News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

The Privacy Advisor | How to draft a GDPR-compliant retention policy Related reading: Territorial scope of the GDPR from a US perspective

rss_feed

Data minimization, storage limitation, records of processing activities and requirements for providing information and access to personal data under the EU General Data Protection Regulation all have one thing in common: You need to be able to clearly define the period for which personal data will be stored or, if not possible, criteria to determine that period.

Most organizations implementing the GDPR consider retention policies or retention rules necessary to achieve this. At first it seems a daunting task, but by considering the goals and GDPR requirements you can reach some reasonable level of granularity that is still operational and possible to implement.

Records of processing activities

It's very important to find a right balance between being very general and vague (like saying we will keep the data for as long as needed), and having a very detailed system by system and set by set description. The latter might still be useful as a product of your policy or a report available at specific point of time but not as a retention policy.

In order to find out how much detail is enough you should consider the requirements for the records of processing activities.

As specified in Article 30 of the GDPR, such records need to include purposes of the processing; descriptions of data subjects and categories of personal data; as well as recipients and, where possible, the envisaged time limits for erasure of the different categories of data.

Considering that the information to be provided to the data subjects includes the period for which the personal data will be stored — or, if that is not possible, the criteria used to determine that period— it makes sense to provide such information as part of the envisaged time limits for erasure. This way you will stay consistent and avoid confusion resulting from different descriptions of your retention/erasure practices.

As it seems then, records of processing activities encourage you to group data by type of individuals, data categories and relevant purposes, and it is prudent to relate retention times to such processing activities.

What processing activities are is not defined by the GDPR, only processing as such is broadly described in Article 4, so using the most clear and relevant name or description would be a reasonable way to go. Using such names will definitely make your life easier.    

Legal basis

Defining legal basis for different processing activities is not, strictly speaking, required for the records of processing activities, but it is obvious that organizations need to be aware of the relevant legal basis for such activities and document it in accordance with the principle of accountability. In addition to that, legal basis needs to be communicated to the data subjects as part of the information obligations (Articles 13 and 14 of the GDPR).

In practice, legal basis is so tightly linked with the purposes of processing that in many privacy notices the purpose and legal basis become one, e.g. by explaining that the data will be processed for the performance of a contract or for compliance with specific legal obligations.

Legal basis is also crucial for specifying retention times, and in some cases such retention times would be readily available (like in case of processing the data for compliance with tax regulations or the like).

This means that grouping data into types used for the same purposes should be done as per relevant legal basis. Even though it will not result in many instances in having just one specific retention time (as it will vary by jurisdictions and even for different types of situations), such retention times will be possible to be efficiently establish — or at least by reference to the specific legal basis — criteria for how long data will be stored can be provided.

It is important to remember that the data processed based on consent should in general not be kept when the consent is withdrawn (unless another valid legal basis has been established and communicated to the data subjects), and the data necessary for the performance of a contract may not be retained indefinitely by saying that there might occur some legal claims if such claims aren't clearly defined and don't yet exist but are purely hypothetical.

As explained in the Article 29 Working Party Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC, performance of contract does not apply to actions triggered by non-compliance or to all other incidents in the execution of a contract, but only covers the normal execution of a contract.

Standard periods for ancillary data sets

Obviously the data used in a business environment are not simply grouped into separate, static data sets, but take many forms and shapes. Linking all possible data to an individual data subjects' profiles would in fact go somewhat against the very principles of the GDPR as it would result in creating very detailed and oftentimes completely unnecessary information about data subjects. There are also some technical and organizational constraints that will make it hard to achieve, and many systems may not be linked together or should not be linked for security reasons.  

Establishing retention times for such types of data is not only a must-have in terms of risk and data minimization but will also greatly facilitate your life in case of subject-access requests.

By implementing reasonably short retention periods, you will have a unique chance to streamline your processing activities so that in a relatively expeditious manner it will be clear what data must be archived or added to individual’s profile and how such data is relevant to your business. This is also a chance to automate deletion process which will greatly reduce costs and work factor.

