What it Means
GDPR compliance requires a documented data retention policy. A data retention policy is a protocol for retaining information for operational or regulatory compliance needs, with an appropriate retention schedule which permits identification of data subjects for no longer than is necessary. A retention policy offers guidance and provides a framework for employees to manage information across its lifecycle so that the entire organisation complies with the various laws and regulations pertaining to data management.
A retention policy also covers both physical paper and digital formats. Therefore, if a digital file is destroyed under the retention policy and the paper version is not, the guideline is breached. This potentially impacts compliance with the GDPR, along with a number of other industry-wide regulations.
As with many aspects of GDPR, there is no one standard approach or data retention policy that fits every organisation; it depends entirely on the size, scope and activities of each individual company.