A data retention policy is a documented set of rules defining how long personal and business data is kept, when it must be deleted, and who is responsible for managing it.

A data retention policy is a formal document that sets out how long your organisation keeps different categories of data, when that data must be deleted or anonymised, and who within the business is responsible for managing the retention schedule. Under GDPR, organisations are prohibited from keeping personal data for longer than is necessary for the purpose for which it was collected. A data retention policy is the practical mechanism through which you demonstrate compliance with this storage limitation principle.
Without a retention policy, businesses accumulate data indefinitely, creating unnecessary risk. The more personal data you hold, the greater the potential impact of a data breach and the more difficult it becomes to respond to regulatory enquiries. A well-structured retention policy reduces your data footprint, simplifies your security posture, and demonstrates to the Data Protection Commission that you take data protection obligations seriously.
Beyond the GDPR dimension, retention policies serve legitimate business and legal purposes. Tax law requires financial records to be kept for specified periods. Employment law mandates retention of payroll and personnel records. Company law requires certain corporate documents to be preserved for the life of the company and beyond. Your retention policy must balance these legal minimum requirements with GDPR's obligation not to keep personal data longer than necessary, which can sometimes create a tension that needs careful legal consideration.
A comprehensive retention policy should categorise the types of data your business holds and assign a specific retention period and deletion method to each category. Common categories include customer data, employee records, financial records, marketing data, website analytics, and contractual documents. Each category carries different legal requirements and operational needs, so retention periods will vary significantly across the policy.
For each data category, the policy should specify the legal basis or business justification for the retention period, the trigger event that starts the clock (such as the end of a customer relationship or the termination of employment), and the deletion or anonymisation method to be applied when the period expires. The policy should also assign responsibility for reviewing and acting on retention schedules to a named role within the organisation.
Critically, the policy must be reviewed regularly to account for changes in the law, changes in how your business operates, and the introduction of new data categories. A retention policy drafted at the time of company formation may become outdated quickly as your business scales, takes on new customers, or enters new markets. Building a review cycle into the policy itself ensures it remains current and enforceable.
Irish and EU law impose minimum retention periods across a range of data categories. Revenue requires that accounting records and tax-related documents be kept for six years. Employment records, including payroll data and records of hours worked, must be retained for three years under the Organisation of Working Time Act, though many advisers recommend longer periods to cover potential employment disputes. Under the Companies Act, certain statutory books and records must be kept for the duration of the company's existence.
GDPR does not itself specify retention periods, but requires that you can justify how long you keep data by reference to the purpose for which it was collected. The principle of storage limitation means that once the purpose is fulfilled and no legal obligation requires continued retention, the data must be deleted. This creates a floor and a ceiling: legal obligations set the minimum, and the purpose of collection sets the maximum.
Your data retention policy directly affects how you respond to subject access requests. When an individual asks what personal data you hold about them, you must be able to provide an accurate and complete answer. If your retention schedules are unclear or inconsistently applied, you risk either disclosing data you should have deleted or failing to disclose data you are still holding, both of which can result in regulatory findings against you.
A well-maintained retention policy, supported by regular deletion runs, makes subject access requests far more manageable. When you know exactly what data you hold, where it is stored, and for how long, you can respond to requests accurately, within the statutory one-month deadline, and with confidence that your response is complete.
A retention policy is only as effective as the systems and processes that implement it. Identify where each category of data is stored, whether in your CRM, accounting software, HR platform, email system, or cloud storage, and configure those systems to flag or automatically delete data when the retention period expires. Automated deletion is preferable to manual processes, which are prone to inconsistency and often fall through the cracks as team members change.
Where automatic deletion is not possible, build a structured review process into your operations. Assign a named owner for each data category to carry out periodic reviews and maintain a log of deletions. This log serves as evidence of compliance if the data controller's practices are ever audited. Working with your data processors to ensure they apply equivalent retention standards to data they hold on your behalf is equally important, and should be addressed in your data processing agreements as part of your wider GDPR compliance framework and corporate compliance programme.
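The retention schedule and deletion run described above, as an added worked example in Python that is not part of the original article: each data category carries a trigger event, a legal floor, a purpose ceiling, a deletion method and a named owner, and one review cycle classifies the records held and writes the deletion log that evidences compliance. Only the six-year and three-year minimums come from the article; the ceilings, the category names, the owner roles and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

YEAR = 365  # retention periods below are expressed in days

@dataclass(frozen=True)
class RetentionRule:
    trigger: str   # event that starts the clock for this category
    min_days: int  # legal floor: keep at least this long after the trigger
    max_days: int  # purpose ceiling: delete/anonymise once this is reached
    method: str    # "delete" or "anonymise"
    owner: str     # named role that reviews and actions this category

# Constructed schedule: the 6-year and 3-year floors follow the article; the
# ceilings, the customer category and the owner roles are assumed.
SCHEDULE = {
    "financial_records": RetentionRule("financial_year_end", 6 * YEAR, 6 * YEAR, "delete", "Finance Lead"),
    "payroll_records": RetentionRule("employment_ended", 3 * YEAR, 7 * YEAR, "delete", "HR Lead"),
    "customer_data": RetentionRule("relationship_ended", 0, 2 * YEAR, "anonymise", "Operations Lead"),
}

def evaluate(rec, rules, as_of):
    """Return 'retain', 'review' (floor passed, owner decides) or 'expired' (apply method)."""
    rule = rules[rec["category"]]
    if rec.get("triggered") is None:
        return "retain"  # trigger event has not occurred: the purpose is still active
    age = (as_of - rec["triggered"]).days
    if age < rule.min_days:
        return "retain"  # inside the legal floor: must still be kept
    return "review" if age < rule.max_days else "expired"  # ceiling reached: action it

def run_deletion_cycle(records, rules, as_of):
    """Apply the schedule; return (records still held, deletion log entries)."""
    kept, log = [], []
    for rec in records:
        if evaluate(rec, rules, as_of) == "expired":
            rule = rules[rec["category"]]
            log.append({"record_id": rec["id"], "category": rec["category"], "method": rule.method,
                        "owner": rule.owner, "actioned_on": as_of.isoformat()})
        else:
            kept.append(rec)
    return kept, log

# Constructed sample records and review date for the demonstration
AS_OF = date(2024, 6, 30)
SAMPLE_RECORDS = [{"id": "R1", "category": "financial_records", "triggered": date(2017, 12, 31)},  # past ceiling
                  {"id": "R2", "category": "customer_data", "triggered": date(2021, 1, 1)},  # past ceiling
                  {"id": "R3", "category": "customer_data", "triggered": None},  # relationship active
                  {"id": "R4", "category": "payroll_records", "triggered": date(2019, 1, 1)},  # review
                  {"id": "R5", "category": "payroll_records", "triggered": date(2022, 3, 1)}]  # in floor
```

Records in the "review" state are the ones the named owner must assess at each cycle; everything in the log is what an auditor would be shown as evidence of the deletion run.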