your data retention policy, please also note that under GDPR Article 13 you are legally required to disclose retention periods for each of your processing activities!
👋 Sounds complicated? It doesn’t have to be! See how to do it in this section
🇺🇸 California’s CPRA (CCPA amended) that came into force in January 2023, is another strong example. It now requires mentioning the retention period for each category of personal information, including sensitive personal information, in a notice at collection. Businesses are therefore advised to limit personal information’s retention to the shortest amount of time necessary and to the purpose for which it was collected.
You might find useful considering the following questions:
📌 Until when do I really need the data for the business to achieve the initial objective?
📌 Am I legally obliged to keep the data for a certain period of time?
📌 Should I keep certain data to protect myself from a potential issue?
📌 Which data needs to be stored? For how long?
📌 What are the rules for storing or deleting data?
Here are some key principles to follow as you build your data retention policy:
✅ Have a precise, legal and legitimate purpose;
✅ Set a precise, time-limited retention period;
✅ Data must be relevant and necessary;
✅ Data must be stored for the shortest time possible;
✅ Data is safe and protected.
Here’s how you can disclose data retention to your users.
Best practice is to include accurate data retention information via your privacy documents, such as your privacy policy.
Here’s how to do this with iubenda:
🚀 Use our Privacy and Cookie Policy Generator to add the technologies you use on your website (i.e. Facebook access);
🚀 Use our Internal Privacy Management tool for defining storage duration for each processing activity;
🚀 Generate your privacy policy with all necessary default disclosures! (See example below)
