A retention period is the defined timeframe during which personal data or business documents may lawfully be stored. Under the GDPR, personal data must not be kept longer than necessary for the purpose for which it was collected, unless a specific legal obligation mandates extended storage. Different categories of data often have different retention requirements based on applicable legislation.
Establishing and enforcing clear retention periods is a practical necessity for data minimisation compliance. Organisations should maintain a retention schedule that maps each data category to its legal basis and disposal method, and conduct periodic reviews to ensure that expired data is deleted or anonymised in a timely manner.