Irish startups, SMEs, and companies processing personal data, especially without formal retention policies or facing DPC audits.
Learn to create compliant schedules, navigate statutory requirements, reduce risks from over-retention, and simplify SARs/erasure via practical steps and examples.
Key Takeaways
- GDPR storage limitation requires retaining personal data only as long as necessary, with defined periods per category.
- Irish laws mandate minimums like 6 years for accounting, tax, payroll; 3 years for working time records.
- Build retention schedules detailing categories, periods, triggers, bases, and owners for accountability.
- Delete securely via overwriting, destruction, or anonymisation; automate in CRM, cloud, and HR systems.
- Audit annually, train staff, assign owners to enforce policy and demonstrate GDPR compliance.

Keeping personal data longer than you need it is one of the most common GDPR failures in Irish businesses. The storage limitation principle under Article 5(1)(e) requires that personal data is kept only for as long as necessary for the purpose it was collected. There is no single GDPR retention period that applies to all data; instead, you must define and justify retention periods for each category of data you hold.
The DPC has made retention a consistent focus area in audits and investigations. In our experience, retaining data beyond its useful life increases exposure to data breaches and subject access requests. The more data you hold, the greater your liability if something goes wrong. This guide explains how to build a data retention policy that satisfies GDPR and Irish statutory requirements.
Why does data retention matter under GDPR?
The storage limitation principle is one of the seven core principles of GDPR. Article 5(1)(e) states that personal data must be "kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed."
This means you cannot keep data indefinitely "just in case." Every category of personal data you hold must have a defined retention period, and when that period expires, the data must be securely deleted or anonymised.
The risks of over-retention are practical, not just theoretical:
- Larger breach exposure: The more personal data you hold, the more data is exposed in a breach. This increases the severity of any DPC notification and the potential for enforcement action.
- Heavier SAR burden: When someone makes a subject access request, you must search all data you hold about them. Unnecessary data means unnecessary search effort and higher compliance costs.
- Audit vulnerability: The DPC expects organisations to demonstrate active data minimisation. If an audit reveals data held without justification, that is a compliance failure regardless of whether a breach has occurred.
- Erasure complications: When someone exercises their right to erasure, you must know exactly what data you hold and where. Uncontrolled data accumulation makes this significantly harder.
Retention is also linked directly to your records of processing activities. Your ROPA should document retention periods for each processing activity, and the DPC guidance indicates that these periods should be granular. It is important to be aware that different data categories will have different retention needs.
How long can you keep personal data?
The GDPR does not prescribe specific retention periods. The DPC's guidance emphasises that organisations must consider statutory obligations when defining retention periods. This means your retention periods are driven by three factors: the purpose of processing, statutory requirements, and legitimate business need.
Statutory retention periods in Ireland
Several Irish statutes require you to retain specific records for minimum periods:
- Financial and accounting records: Section 285 of the Companies Act 2014 requires companies to preserve accounting records for at least 6 years after the end of the financial year to which they relate.
- Tax records: The Taxes Consolidation Act 1997 (via Section 91 of the Finance Act 2014) requires retention of tax-related records for 6 years. Revenue's Income Tax (Employments) Regulations 2018 require employers to retain payroll information for 6 years after the end of the relevant year.
- Employment records: The Organisation of Working Time Act 1997 requires records of hours worked, rest periods, and leave for 3 years. The Terms of Employment (Information) Act 1994 effectively requires retention of employment contracts for the duration of employment plus 6 years (the limitation period for breach of contract claims).
- Parental leave records: The Parental Leave Acts 1998–2006 require retention for 8 years.
- Health and safety records: Personal injury claims in Ireland have a general limitation period of 2 years from the date of injury, but records supporting workplace safety compliance should be retained for longer given the potential for late discovery of injuries.
In our experience, a minimum of 6 to 7 years for most business records is recommended.
When the original purpose expires
For data that is not subject to statutory retention requirements, your retention period should be tied to the purpose for which the data was collected. When that purpose ends, the data should be deleted:
- Job applicants: Once the recruitment process concludes and no offer is made, there is no ongoing purpose. A retention period of 12 months is common practice to cover any potential discrimination claims.
- Customer enquiries: If someone contacts you through your website but does not become a customer, retaining their contact details indefinitely is not justified.
- Event attendees: Personal data collected for a specific event should be deleted after the event unless the individual has consented to further communication.
Author's tip: When in doubt, ask: "If someone asked me why I still have this data, could I give a specific answer?" If the answer is "we might need it someday," that is not a valid retention justification.
How do you build a data retention schedule?
A data retention schedule is a document that maps each category of personal data to a defined retention period, a legal basis for retention, and a trigger event that starts the clock.
Step 1: Map data categories to purposes
Start with your records of processing activities. For each processing activity, identify:
- What categories of personal data are involved
- Why you are processing this data (the purpose)
- What legal basis you rely on
Step 2: Set retention periods
For each data category, determine the appropriate retention period:
- Statutory requirement: If legislation mandates a minimum period, that is your baseline. You should not keep data longer than the statutory period unless you have a separate justification.
- Contractual necessity: Data needed to perform a consultancy agreement or other contract should be retained for the duration of the contract plus the relevant limitation period.
- Legitimate interest: Data retained on the basis of legitimate interest should have a defined review date.
- Consent: Data processed on the basis of consent should be retained only while consent is active and the purpose remains valid.
