What is a retention period regarding personal data ?
Article 5.1.e) of the GDPR provides that “personal data shall be [..] kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed […]”.
In practice, this means that personal data has a limited lifespan. As soon as the purpose fulfilled by its use or storage disappears, so must the personal data. Therefore, it is now illegal to store personal data “just in case”, without a defined – and legitimate – goal in mind.
For example, keeping client accounts of customers which have not bought from your company for 4 years might subject you to sanctions. Meanwhile, keeping an invoice sent to the same customer is perfectly acceptable, even mandatory (Article L123-22 of the french Commercial code).
How does one determine the proper retention period for personal data ?
The method to identify the maximum retention period for personal data is actually fairly simple.
Firrst, one must identify the legal requirements that may force you to keep personal data for a minimal period of time. To continue with our previous example, businesses must keep their invoices and purchase orders for 10 years after the end of the accounting year in which they were issued (Article L123-22 of the french Commercial Code). If such a retention obligation exists, it will be the bare minimum.
Second, one must look through the Guidelines or recommendations from Supervisory Authorities. For example, while no legal obligation exists on the matter, the french Supervisory Authority (CNIL) recommends that the data of a prospect not responding to any solicitation can be kept for 3 years (https://www.cnil.fr/en/sheet-ndeg14-define-data-retention-period)
Third, one can craft his/her own retention period, under two conditions. On the one hand, this period must be fully justified by the fulfillment of a legitimate purpose. On the other hand, the period cannot contradict either a legal obligation or a Supervisory Authority recommendation.
How best to get rid of personal data after their retention period expires ?
Personal data can be disposed of in two ways: anonymization and deletion.
Anonymisation is undoubtedly the best method to handle the retention problem. If the data can be rendered anonymous, in such a manner that the data subject is not or no longer identifiable, it then falls out of the GDPR’s scope.
Deletion, for its part, can appear to be the most simple. No need to sort out the identifying elements from a large database, all of it can just be destroyed. However, special attention must be given to the deletion on all supports and devices. Indeed, deleting a file from the cloud is of little use if it has been duplicated by an email and on your local computer. To ensure a proper deletion of personal data, it is therefore necessary to take care of each copy, on each medium.
Truthfully, the management of personal data retention can be a real headache under the GDPR. But with good practices, and efficient automated processes, it can become no more than a painless habit.