Specific examples of retention times for processing activities 

Even though establishing and implementing retention rules will never be easy, and the bigger and more complex the organisation is, the more difficult it gets, there are ways to simplify this task, at least to the point of meeting the basic GDPR requirements.

As with all other GDPR compliance obligations, it makes sense to treat all documents, such as policies, notices, records of processing activities, assessments, etc. as closely related with each other and fuel them with consistent rules and information, rather than using completely different descriptions e.g. when it comes to retention.  

Specific examples of retention times for different processing activities based on the above, could include storing:

  • Customer financial and tax data for the purpose of compliance with tax regulations for the period specified by tax laws (the list of such laws and relevant provisions should be available).
  • Newsletter subscribers' information, only until consent is withdrawn by using an "unsubscribe" functionality.
  • Employee files and records for as long as required by relevant employment and social security and social protection laws (the list of such laws and relevant provisions should be available).
  • Direct-marketing customer data for a specifically defined period, e.g. 2 years, unless the customer objects/opts-out sooner or actively opts-in for the data to be used for a longer, defined period.
  • Consumers' contract, service, or delivery data for as long as the contract is in force or services or products are provided, and for a specifically defined additional period if the consumer registers for product support or such data are kept by the consumer in his or her user profile (even then it is recommended to establish some predefined retention period upon which the data will be automatically deleted).
  • Processing data necessary for the establishment, exercise or defense of legal claims, only if such claims can be clearly articulated and defined and until such claims are finally resolved or expire under relevant laws (the general periods under relevant laws, e.g. 10 years, for raising possible claims are by no means sufficient ground to keep all data for such period if there are no specific grounds to identify existing claims. In such cases organizations should conduct legal analysis, considering that some of the information may be retained anyway e.g. for compliance with tax regulations).
  • Health records of hospital patients for the period defined by national laws (the list of such laws and relevant provisions should be available). 

photo credit: pennstatenews via photopin

Author
Headshot Piotr Foitzik, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP IAPP Member Contributor
Tags
Europe
Privacy Operations Management
1 Comment

If you want to comment on this post, you need to login.

  • comment Maryanne Siek • Sep 14, 2018 
    Most companies of significant size and global reach have a records retention schedule already in place. Your first stop should always be your Legal Department to find out if such a schedule exists. If so, assuming it's accurate and up to date, you're halfway there. The schedule will almost certainly require some tweaking to address GDPR, but it will tell you all the kinds of records your organization creates and manages, along with the legal requirements for retaining them. It may also document operational requirements and assign departmental ownership for each record type.
Related Stories
Territorial scope of the GDPR from a US perspective
1
On May 25, the most important EU data protection law reform to date entered into force. The General Data Protection Regulation promises the biggest shape up to European privacy laws for 20 years, particularly with a view to the extremely high fines. The GDPR applies to businesses established in the ...
Read More queue Save This
DPO Confessional: The prep for GDPR Day
‘Twas the night before GDPR…. May 25 feels like a holiday of sorts. Not because there’s anything to celebrate or honor, necessarily, but because preparing for it was much like getting ready to have guests visit the house. Guests one really wants to or needs to impress, moreover, like the in-laws or...
Read More queue Save This
Data-processing agreements from 30,000 feet
“Processing by a processor shall be governed by a contract or other legal act…” (Article 28, GDPR) Commonly referred to as a “data processing agreement” this type of contract governs the relationship between a controller, a processor, and the data being processed. These contracts can come in m...
Read More queue Save This
Implementing appropriate security under the GDPR
The EU General Data Protection is finally here, and things like data mapping, data protection impact assessment, consent management, and data subject rights have been on everyone’s minds leading up to its arrival. While these operational requirements are obvious for many companies, some others have ...
Read More queue Save This
Related Stories
Tags
Europe
Privacy Operations Management
Recent Comments