Does your retention policy comply with the GDPR?

As the date on which the GDPR comes into force approaches, it’s vital to check that your company’s internal processes concerning personal data are up to date and compliant with the upcoming law. This article looks at one of the policies every company must have: a retention policy.

Retention policies, in general, apply to all data held by an organisation. For the purposes of this article, we’ll stick to personal data, as that’s what the GDPR is concerned with.

What is a retention policy?

A retention policy is a written set of guidelines that a company follows when handling data — more specifically in relation to how long certain types of data should be stored.

Retention periods are usually decided for a combination of internal business reasons, but legal requirements may also apply and should be taken into account when the policy is drafted.

We touched on data retention and retention policies in our article about the 6 principles of the GDPR. The fifth principle mentions how you should only store personal data for as long as you need it. 

Why is a retention policy important?

Storing data indefinitely is widely considered a bad idea. Not only is data likely to become inaccurate after it has been stored for a long time, but holding it also poses a larger security risk to the individuals concerned in the event of a hack or breach of your systems.

GDPR Top Tip

Your retention policy applies to data that you store offline as well. Physical copies (such as printed documents or spreadsheets) should also be destroyed when the data is no longer required!


A retention policy helps reduce the risk of losing sensitive personal information that could potentially cause harm to the people involved.

For example, suppose you have a customer list that dates back 10 years. This list holds sensitive information such as each customer’s home address, email and phone number. If the list is compromised, a number of these people could suffer identity fraud or other harm, potentially costing them money. You could try to inform all of these customers of the breach, but someone who hasn’t used your service in the last 9 years may have a different email address or phone number by now. This means that many of these customers may never learn that their data has been compromised.

Now imagine the same scenario, but you have anonymised all customer data for clients who haven’t used your service within the last year. The hacker still gets the customer list, but only a subset of your customer base is at risk. You can quickly inform this smaller group of customers that there has been a breach and their data has been compromised, allowing them to take the necessary measures to prevent further harm.

How do I create a retention policy?

Firstly, you’ll want to assess what data you currently store. Make a list of all the personal data types that you handle.

Personal data is defined as any piece of data that can be used to identify an individual.

You’ll also want to look at where you hold this data. Places such as servers, databases, emails, company computers and even backups need to be noted down.

After you’ve compiled your list of data types and storage locations, you will want to look at defining a storage period for each type of data. This will vary from business to business depending on your company’s needs. For example, you may need to store someone’s information for at least 2 years due to a warranty that you provide on a product you’ve sold them. After this 2-year period, this data is no longer necessary and it would be a reasonable time to delete it. Go through this process for all of the personal data that you store and note down the retention periods in your policy.

So now you know what data you store, where you store it and for how long it should be stored … what’s the next step?

Implementation of the policy.

It’s a tedious task to check each day for data that has passed its retention period, even more so if that data needs to be anonymised rather than simply deleted. If budget allows, it is worth building these retention rules into your systems and letting the computer take care of the hard work for you. Then all you need to do is verify that these processes are working correctly and that the data is actually being deleted or anonymised.

The final step is to make this policy clear to the people that you collect personal data from. The GDPR recommends that you add this information into your privacy policy. It doesn’t have to display your whole internal retention policy, it may only be a summary, but the customer needs to be able to find and understand what is being done with their personal data.
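The steps above (inventory the data types, set a retention period per type, automate the deletion or anonymisation, then check that it actually happened, and publish a summary for the privacy policy) can be carried through in a small script. The following is an added example written for this article, not code from the original page or from Mercurytide; the policy table, the `Record` layout and the customer records are all constructed assumptions, with the periods chosen to match the article’s own examples (2-year warranty records, contacts anonymised after a year of inactivity):

```python
from dataclasses import dataclass, replace as dc_replace
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hypothetical retention policy table (one entry per personal-data type the
# inventory step found). Periods follow the article's examples: warranty
# records are deleted after 2 years; contact details of customers inactive for
# more than a year are anonymised so only non-identifying statistics remain.
POLICY: Dict[str, dict] = {
    "warranty_record": {"retention_days": 2 * 365, "action": "delete"},
    "customer_contact": {"retention_days": 365, "action": "anonymise"},
}

# Fields that identify a person and must be gone once the period has passed.
PII_FIELDS = ("name", "email", "phone", "address")


@dataclass
class Record:
    record_id: int
    data_type: str
    last_used: date            # start of the retention clock (last purchase/activity)
    name: Optional[str] = None
    email: Optional[str] = None
    phone: Optional[str] = None
    address: Optional[str] = None

    def holds_pii(self) -> bool:
        return any(getattr(self, f) is not None for f in PII_FIELDS)


def expiry_date(rec: Record, policy=POLICY) -> date:
    """Date after which this record has exceeded its retention period."""
    return rec.last_used + timedelta(days=policy[rec.data_type]["retention_days"])


def apply_retention(records: List[Record], today: date, policy=POLICY):
    """Apply the policy. Returns (surviving records, deleted ids, anonymised ids)."""
    kept, deleted, anonymised = [], [], []
    for rec in records:
        if today <= expiry_date(rec, policy):
            kept.append(rec)                      # still inside its retention period
            continue
        action = policy[rec.data_type]["action"]
        if action == "delete":
            deleted.append(rec.record_id)         # row is dropped entirely
        elif action == "anonymise":
            # Keep the row (so counts and statistics survive) but strip every identifying field.
            kept.append(dc_replace(rec, **{f: None for f in PII_FIELDS}))
            anonymised.append(rec.record_id)
        else:
            raise ValueError(f"unknown retention action {action!r} for {rec.data_type}")
    return kept, deleted, anonymised


def find_violations(records: List[Record], today: date, policy=POLICY) -> List[int]:
    """Audit check: ids of records past their retention period that still hold personal data.
    Run this after the retention job to confirm it really deleted/anonymised the data."""
    return [r.record_id for r in records if today > expiry_date(r, policy) and r.holds_pii()]


def privacy_summary(policy=POLICY) -> List[str]:
    """Customer-facing summary of the retention periods, suitable for a privacy policy."""
    return [
        f"{dtype.replace('_', ' ')}: kept for {p['retention_days'] // 365} year(s), then {p['action']}d"
        for dtype, p in policy.items()
    ]


# Constructed sample data; the "run date" is the day the GDPR applies.
TODAY = date(2018, 5, 25)
SAMPLE = [
    Record(1, "customer_contact", date(2018, 3, 1), "Ann Example", "ann@example.com", "0100", "1 High St"),  # active: keep
    Record(2, "customer_contact", date(2009, 6, 1), "Bob Example", "bob@example.com", "0200", "2 High St"),  # 9 years idle: anonymise
    Record(3, "warranty_record", date(2017, 1, 10), "Cy Example", "cy@example.com", "0300", "3 High St"),   # within 2 years: keep
    Record(4, "warranty_record", date(2015, 1, 10), "Di Example", "di@example.com", "0400", "4 High St"),   # past 2 years: delete
]

if __name__ == "__main__":
    print("violations before run:", find_violations(SAMPLE, TODAY))
    kept, deleted, anonymised = apply_retention(SAMPLE, TODAY)
    print("deleted:", deleted, "anonymised:", anonymised)
    print("violations after run:", find_violations(kept, TODAY))
    for line in privacy_summary():
        print(line)
```

Two design points: anonymisation keeps the row but blanks every identifying field, so historical counts survive while the person can no longer be identified; and `find_violations` is the independent check the implementation step calls for, so a broken or silently failing retention job shows up as a non-empty list rather than going unnoticed.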


Having a clear-cut retention policy that your company can easily follow will protect your business from legal challenges and give your clients peace of mind when they entrust you with their data.

If you have any questions about the points I've raised, or want a more in-depth chat about all things GDPR, please get in touch via the form below.