GDPR – Data Retention and Privacy Policy

GDPR data retention rules state that personal data should never be retained longer than strictly necessary to accomplish the stated business purpose. This is of course a good thing for everyone’s privacy: data that has been deleted can no longer be misused, exposed, hacked, etc.

So in your privacy policy you should specify a data retention period against each of the processing activities, taking into account the nature of the processing, its business purpose and your legal obligations including any legal action. Some examples:

  • Legislation in most EU member countries states that bookkeeping documents (e.g. invoices) should be kept for a period of 7 years. So the retention period here is 7 years or longer if any legal action is pending.
  • After interviewing job candidates one should remove the personal data of those applicants that are not being retained, unless you gather consent from the applicant to remain on file for a specific period in order to be considered for a future position.
  • When terminating a contract with an employee, the data should only be retained for as long as the local labour law prescribes and any potential legal action is pending.

You should make sure your firm has the right processes in place to ensure the personal data of its customers is removed or anonymised periodically. If your systems allow for automated removal of end-of-life data (e.g. log files that are automatically deleted after 6 weeks), be sure to leverage those capabilities. If no such automation is available to you, you should implement a manual process, taking into account the following:

  • Periodically assess which prospect or customer entities have been inactive for long enough that their data should be removed from your systems.
  • If your system has no built-in delete function, you should contact the software vendor. If no delete function is available to you, you should proceed to anonymise all personal data which forms part of those end-of-life entities (e.g. people’s names, addresses, phone numbers, communications, etc.).
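The manual process above (assess inactivity against a retention period, skip records under legal hold, then anonymise the personal-data fields of whatever is end-of-life) can be scripted as a periodic job. The following is an added example, not code from the original page or from any particular product; the record layout, the field names, the retention periods and the sample data are all constructed for illustration and would need to be mapped onto your own system.

```python
"""Added example: a periodic retention job that finds prospect/customer
entities inactive beyond their retention period and anonymises their
personal-data fields in place, keeping an audit summary of what it did.
Record layout, retention periods and sample data are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Retention period per processing activity (assumed values for the example;
# set these from your own privacy policy).
RETENTION = {
    "prospect": timedelta(days=365),       # 1 year of inactivity
    "customer": timedelta(days=3 * 365),   # 3 years after last activity
}


@dataclass
class Entity:
    entity_id: int
    kind: str                    # "prospect" or "customer"
    last_activity: date
    name: str
    address: str
    phone: str
    communications: list = field(default_factory=list)
    legal_hold: bool = False     # pending legal action blocks removal
    anonymised: bool = False


def retention_cutoff(kind: str, today: date) -> date:
    """Last-activity dates strictly before this cutoff are end-of-life."""
    return today - RETENTION[kind]


def is_inactive(e: Entity, today: date) -> bool:
    return e.last_activity < retention_cutoff(e.kind, today)


def anonymise(e: Entity) -> Entity:
    """Replace every personal-data field so the record can no longer identify
    a person, while keeping the non-personal skeleton (id, kind, dates) for
    statistics and referential integrity."""
    e.name = "REDACTED"
    e.address = "REDACTED"
    e.phone = "REDACTED"
    e.communications = []        # message bodies are personal data too
    e.anonymised = True
    return e


def run_retention_job(entities, today: date) -> dict:
    """Anonymise every end-of-life entity. Returns an audit summary with the
    ids anonymised and the ids skipped because of a legal hold, so the run
    can be reviewed and evidenced."""
    processed, held = [], []
    for e in entities:
        if e.anonymised or not is_inactive(e, today):
            continue
        if e.legal_hold:
            held.append(e.entity_id)   # retain until the legal action ends
            continue
        anonymise(e)
        processed.append(e.entity_id)
    return {"anonymised": processed, "legal_hold": held}


def build_sample() -> list:
    """Constructed sample records (hypothetical people and dates)."""
    return [
        Entity(1, "prospect", date(2023, 1, 15), "A. Example", "1 High St", "+00 1111",
               communications=["quote request"]),
        Entity(2, "prospect", date(2024, 3, 10), "B. Example", "2 High St", "+00 2222"),
        Entity(3, "customer", date(2020, 5, 1), "C. Example", "3 High St", "+00 3333",
               communications=["support ticket"]),
        Entity(4, "customer", date(2019, 11, 20), "D. Example", "4 High St", "+00 4444",
               legal_hold=True),
    ]


if __name__ == "__main__":
    records = build_sample()
    print(run_retention_job(records, date(2024, 6, 1)))
    for r in records:
        print(r.entity_id, r.kind, r.name, r.phone, r.anonymised)
```

Run it on a schedule (daily or weekly) and keep the returned summary as evidence of the retention process. The job deliberately anonymises rather than deletes so that referential integrity and aggregate statistics survive; if your system does offer a real delete function, prefer it, because anonymised data can still be re-identified if a field is missed.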

Also note that GDPR requires appropriate access control to be in place at all times. When a personal data file is no longer relevant for day-to-day operations (e.g. an employee has left the company), the file should be archived and its access control changed so that fewer people have access, in line with its reduced relevance to the firm.

For more information on data security, check out our knowledge base on the topic.