GDPR: Data Retention

Blog, gdpr

The clock is ticking and we're now under the one year mark until the GDPR is enforced. The General Data Protection Regulation (GDPR) requires that personal data is stored only for as long as necessary.

The data retention criterion is defined in Rec. 39 and Art. 5(1)(e) of the Regulation, which state that:

"Personal data must be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or scientific, historical, or statistical purposes in accordance with Art. 89(1) and subject to the implementation of appropriate safeguards."

What does this mean to you?

As a data controller or data processor you are no longer allowed, or expected, to keep information in your CRMs, databases, mailing lists and so on for as long as possible. Under GDPR you may only retain personal data for as long as is necessary for the purpose it was collected for.

As an example: if you have a customer in your CRM system that you have not had contact with for 24 months, and they have not bought anything from you in that time, it is more than likely that they are not going to buy anything in the near future.

If you have had no contact with the customer in two years, it could be deemed unnecessary to hold their personal data in your system. But should you delete all of their data? If they come back within three years you need a way to link them back to their historical purchases. This is where pseudonymisation comes into play.


One way to keep the information you need while adhering to the GDPR retention rules is pseudonymisation. Pseudonymisation means stripping the direct identifiers that link a record back to the customer (name, address, contact information, email address and so on) while keeping the non-identifying data and the Customer ID on the account. When the customer contacts you again, you can identify them via that ID and update their account. One caveat: as long as you hold the means to link the ID back to a person, the record is still personal data under the Regulation (Rec. 26), so pseudonymisation is a safeguard that reduces exposure, not a way out of the retention rules altogether.

How this is tackled will vary from business to business, and businesses with older systems may need to look at renewing them, or bringing in people to update their ageing systems if they cannot be upgraded.

Who has your data?

It's rare in business to have all of your personal data in one place. In an ever-connected world, businesses make use of cloud-based applications, and CRMs, HR systems, payroll and suppliers are all online. As part of your data retention criteria you will need to identify every system that stores your data and decide how you will deal with retention in each. This can be done with a data mapping exercise, which will more than likely open a can of worms and may take longer than expected to complete. So start now if you haven't already.

Once you know how many systems store personal data, you then have to look at how to implement the retention policies. Manually deleting or amending hundreds or thousands of records to keep your systems up to date is a chore, and it is error-prone. Having automation in place will be key.

How long do you retain the data?

Every business will be different and it is down to the business to define an acceptable period for storing data. Ideally you look at how you process your information and define a timeframe for each type of data. For instance, for client contracts that have finished, you might keep the data for the lifetime of the contract plus two years.

For customers who buy from you, you might keep their data for 18 months after the last purchase date (unless the subscription or similar runs longer than that).

It is important to look at the different services you offer and how they are integrated. Once documented, you can map out how long to retain each type of data and look at ways to make the process as painless as possible.
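The following is an added example, not code from the original post, showing how the pseudonymisation approach and the retention periods described above can be automated against a CRM database. The schema, column names, the two record kinds ("customer" and "contract") and the sample rows are all assumptions constructed for the example; the retention windows (18 months after the last purchase, contract end plus two years) are the figures used in this post. Direct identifiers are blanked, while the customer ID and the purchase history are kept so a returning customer can be re-linked. Because that re-linking is possible, the blanked rows remain personal data under GDPR Rec. 26; the script records when each row was pseudonymised so the full deletion date can be enforced later.

```python
"""Pseudonymise CRM records whose retention period has lapsed (added example).

Assumed schema: a `customers` table with direct identifiers plus a `kind` column
("customer" or "contract"), and a `purchases` table linked by customer_id.
Dates are stored as ISO-8601 strings, which compare correctly as text in SQLite.
"""
import calendar
import sqlite3
from datetime import date

# Columns treated as direct identifiers and blanked on expiry (assumed names).
PII_COLUMNS = ("name", "address", "phone", "email")

# Retention rules: kind -> (anchor date column, months to retain after it).
# Values are the post's figures: 18 months after last purchase; contract end + 2 years.
RETENTION_RULES = {
    "customer": ("last_purchase", 18),
    "contract": ("contract_end", 24),
}


def subtract_months(d: date, months: int) -> date:
    """Calendar-accurate 'months ago', clamping the day for short months."""
    years, month_index = divmod(d.month - 1 - months, 12)
    year, month = d.year + years, month_index + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data, in memory, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript("""
        CREATE TABLE customers (
            customer_id INTEGER PRIMARY KEY,
            kind TEXT NOT NULL,
            name TEXT, address TEXT, phone TEXT, email TEXT,
            last_purchase TEXT, contract_end TEXT,
            pseudonymised INTEGER NOT NULL DEFAULT 0,
            pseudonymised_on TEXT
        );
        CREATE TABLE purchases (
            purchase_id INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customers(customer_id),
            purchased_on TEXT NOT NULL, amount_pence INTEGER NOT NULL
        );
    """)
    conn.executemany(
        "INSERT INTO customers (customer_id, kind, name, address, phone, email, "
        "last_purchase, contract_end) VALUES (?,?,?,?,?,?,?,?)",
        [  # constructed rows; run date below is 2017-06-01
            (1, "customer", "Ann Example", "1 High St", "01234 000001", "ann@example.com", "2015-03-10", None),
            (2, "customer", "Bob Example", "2 High St", "01234 000002", "bob@example.com", "2017-01-15", None),
            (3, "contract", "Cara Example", "3 High St", "01234 000003", "cara@example.com", None, "2014-12-31"),
            (4, "contract", "Dan Example", "4 High St", "01234 000004", "dan@example.com", None, "2016-06-30"),
        ],
    )
    conn.executemany(
        "INSERT INTO purchases (customer_id, purchased_on, amount_pence) VALUES (?,?,?)",
        [(1, "2015-03-10", 4999), (2, "2017-01-15", 1500)],
    )
    conn.commit()
    return conn


def pseudonymise_expired(conn: sqlite3.Connection, today: date) -> list:
    """Blank PII on rows past their retention window; return the affected customer IDs.

    Safe to re-run: already-pseudonymised rows are skipped. Column names come from
    the constants above, never from user input, so building the SQL text is safe.
    """
    affected = []
    set_clause = ", ".join(f"{col} = NULL" for col in PII_COLUMNS)
    for kind, (anchor_col, months) in RETENTION_RULES.items():
        cutoff = subtract_months(today, months).isoformat()
        rows = conn.execute(
            f"SELECT customer_id FROM customers "
            f"WHERE kind = ? AND {anchor_col} < ? AND pseudonymised = 0",
            (kind, cutoff),
        ).fetchall()
        ids = [row["customer_id"] for row in rows]
        if ids:
            placeholders = ",".join("?" * len(ids))
            conn.execute(
                f"UPDATE customers SET {set_clause}, pseudonymised = 1, pseudonymised_on = ? "
                f"WHERE customer_id IN ({placeholders})",
                [today.isoformat(), *ids],
            )
        affected.extend(ids)
    conn.commit()
    return sorted(affected)


def record(conn: sqlite3.Connection, customer_id: int) -> dict:
    row = conn.execute("SELECT * FROM customers WHERE customer_id = ?", (customer_id,)).fetchone()
    return dict(row)


def purchase_history(conn: sqlite3.Connection, customer_id: int) -> list:
    """Purchase rows survive pseudonymisation, still linked by customer_id."""
    rows = conn.execute("SELECT * FROM purchases WHERE customer_id = ?", (customer_id,)).fetchall()
    return [dict(r) for r in rows]


if __name__ == "__main__":
    db = build_sample_db()
    expired = pseudonymise_expired(db, date(2017, 6, 1))
    print("pseudonymised:", expired)
    for cid in (1, 2, 3, 4):
        print(record(db, cid))
```

Running the script against the constructed data on 2017-06-01 pseudonymises customers 1 and 3 (last purchase or contract end beyond the window) and leaves 2 and 4 intact; customer 1's purchase row is still present and still linked by customer_id. A second run is a no-op because of the `pseudonymised` flag. In a real deployment the same job would be scheduled against each system found in the data mapping exercise, with the `pseudonymised_on` date driving a later hard-delete step.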

What about suppliers/third parties?

Your third parties and suppliers should also be asked how they store your customers' data: do they store it securely? Do they have a data retention policy? What are they doing to comply with GDPR?

If they can’t answer these questions it may be time to move onto another supplier.


I hope this helps answer a few questions about GDPR data retention, if you require any more information about this, feel free to get in touch with us at:
