Iubenda logo
Start generating


Table of Contents

Data Retention Policy: Best Practices And Why You Need One

User data has longtime been a valuable asset for businesses, with data protection laws being introduced to regulate the way it can be responsibly handled. Needless to say, that when it comes to collecting data, businesses need to be aware of the legal requirements and best practices that come with it! One of these practices is having a data retention policy.

👀 Let’s dive in.

What is a data retention policy?

First and foremost, what is data retention? It refers to data being stored and used for a set period of time, called the data retention period. In short, this period defines how long the data (i.e. an email address, medical file, payroll) will be kept for, before having to be deleted.

data retention policy

The data retention policy is not a standalone “policy” document like the privacy policy in the GDPR understanding. It is more of an internal assessment to define all the following information, for each processing activity:

  • what data is stored;
  • for how long data is stored;
  • where data is stored;
  • what happens to data that is no longer needed.

It is an important part of your business’ internal privacy management, along with keeping track and being able to describe security measures, legal basis for processing, data transfer outside the EU and the parties that you share the data with.

Why do you need a data retention policy?

Your data controller needs to carry out an assessment based on a number of criteria to define retention periods for the categories of personal data that is processed, and then disclose this information to users.

In general, data retention periods can be:

  • mandatory because imposed by a specific law or industry, i.e. a fixed period defined by national legislation, tax, anti-fraud or employment laws; or
  • recommended, i.e.by a country’s data protection authority and act as guidelines for the data controller (such as the guide by the French Data Protection Authority, CNIL).

More than just an internal assessment

💡 Apart from carrying out an internal assessment of your data retention policy, please also note that under GDPR Article 13 you are legally required to disclose retention periods for each of your processing activities!

👋 Sounds complicated? It doesn’t have to be! See how to do it in this section

🇺🇸 California’s CPRA (CCPA amended) that came into force in January 2023, is another strong example. It now requires mentioning the retention period for each category of personal information, including sensitive personal information, in a notice at collection. Businesses are therefore advised to limit personal information’s retention to the shortest amount of time necessary and to the purpose for which it was collected.

Best practices for data retention

Questions to address

You might find useful considering the following questions:

📌 Until when do I really need the data for the business to achieve the initial objective?
📌 Am I legally obliged to keep the data for a certain period of time?
📌 Should I keep certain data to protect myself from a potential issue?
📌 Which data needs to be stored? For how long?
📌 What are the rules for storing or deleting data?

Best practices

Here are some key principles to follow as you build your data retention policy:

✅ Have a precise, legal and legitimate purpose;
✅ Set a precise, time-limited retention period;
✅ Data must be relevant and necessary;
✅ Data must be stored for the shortest time possible;
✅ Data is safe and protected.

What you need to do

Here’s how you can disclose data retention to your users.

Best practice is to include accurate data retention information via your privacy documents, such as your privacy policy.

Here’s how to do this with iubenda:

🚀 Use our Privacy and Cookie Policy Generator to add the technologies you use on your website (i.e. Facebook access);
🚀 Use our Internal Privacy Management tool for defining storage duration for each processing activity;
🚀 Generate your privacy policy with all necessary default disclosures! (See example below)

data retention policy

Easily disclose data retention periods

Get started now