Executive Summary
Data retention is the bridge between collection and deletion. Section 8(8) requires deletion when data is no longer necessary for the purpose of collection. Implementing this requires defined retention periods, enforcement mechanisms, and exception handling. This guide addresses practical retention policy implementation.
Key Takeaways
- 1Define retention periods for each data category based on legal requirements and business necessity
- 2Implement automated enforcement where possible to ensure consistent application
- 3Address the gap between policy and practice in backup and archive systems
- 4Document retention decisions including the reasoning behind chosen periods
- 5Review and update retention schedules as requirements change
1Understanding Retention Obligations
Section 8(8) requires erasure of personal data when it is no longer necessary for the purpose of collection or when the Data Principal withdraws consent. This creates a ceiling on retention: data cannot be kept indefinitely. However, other laws may create retention floors: minimum periods data must be kept for legal or regulatory purposes.
2Developing the Retention Schedule
A retention schedule specifies how long each data category should be retained.
Inventory Data Categories
List all categories of personal data processed by the organisation. Use the data inventory as a starting point.
Identify Legal Requirements
For each category, research mandatory retention periods under applicable laws. Tax records, employment records, and transaction records often have specific statutory retention requirements.
Assess Business Necessity
Where no legal requirement applies, determine how long data is actually needed for the purpose of collection. This should be genuinely necessary, not merely convenient.
Set Retention Periods
For each category, define the retention period. Where legal requirements exist, retention must be at least that long. Where DPDPA purpose limitation applies, retention should not exceed necessity.
Document Rationale
Record the reasoning behind each retention period. This supports compliance demonstration and facilitates future review.
Practical Tips
- •Create categories at appropriate granularity; too broad makes different requirements hard to manage, too narrow becomes administratively burdensome
- •Consider industry standards and peer practices as guidance for reasonable periods
3Technical Implementation
Policy is meaningless without enforcement. Technical measures ensure retention policies are actually applied.
Retention Tagging
Implement mechanisms to tag data with applicable retention periods at collection. Metadata should indicate when data becomes eligible for deletion.
Automated Deletion
Configure systems to automatically delete data when retention periods expire. Automation reduces reliance on manual action and ensures consistent application.
Deletion Verification
Implement processes to verify deletion occurred. Audit logs should confirm that scheduled deletions completed successfully.
Hold Capabilities
Build in the ability to suspend deletion when data must be preserved for litigation or investigation. Holds should be specific and time-limited.
Important Warnings
- •Unstructured data is harder to manage than structured databases; plan specifically for documents, emails, and files
- •Legacy systems may not support automated retention; manual processes may be needed as interim measures
4Backup and Archive Management
Backup systems complicate retention because they are designed to preserve data.
Backup Retention Alignment
Align backup retention periods with data retention periods where feasible. Backups should not outlive the data they contain.
Granular Deletion Capability
Where possible, implement capability to delete specific data from backups rather than retaining entire backup sets.
Lifecycle Management
If granular deletion is not feasible, manage retention through backup lifecycle. Document that data will be deleted when backup sets expire.
Archive Review
Periodically review archived data against retention schedules. Archives often contain data that should have been deleted.
5Exception Management
Some data will need to be retained beyond standard periods.
Legal Holds
When litigation or regulatory investigation arises, implement holds that preserve relevant data regardless of normal retention periods.
Regulatory Requirements
Where regulators require specific data preservation, document the requirement and apply extended retention.
Business Justification
Exceptional business needs may justify extended retention. Document the justification and limit extension to what is genuinely necessary.
Exception Review
Periodically review active exceptions. Holds and exceptions should not become permanent; release when the basis no longer applies.
6Governance and Review
Retention policies require ongoing governance to remain current and effective.
Periodic Review
Schedule regular review of the retention schedule. Legal requirements change, business needs evolve, and policy should keep pace.
Compliance Monitoring
Audit whether retention policies are being followed. Sample data to verify deletion is occurring as scheduled.
Stakeholder Communication
Ensure relevant stakeholders understand retention policies and their obligations. IT, legal, records management, and business units all have roles.
Update Procedures
Establish procedures for updating retention schedules when requirements change. Changes should follow defined approval processes.