GDPR Data Retention Policy
Under the GDPR, data controllers (i.e. businesses using personal data, in
this case) should not retain personal data for any longer than necessary.
Furthermore, the GDPR gives data subjects rights to require the erasure of
their personal data (also known as “the right to be forgotten”).
Minimising data retention and having clear procedures in place to determine
how and when to dispose of personal data is therefore key to complying with
the GDPR. Not only that, but a well-managed data retention plan can help
businesses to avoid the information overload and high storage costs
resulting from the retention of unnecessary (and often redundant) data.
This Data Retention Policy is designed primarily to set out the limits that
apply to the various types of personal data held by a business, to
establish the criteria by which those limits are set, and to set out how
personal data should be deleted or disposed of.
In addition, this policy template sets out where and how personal data is
held, and provides a brief overview of data subjects’ key rights under the
GDPR and a summarised overview of the various technical and organisational
data protection measures that the business has in place (duplicated for the
most part from our GDPR Data Protection Policy, which is designed to be used
in conjunction with this document).
The policy can be applied company-wide, or multiple policies can be used
for separate departments. Depending upon the amount of personal data used,
it may be preferable (and more manageable) to work on a per-department
Optional phrases / clauses are enclosed in square brackets. These should be
read carefully and selected so as to be compatible with one another. Unused
options should be removed from the document.
References to the various “Parts” of the Company’s Data Protection Policy
refer to the corresponding sections of our GDPR Data Protection Policy
template (and should therefore be amended if optional provisions are
removed from that document).
This Data Retention Policy contains the following clauses:
2. Aims and Objectives
4. Data Subject Rights and Data Integrity
5. Technical and Organisational Data Security Measures
6. Data Disposal
7. Data Retention
8. Roles and Responsibilities
9. Implementation of Policy
This Data Retention Policy is in open format. Either enter the requisite
details in the highlighted fields or adjust the wording to suit your