Document Retention

• Author: David Zetoony
• Profession: Is a partner in the Boulder, Colorado office of Bryan Cave Leighton Paisner, LLP, an international law firm
• Pages: 71-73

71

DocUMent

RetentIon

Q.73 WHAt Is “DAtA MInIMIzAtIon”?

The term data minimization refers to the following two requirements

within the GDPR: (1) a company should only collect personal data that is

“necessary” in relation to its purpose and (2) a company should keep data

for “no longer than is necessary for [that] purpose[].”164 Put differently, a

company should only collect what it needs, for as long as it needs it.

Q.74 Do ALL coMpAnIes neeD to IMpLeMent

A RecoRDs RetentIon poLIcy?

Not necessarily.

A record retention policy typically discusses the obligation for

employees either to keep certain types of documents within an

organization for a particular length of time or to destroy certain types

of documents after a particular length of time. Such policies may also

discuss how documents should be destroyed (e.g., shredding, degaussing,

etc.) and attach a schedule indicating the length of time that applies to

various document categories or types.

Although some companies nd that a records retention policy and/or a

records retention schedule are useful to help document their efforts toward

data minimization, the GDPR does not mandate that a company adopt a

formal policy or schedule, and many companies nd that they can achieve

compliance through other means. For example, some companies memori-

alize how long they intend to keep personal data when conducting a data

inventory or completing a data register. Furthermore, many structured

electronic systems allow companies to select data retention time periods on

a granular level (e.g., by individual data elds) within the data system itself.

164. GDPR, Article 5(1)(c), (e).