November 5, 2024
Practical guidance
How Long Can Businesses Keep Personal Data?
Some privacy laws require businesses to create data retention policies, but figuring out the maximum amount of time you can hold on to data can be complicated.

Creating a data retention policy is a “stealth” requirement under several privacy laws, and it’s one that businesses often struggle with. For many, the idea of not keeping data forever is counterintuitive, if not outright foolish. Data is a resource, so it should be used and not thrown away, right?

Putting aside the other very good reasons for implementing a data retention policy—such as improving information security and reducing legal liabilities—when it comes to privacy compliance, a lot of people just want to know the maximum amount of time they can keep personal data and remain compliant.

As Long as Necessary, But No Longer

While it varies from law to law, the general rule is that businesses may retain personal data for as long as is necessary to fulfill the purposes for which it was collected. Note that the standard is not that data may be kept as long as it is still potentially useful; it can only be kept as long as it’s necessary

The European Commission put it even more bluntly: “Data must be stored for the shortest time possible.”

Practical Guidance

Businesses may be frustrated by the lack of specific data retention periods for them to follow, but it would be difficult (if not impossible) to come up with a single rule that applies across all situations. Contextual information such as the nature of the personal data, the nature of the organization, and the processing purposes must all be taken into account. For example, data collected in order to service a lifetime product guarantee will probably remain necessary for longer than data collected to send promotional emails. 

However, this lack of specificity should not be interpreted as a lack of enforceability. Especially under the GPDR, organizations are regularly fined for violations of data minimization rules. 

When defining your business’s data retention periods, bear in mind that it is you, the regulated business, who will bear the burden of demonstrating you only keep personal data as long as is necessary. As the retention period gets longer, it will be an increasingly uphill battle to demonstrate that necessity. For example, if you’ve decided to keep marketing information for 20 years from the last contact with a consumer, it will be tough for most organizations to argue that that data remains necessary for so long.

Businesses that are subject to the GDPR should also look into local rules that may provide more guidance. French data protection authorities, for example, have published guidelines recommending that marketing contact information only be retained for up to three years from the last contact with an individual. Anything longer than that, and the business must explain why it is necessary. (See this rule in action)

Stuck on Privacy Compliance?

TrueVault helps businesses of all sizes comply with global privacy laws, from processing opt-out requests to creating a data retention policy. You don’t need an in-house privacy expert to get compliant within a matter of hours. 

Contact our team to see how it works.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.

Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.