Data retention

Data retention is the practice of storing data for a limited amount of time. It involves determining how long different types of data should be kept and when they should be securely deleted or archived.

In the context of data protection, data retention is, along with data minimization, one of the ways to mitigate risks associated with storing excessive personal data. In the event of a data breach, minimization and retention help limit the amount of personal data exposed, while encryption and tokenization ensure that any leaked data is effectively unusable to attackers.

Among other purposes, such as reducing storage costs, data retention ensures compliance with data protection laws like GDPR, HIPAA, or CCPA. For example, GDPR requires companies to comply with the principle of storage limitation: personal data that identifies individuals must not be stored longer than necessary for the purposes for which it was collected.

However, a company may need to maintain historical data, possibly in a deidentified form, to support audits or research. A data retention policy should strike a balance between regulatory requirements and business needs.

The purpose of a data retention policy is to:

• Define the duration for which data is stored, which may vary depending on the data type; for instance, financial records may be stored longer than identifiable personal data.
• Establish backup procedures and guidelines for periodic review.
• Describe what happens to data after its retention period ends. You may want to go with secure destruction to prevent unauthorized access or recovery, or opt for anonymization to deidentify the data but keep it available for your data analysts to work on.