All-in-one Risk Management Platform

How Long Should You Retain Personal Data?

Under the GDPR, the retainment of personal data is a bit complicated. Here’s how to know when to start the deletion process.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Join thousands of companies who build trust with Accountable.

How Long Should You Retain Personal Data?

Under the GDPR, all sensitive data that could be used to identify an individual is defined as “Personal Data.” A question frequently asked by those who are compliant with the GDPR is how long a business is required to retain personal data, or at what point they can delete that data?

In this quick guide, we’ll take a look at what personal data means, how it is defined under the GDPR, and what the GDPR says about retaining and storing personal data.

How Does the GDPR Define Personal Data?

In May of 2018, the General Data Protection Regulation (GDPR) was implemented. It necessitates that businesses take efforts to safeguard the personal information they acquire. It also outlines the steps that must be taken to avoid data breaches, as well as a list of eight "data subject rights." With respect to automated decision-making and profiling, they are the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restrict processing, the right to data portability, and the right to object rights. These rights apply to all parties involved, including partners, clients, and staff. Failure to follow them may result in legal action.

Personal data is defined as any information that refers to a live individual who is identified or identifiable. Personal data is made up of several bits of information that, when put together, may be used to identify a specific individual.

The GDPR applies to any personal data that has been removed from identification, especially encrypted, or falsified information, but can still be used to potentially identify a person. Personal data that has been anonymized to the extent of being unable to identify an individual is no longer considered personal data. For data to be actually anonymous, the anonymization of that data must be permanent.

The GDPR ensures that personal data is protected regardless of the tools used to process that data. It is technology neutral, encompassing automated and human processing as long as the data is structured according to pre-defined criteria. It also doesn't matter how the information is stored. In all cases, personal data is subject to the GDPR's data protection requirements.

Personal data can include names, addresses, email addresses, ID card numbers, location information, IP addresses, cookie IDs, pixels or other ad identifiers, and any medical or hospital data.

“Saved our business.”
"Easy to use!"
"Accountable is a no brainer."

Get started with Accountable today.

The modern platform to manage risk and build trust across privacy, security, and compliance.
Get Started Today
Join over 17,000 companies who trust Accountable.

How Long Can an Organization Keep Personal Data As Regulated by the GDPR?

Data must be kept for the shortest period of time as is feasible. That timeframe should consider the reasons why your firm or organization has to handle the data, as well as any legal duties to store the data for a specific amount of time. National labor, tax, or anti-fraud legislation, for example, that require you to preserve personal data about your employees for a set amount of time, product warranty term, and so on, would be a higher priority.

Your business or organization should set time restrictions for erasing or reviewing data. Personal data may be stored for a longer period for archiving purposes in the public interest or for scientific or historical research purposes, provided that adequate technological and organizational measures such as anonymization, encryption, and other safeguards are in place. Your business or organization must also guarantee that the information it has is accurate and current.

What Happens if Data Is No Longer Needed?

To put it simply: Any organizations in the EU that acquire, use, or keep the personal data of EU citizens must adhere to the GDPR's data retention obligations. As a result, they must destroy or anonymize data as soon as it is no longer needed for processing. As a result, if you only require a staff member's personal information during their employment, you must destroy it when they leave the organization.

The longer data is stored, the more likely it is to become out of date, and the more difficult it is to assure data accuracy. The more data about individuals that is saved, the higher the risk of harm in the case of a data breach. You may not face punishment under the GDPR, but you risk causing harm to your company. And if a data breach occurs, your company might face serious consequences from both your clients and the GDPR enforcers.

Note: Also keep in mind that you should never save data simply in case it becomes helpful later. You must be aware of all applicable national and EU legislation and keep personal data in accordance with them. It's also worth noting that the GDPR requires you to delete personal data once it's no longer needed for processing.

How To Create a Data Retention Policy on Data Deletion

A data retention policy is a collection of recommendations that spells out how long businesses should store certain types of personal information. Every data retention policy should specify the categories of personal data collected by the organization, the processing reasons for each category of data, the various retention periods, and how to dispose of the data once it is no longer needed.

Keep the following steps in mind while creating a successful data retention policy:

  1. Determine the different sorts of data that your firm has. Begin by making a list of all the different sorts of data your organization handles, such as names, home addresses, phone numbers, IP addresses, emails, and credit card information.
  2. For each category of data, determine the appropriate retention period. While the GDPR does not specify particular retention periods for personal data, it does declare unequivocally that companies should not store data for longer than necessary.
  3. For each category of data, specify how it should be disposed of. When data becomes obsolete, you must dispose of it either by deleting it or anonymizing it so that it cannot be recovered later.

Like what you see?  Learn more below

Under the GDPR, the retainment of personal data is a bit complicated. Here’s how to know when to start the deletion process.
How to Respond to a Breach or Cyberattack
CMIA (California Confidentiality of Medical Information Act)
What is a HIPAA Compliance Checklist?
Ten Common HIPAA Compliance Mistakes and Effective Strategies for Mitigation
Safeguarding Your Business: Preventing a Data Incident
What is Personal Data under the GDPR?
Streamlining the Employee Off-boarding Process
Traits and Responsibilities of a GDPR Data Controller
ISO 27001 vs HIPAA
Complying with Texas HB300
Contractors Under CCPA/CPRA
Why was the CCPA Introduced?
HIPAA IT Compliance Checklist
How to Secure Your Company's Email Communication: Best Practices and Strategies
Complying with ISO 27001: Strategies and Best Practices
GDPR Compliance for Startups
What is Personal Information Under the CPRA?
Steps to Ensure Operational Resilience
The CCPA Do Not Sell Requirement
Am I a Data Controller or Data Processor?
Service Providers Under CCPA/CPRA
Why Security Does Not Equal Data Privacy
What Does PHI Stand For?
Common GDPR Compliance Mistakes & Pain Points
"Likely to Result in Risk" Under GDPR
Key Elements of a Data Processing Agreement
What Is a Data Processor?
What is a Business Associate Subcontractor?
What You Need To Know About Browser Cookies
How Long Should You Retain Personal Data?
Operational Risk Management
ADPPA Preview
What is a Data Controller?
Data Protection Impact Assessments (DPIAs)
The Importance of Monitoring External Data Breaches
Fraud Risk Factors
Security Awareness Training
5 Steps to Creating a Vendor Management Process
The 18 PHI Identifiers
Notice of Privacy Practices under HIPAA
Data Subject Access Requests
What is a HIPAA Lawyer?
What You Need to Know About Data Encryption
ISO 27001
Types of Financial Risk
SOC 2 Compliance Mistakes
Data Disaster Recovery Plan
The Truth about Data Security
Business Continuity Plans
Security Risk Assessment Overview
How To Comply With the HIPAA Security Rule
How To Ensure GDPR Compliance
The Complete Guide to PCI Compliance
Data Governance in Healthcare
Why is Personal Data Valuable?
8 Steps To Establish a Risk Management Framework
How To Prevent a Former Employee From Becoming a Security Risk
Vendor Risk Management
4 PCI DSS Compliance Levels
The Difference Between DoS and DDoS Attacks
Internet of Things (IoT) Security
Compliance as a Competitive Advantage
SOC 2 Compliance
Opt-In vs. Opt-Out Data Rights
Five Principles of Risk Management
5 Habits of an Effective Privacy Officer
Principles of Data Governance
Data Protection Officer vs. HIPAA Privacy Officer
Personally Identifiable Information (PII)