Glossary

Data Retention Policy

Policy determining how long different types of data are retained and when they must be destroyed.


A data retention policy defines how long your organisation keeps different categories of data and when that data must be deleted. Under GDPR, you may not store personal data longer than necessary for its original purpose. For AI startups, this also covers training data, user interaction logs and model outputs.

How to create one:

  • Categorise your data: List all data types you store — customer data, employee data, AI training data, logs, analytics, backups. Group them by purpose and sensitivity.
  • Define retention periods: For each category, determine how long you need it. Some have legal minimums (e.g. financial records: 7 years) while most personal data should be deleted when no longer needed.
  • Automate deletion: Set up automated cleanup jobs or retention rules in your database and cloud storage. Manual deletion does not scale and is error-prone.
  • Handle exceptions: Define a process for legal holds (when data must be preserved for litigation) and data subject deletion requests (GDPR right to erasure).
  • Review annually: Retention needs change as your product and legal landscape evolve. Schedule a yearly review.

The Dutch Data Protection Authority provides guidance on the right to erasure and retention. Tidal Control helps you document retention schedules and link them to your processing register for a complete audit trail.