Step 3: Identify the trigger event
The retention period starts from a specific event, not from a fixed date:
- Date of collection: For one-off data collection (e.g., event registration)
- End of contract: For customer or supplier data
- End of employment: For employee records
- Last interaction: For marketing contacts
- Closure of the matter: For legal case files
Step 4: Document justifications
For each retention period, record why that period was chosen. Reference the specific statute, business need, or risk assessment that supports it. This documentation is your evidence if the DPC asks why you are keeping data.
A practical retention schedule might look like this:
- Employee payroll records: 6 years after end of employment (Revenue regulations)
- Customer purchase records: 6 years after last transaction (Companies Act 2014, tax obligations)
- Job applicant CVs (unsuccessful): 12 months after recruitment decision
- Website contact form enquiries: 6 months after last response
- Newsletter subscriber data: Until consent is withdrawn or 24 months of inactivity
For a detailed guide on statutory document retention requirements, see our document retention guide for Irish companies.
How do you securely delete data when retention periods expire?
When an accounting period or retention period expires, you have two GDPR-compliant options: secure deletion or anonymisation.
Secure deletion
For digital data, secure deletion means permanently removing the data so it cannot be recovered. Simply moving files to a recycle bin is not sufficient. Methods include:
- Overwriting: Using software to overwrite data with random characters
- Degaussing: For magnetic storage media, using a magnetic field to erase data
- Physical destruction: Shredding hard drives, USB devices, or optical media
- Certified deletion tools: Software that provides a certificate of deletion for audit purposes
For paper records, use cross-cut shredding or a certified document destruction service. Retain certificates of destruction as evidence.
Anonymisation
Anonymisation permanently removes all identifiers so the data can no longer be linked to any individual. Truly anonymised data falls outside the scope of GDPR and can be retained indefinitely for analytics, research, or business intelligence.
However, anonymisation must be irreversible. Pseudonymised data, where identifiers are replaced but re-identification is possible with additional information, is still personal data and still subject to GDPR, including retention limits.
Dealing with backups
We tend to see that backups present a practical challenge. Deleting individual records from backup systems is often technically difficult or impossible without restoring the entire backup. The pragmatic approach is to delete data from all live systems when the retention period expires and allow backup data to expire according to your backup rotation schedule. Ensure that data restored from backups is checked against your retention schedule before being returned to live systems.
What does data retention look like in common business scenarios?
Here is how retention applies to the most common data categories Irish businesses hold:
Customer data after a contract ends
Retain purchase records and invoices for 6 years (Companies Act and tax obligations). Delete personal details that are not needed for financial records (marketing preferences, browsing history, support ticket details) unless you have a separate legal basis to keep them.
CVs and recruitment data
The DPC's employment guidance suggests that 12 months is a reasonable retention period for unsuccessful applicants' data. If the applicant has consented to being considered for future roles, you may retain their data for longer, but set a defined review period (e.g., 24 months) and inform them.
Marketing lists and newsletter subscribers
If you rely on consent for marketing, you must delete the data when consent is withdrawn. Even if consent is still active, consider setting a maximum retention period. If a subscriber has not engaged with your emails in 24 months, re-confirm consent or remove them.
Website analytics and cookies
Analytics data should be anonymised or aggregated wherever possible. Where personal data is collected through cookies (e.g., IP addresses, device identifiers), your retention should align with your cookie policy. Most analytics tools allow you to set automatic data retention periods.
For guidance on your right to erasure obligations when individuals request deletion, see our right to erasure guide.
How do you enforce your retention policy internally?
Assign ownership
Every data category in your retention schedule should have a designated owner: a person or team responsible for ensuring data is deleted on time. Without ownership, your compliance calendar and retention periods are aspirational rather than operational.
Automate where possible
Many systems support automatic deletion rules:
- Email: Auto-archive or delete emails older than a defined period
- CRM: Set automatic record deletion or archival based on last interaction date
- Cloud storage: Use lifecycle policies to move or delete aged data
- HR systems: Configure automatic purge of terminated employee records after the retention period
In our experience, automation reduces the risk of human error and ensures consistent application of your policy.
Train staff
Every employee who handles personal data should understand the retention policy and know their responsibilities. Training should cover what data to keep, where to store it, when to delete it, and how to respond if they are unsure.
Conduct regular audits
Review your retention schedule at least annually. Check whether:
- Data is being deleted on schedule
- New processing activities have been added to the schedule
- Statutory requirements have changed
- Systems are configured correctly for automated deletion
It is necessary to document each audit and any corrective actions taken. This demonstrates accountability under Article 5(2) of the GDPR.
For a broader overview of your data protection obligations, see our GDPR compliance guide for startups.
Your next step
If you do not have a data retention schedule, build one now. We recommend that you start with your records of processing activities; if you do not have those either, that is your first step. Next, map every category of personal data, identify the statutory and business retention requirements, set a retention period and trigger event, and assign an owner.
Finally, audit what you currently hold. We tend to see that most Irish businesses are retaining data far longer than necessary. Deleting what you no longer need reduces your breach exposure, simplifies subject access requests, and demonstrates to the DPC that you take data minimisation seriously.
Need help building your data protection framework?
Open Forest helps Irish startups get their legal and compliance foundations right, from company formation to GDPR readiness. We handle the complexity so you can focus on building your product.
Get started with Open Forest

Laura Ryan is a practising Barrister at the Bar of Ireland. She graduated from the Honourable Society of King’s Inns in 2024, having previously qualified and practised as a Chartered Accountant in a big four accounting firm.