Data retention concerns the retaining of data, information and records over time to meet business, legal, regulatory, fiscal and archival requirements.
The primary driver for implementing a data retention strategy must always be the business requirements, with the fiscal and legal requirements then built into that strategy. Implementing a data retention regime is challenging.
Not only is there a natural privacy conflict between ensuring data is kept as long as is necessary and the Data Protection requirement to keep personal data for no longer than is necessary, but individual countries also operate different data retention regimes to the UK.
Some data retention rules are sector-specific, for example the rule requiring telecoms and Internet service providers to retain communications data for a minimum of 12 months. This particular requirement is driven by the need for authorities to detect and prevent cyber crime and terrorism. Privacy campaigners are concerned that this kind of retention can be too intrusive into individuals' private lives without appropriate checks and balances in place.
Minimum data retention period
Businesses usually retain their transactional data for at least 7 years in the UK. This figure is based upon the statutory limitation for bringing a case to court - 6 years (see Limitation Act 1980) + 1 year for good measure.
International companies will need to check the data retention requirements in each country within which they operate.
You may need to retain some records for much longer periods. For example, pensions records could be kept for up to 70 years and more.
The key is for the organisation to justify the retention period by implementing a strategy and providing a policy against which the requirements can be measured.