Today, companies across all industries rely on data retention policies to protect the personal information of their stakeholders and ensure regulatory compliance.

This article looks into what data retention policies are and highlights their benefits. It also outlines a three-step process that will help you develop an effective data retention policy for your business.

What is a data retention policy?
How long should I store personal data?
What are the 3 steps to developing an effective data retention policy?
What are the benefits of a data retention policy?
How Penneo retains data

 

What is a data retention policy?

A data retention policy is a set of guidelines that outlines how long companies should keep each type of personal data. Every data retention policy should include:

  • the types of personal data that the organization collects
  • the processing purposes for each type of data
  • the different retention periods
  • how to get rid of the information when it’s no longer necessary

 

How long should I store personal data?

All businesses that collect, use, and store the personal information of individuals in the EU must comply with the data retention requirements set out in the GDPR. This means they need to delete or anonymize data as soon as it no longer serves its processing purposes.

Accordingly, if you only need the personal information of a staff member during their employment, you must dispose of their data when they leave the company.

However, certain businesses are subject to additional legal requirements for data retention. Hence, they should keep the data for as long as the law requires them.

For example, entities subject to Anti-Money Laundering laws such as banks, lawyers, and accountants are legally required to store all due diligence data for five years from the end of a business relationship or occasional transaction.

So, next time you’re in doubt about how long to store personal data, keep in mind that:

  • you should never store data just because it might come in handy one day
  • you need to be aware of all the national and EU laws that apply to your company and retain personal data accordingly
  • under the GDPR, you must erase personal data as soon as it outlives its processing purposes

 

What are the 3 steps to developing an effective data retention policy?

To develop an effective data retention policy for your business, follow the steps below:

1. Identify the types of data that your company holds

Start by listing all the types of data that your company processes, such as names, home addresses, phone numbers, IPs, emails, and credit card details.

Next, describe the legitimate reasons for collecting each type of data. For example, verifying a person’s identity or granting free trials to potential customers.

2. Set the appropriate retention periods for each type of data

While the GDPR does not mention specific retention periods for personal data, it clearly states that organizations shouldn’t keep data longer than they need it.

Thus, it is up to the companies to set appropriate retention periods for each type of information based on the data processing purposes and the company’s legal obligations.

For example, documents collected during the KYC process must be stored for five years from the end of a business relationship or occasional transaction.

Since data retention policies document the purposes for data processing and take into account legal requirements, you can use them to demonstrate your compliance.

3. Specify the disposal method for each type of data

When data becomes redundant, you have to dispose of it either by deleting or anonymizing it in a way that makes it impossible to recover afterwards.

In the case of data stored on cloud-based solutions, the provider has to carry out the erasure. Therefore, it is crucial to choose compliant software providers when subcontracting the processing of personal data.

 

What are the benefits of a data retention policy?

The three main benefits of a data retention policy are:

Reduced exposure in case of a data breach

In today’s digital world, every business is a potential target for cybercrime. Hackers will spare no effort to get their hands on valuable personal data and exploit it for financial gain. Therefore, keeping data for longer than necessary poses a significant security risk. After all, the more data you have, the more data to worry about.

Just look at all the companies that have been the victims of cyberattacks over the past few years. An example is the software company Adobe which suffered one of the most significant data breaches of the 21st century. Over 150 million user records were stolen, and Adobe had to pay a $1 million settlement to 15 states for the data breach.

Besides causing financial loss, data breaches can seriously damage a company’s reputation and disrupt business processes.

An effective data retention policy is a crucial line of defense against cybercrime. By deleting or anonymizing unnecessary data, you significantly reduce the potential damage that a hacker could cause.

Storage optimization and reduced costs

One of the primary challenges for businesses that store large amounts of data is cost. Ongoing server maintenance and document handling are costly and time-consuming activities.

By deleting the data you no longer need, you can optimize data storage and significantly reduce costs.

Compliance with data retention laws and regulations

Improper data retention can result in hefty fines. Deleting records that you are legally required to keep for a certain period can get your company in trouble.

Unfortunately, this led to many employees keeping information to be on the safe side, unaware that storing data for longer than necessary violates the GDPR’s requirements.

A data retention policy instructs your employees how long they should store each type of data depending on its processing purposes and the company’s legal obligations. No more second-guessing – employees will know precisely when they need to delete the data.

 

How Penneo retains data

Penneo SignPenneo Sign is a digital signing solution that stores data and documents until the customer or user deletes them or requests Penneo to delete them. Data retention is included in the subscription price for the Penneo Sign platform for 5 years. All the information and files stored in the system are encrypted to prevent unauthorized access.

After the termination of a contract, Penneo keeps all the customer’s data for an additional 90 days and then deletes it. During this period, the customer can request the anticipated deletion of the data.

If you want us to delete your data, you can submit a request here. Our support team will acquire the necessary information, and we will fulfill the request within a week.

When a customer asks Penneo to delete their data, the record will be flagged for deletion in the database. Data flagged for deletion will be permanently deleted within 60 days of being flagged. For security reasons, permanent data deletion can only be carried out by at least two Penneo employees.

Penneo Sign also allows customers to easily schedule the data for automatic deletion by selecting:

  • when should the system send the files to the recycle bin (default is 30 days after completion)
  • when should the system empty the recycle bin (default is 30 days after completion)

All Penneo customers can obtain an audit opinion to check if their data has been deleted from our system.


Penneo KYC Penneo KYC is an AML compliance software that stores all due diligence data for 5 years from the end of a business relationship or occasional transaction. At the end of the period, the system automatically deletes the data.

All data stored in Penneo KYC are end-to-end encrypted, so only authorized people can access it.

If you're looking to learn more, we have a few suggestions for you

EU unveils ambitious AML package

EU unveils ambitious AML package

AML and Industry Predictions for Auditors and Accountants in 2024

What to Expect From 2024: AML and Industry Predictions for Auditors and Accountants

AML-compliant risk assessments of customers

How to Perform AML-Compliant Risk Assessments and Risk Classifications of Your Customers