Data Retention: Why Less is More

Tuesday 7th March 2023

In November last year, France’s Data Protection Authority fined Discord €800,000 for GDPR violations, mostly concerning data retention.

As mentioned in the Winter Edition of our Privacy & Data Snapshot, this underlines the importance of data retention and not keeping data for longer than is necessary.

Where Discord went wrong

Retention Periods: Discord was found to be keeping user data such as email addresses and phone numbers beyond what was necessary for the platform to provide its services. Specifically, Discord retained personal data on more than 58,000 accounts which had not been used for over five years.

Critically, Discord had not implemented a data retention policy at the time of the investigation. Data protection laws do not specify set retention periods, but do require that organisations are able to justify their decision to retain data – it is near impossible to do this without a written record.

Privacy Policy: Discord failed to provide users with adequate information on how long their personal data would be kept. Under the UK GDPR, organisations must provide individuals with clear information about the processing of their personal data, including the retention periods for each category of data, or at the very least the criteria used to determine that period.

Discord’s privacy policy stated it retained data ‘for as long as necessary for the processing purposes defined in this document’. As there were no specific periods or criteria listed in the policy, this was found to be too generic. We are seeing more and more cases where supervisory authorities find that privacy policies do not contain the level of detail expected under data protection laws to give sufficient transparency to individuals.

Adopting a best practice approach

By being proactive about data protection compliance, organisations can avoid falling foul of the rules around data retention by taking the following steps:

  1. Know your data. Maintain a written record of processing activities (ROPA) to understand what data is processed, and where data is flowing to and from.
  2. Internal policies. Set retention periods for different types of data. This is usually done through a ‘retention policy’ that outlines the types of data the organisation processes, how long it should be kept, and what happens once the retention period has passed.
  3. Technical implementation. When it comes to implementing retention policies, IT and technical teams play a critical role in ensuring data is disposed of properly. These teams can help by writing scripts that automate data deletion: scheduled processes that erase data from particular folders or databases once the retention period set for that category of data has passed. Engaging these teams helps to guarantee that retention policies are consistently enforced.
  4. Transparency. There is a legal obligation to inform individuals how long an organisation plans to keep their data for. Organisations should review their privacy policies and determine whether they provide a sufficient amount of information on this – generic phrases such as “we keep your data for as long as necessary” should be avoided.
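As an added illustration of step 3 (this is example code written for this post, not anything Discord or the CNIL published), the following Python script applies a written retention policy to records in a dry-run mode before deleting anything. The policy figures, record layout and dates are constructed placeholders; records whose category is not in the policy are deliberately held back rather than deleted, because their retention cannot be justified either way.

```python
from datetime import datetime, timedelta, timezone

# Constructed retention policy: data category -> maximum retention in days.
# The figures are illustrative placeholders; real ones come from the
# organisation's written retention policy and its legal justification.
RETENTION_POLICY_DAYS = {
    "inactive_account": 2 * 365,   # account unused for two years
    "marketing_consent": 365,
    "invoice": 6 * 365,            # kept longer for accounting/tax obligations
}

def select_expired(records, policy, now):
    """Split records into (expired, unclassified).

    A record is expired when its last activity is older than the retention
    period set for its category. A record whose category is missing from the
    policy is never auto-deleted: it is handed back for a human decision,
    since neither keeping nor erasing it can be justified from the policy.
    """
    expired, unclassified = [], []
    for rec in records:
        days = policy.get(rec["category"])
        if days is None:
            unclassified.append(rec)
        elif now - rec["last_activity"] > timedelta(days=days):
            expired.append(rec)
    return expired, unclassified

def enforce_retention(records, policy, now, dry_run=True):
    """Apply the policy; return (remaining_records, audit_log, unclassified).

    With dry_run=True nothing is removed, only reported, so the job can be
    reviewed before it is scheduled to delete for real.
    """
    expired, unclassified = select_expired(records, policy, now)
    expired_ids = {rec["id"] for rec in expired}
    action = "would_delete" if dry_run else "deleted"
    audit = [{"id": r["id"], "category": r["category"], "action": action,
              "run_at": now.isoformat()} for r in expired]
    remaining = records if dry_run else [r for r in records if r["id"] not in expired_ids]
    return remaining, audit, unclassified

# Constructed sample rows standing in for a user/billing database.
SAMPLE_RECORDS = [
    {"id": "u-1", "category": "inactive_account", "last_activity": datetime(2017, 1, 10, tzinfo=timezone.utc)},
    {"id": "u-2", "category": "inactive_account", "last_activity": datetime(2022, 6, 1, tzinfo=timezone.utc)},
    {"id": "i-7", "category": "invoice", "last_activity": datetime(2018, 3, 1, tzinfo=timezone.utc)},
    {"id": "t-9", "category": "support_ticket", "last_activity": datetime(2015, 1, 1, tzinfo=timezone.utc)},
]
NOW = datetime(2023, 3, 7, tzinfo=timezone.utc)
```

Calling enforce_retention(SAMPLE_RECORDS, RETENTION_POLICY_DAYS, NOW) reports that only u-1 would be deleted and that t-9 still needs a category; the audit log it returns is the written record that lets the organisation show why each deletion happened.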

How long you should keep data for

How long is a piece of string? The lack of specified retention periods under data privacy laws makes compliance tricky. Organisations are responsible for choosing, outlining, and justifying retention periods, whilst also making sure that these periods are not set for any longer than is necessary. Some key factors to consider are statutory limitation periods for legal claims, and accounting and tax reporting requirements.

How we can help

We can support your organisation with all aspects of data retention problems that arise – from drafting internal policies to providing guidance on appropriate retention periods, to supporting on data subject erasure requests. Should you need any support, get in touch with one of our Data Privacy experts.