Why Retention of Personal Data in SMEs?
The retention of personal data in SMEs is often treated as a mere administrative formality. In practice, it is a decision concerning governance, risk and operational efficiency. Many organisations collect data easily, use it in various processes and store it for years without a clear rationale. The problem is that, in the context of the GDPR, keeping data “because it might be useful one day” is not a valid criterion.
The principle of storage limitation requires that personal data be retained only for as long as is necessary for the purposes that justified its collection. This means that the company needs to be able to answer simple but crucial questions: Why are we keeping this data? How long do we need it for? What happens when that period ends? Who decides? How do we prove that the rule is being applied?
For many SMEs, this is one of the areas where compliance fails not through bad faith, but through a lack of method. There are human resources files that have accumulated over the years, commercial databases containing old contacts, CVs stored without any criteria, outdated newsletter lists, backups that perpetuate unnecessary information, and internal applications where no one knows exactly what data is stored, for how long, or on what grounds.
Defining a retention policy is not just about “complying with the GDPR”. It serves to reduce risk, improve internal control, facilitate responses to data subjects’ requests, minimise exposure in the event of a data breach, and better organise information systems. An SME that knows what it holds, why, and for how long is far better prepared to demonstrate accountability than an organisation that accumulates data indefinitely.
In this article, we explain how to build a practical approach to personal data retention in SMEs, without unnecessary red tape, but with sufficient rigour to be operational, auditable and aligned with the reality of the business.
Why is data retention so important under the GDPR?
When it comes to privacy, many companies focus on obtaining consent, privacy policies or contracts with processors. All of this is important, but retention is where compliance is genuinely put to the test. This is where the organisation demonstrates whether it can control the information lifecycle.
Storing data for longer than necessary increases risk on several fronts. Firstly, it increases the attack surface. The more data there is and the longer it remains in systems, the greater the potential impact of a security incident. Secondly, it makes it difficult to manage data subjects’ rights, as the company ends up with information scattered across multiple systems, duplicated and out of date. Thirdly, it creates operational inefficiency, as teams work with irrelevant records, old versions and information that should no longer be available.
There is also a reputational dimension. A company that cannot justify why it retains certain data conveys an impression of disorganisation, immature governance and weak internal control. On the contrary, an SME with clear retention criteria demonstrates responsibility, proportionality and discipline.
The retention of personal data in SMEs should therefore be seen as part of the privacy management system and not as an isolated task for the legal or IT department.
The most common mistake: confusing storage with necessity
The most frequent mistake in SMEs is to assume that, because digital storage is cheap, keeping data costs nothing. It does. And the cost is not just technological. It is legal, organisational and reputational.
Many companies keep data because “it might be needed”, “you never know”, “we’ve always done it this way” or “deleting it is a hassle”.
These justifications are not sufficient. The GDPR requires necessity, proportionality and purpose. The fact that the information might be useful in the future does not, in itself, justify its indefinite retention.
Another common mistake is using a single generic retention period for everything. For example, deciding that “we keep all data for 10 years” may seem simple, but it is usually wrong. Different categories of data, in different processes, have distinct purposes, different legal bases and specific sectoral requirements. It makes no sense to apply the same rule to CVs, billing data, business contacts, technical support records and CCTV footage.
An effective policy does not need to be complex, but it must distinguish between processing contexts.
The starting point: mapping purposes, categories and obligations
No serious retention policy is devised on the fly. The starting point is the work that an SME should already have begun in the previous article in this series: mapping processing activities.
For each process involving personal data, the company must be able to identify:
- What the purpose of the processing is.
- Which categories of data are involved.
- Who the data subjects are.
- What the applicable legal basis is.
- Which systems or repositories store this data.
- Whether there are any legal or regulatory obligations imposing a minimum retention period.
- When there is no longer an operational need to retain the information.
- What happens when the retention period ends: deletion, anonymisation, blocking, restricted archiving or another controlled measure.
Without this exercise, retention ends up being defined by habit rather than by criteria.
How to set retention periods in a practical way
A good approach to personal data retention in SMEs does not start by asking “how many years?”. It starts by asking “until when does this purpose make sense?”.
1. Define the purpose clearly
The purpose must be specific. “Commercial management” is too vague. “Management of proposals and pre-contractual contacts” is better. “Payroll processing”, “recruitment”, “customer management”, “compliance with tax obligations”, “sending newsletters”, “complaints management” are more practical examples.
The clearer the purpose, the easier it will be to understand when it ends.
2. Identify the basis for retention
Not all data is retained for the same reason. In some cases, retention stems from a legal obligation. In others, it is necessary for the performance of a contract. In certain situations, it may be based on a legitimate interest that has been properly assessed. In specific contexts, it may depend on consent.
This distinction is important because the retention period may vary depending on the basis. Data retained due to a legal obligation does not follow the same logic as data kept for marketing purposes.
3. Distinguish between active retention periods and archiving periods
Data does not always cease to be necessary the moment the main process ends. There may be an additional restricted archiving period for the defence of rights, litigation management, regulatory compliance or demonstration of compliance.
This does not mean keeping the information “active” in operational systems. It means, where justifiable, restricting access, limiting use and documenting the reason why the data continues to exist.
4. Establish criteria, not just numbers
Sometimes, the best criterion is not a fixed date, but an event.
For example: “until the end of the contractual relationship and for the additional period required by applicable legal obligations” or “until the recruitment process is closed, unless valid consent is given for future retention for a defined period”.
The criteria can then be operationalised in internal rules, retention schedules and system settings.
Practical examples in an SME context
Recruitment and selection
CVs received for a specific vacancy should not be kept indefinitely. The company must define the timeframe required to conduct the recruitment process, respond to any queries and finalise the decision. If it wishes to retain the CV for future opportunities, it must have adequate grounds and inform the candidate transparently.
Here too, it is important to avoid duplication: CVs in emails, on the manager’s laptop, in a shared folder and on an external platform. A retention policy without strict control over storage locations loses its effectiveness.
Customers and invoicing
Data processed in the context of the contractual relationship with customers may need to be retained for operational and legal reasons. But this does not mean that everything must remain accessible in the same way and for the same period. Data used to provide the service, data required for invoicing, support data, commercial history and marketing communications may have different retention policies.
The company must distinguish between what it needs to perform the contract, what it needs to comply with legal obligations and what it retains merely for convenience.
Marketing and newsletters
An out-of-date marketing database is a classic risk. Old contacts, with no interaction for long periods, of unclear origin or without proper segmentation, should be reviewed. Retention in this area must consider the relationship with the data subject, the reasonable expectation of contact, the origin of the data, the legal basis and signs of inactivity.
More important than “never deleting” is defining when to review, when to revalidate and when to remove.
Human resources
HR processes combine various types of data: identification, contractual data, attendance, remuneration, performance reviews, training, occupational health in specific contexts and administrative details. Not everything has the same sensitivity, the same permitted access or the same retention period.
Retention in this area must be particularly strict, as an excess of information in files relating to employees or former employees can create high and unnecessary risks.
What a retention policy should include
A retention policy does not need to be a long document. It needs to be clear, enforceable and consistent with the reality of the company.
It should include, at a minimum:
- the policy’s objective;
- the scope of application;
- the principles used to define retention;
- those responsible for decision-making, review and implementation;
- the retention schedule by process or category of processing;
- the rules for deletion, anonymisation, blocking or archiving;
- coordination with backups, legacy systems and physical media;
- the periodic review process;
- the link to the record of processing activities and information security policies.
The most important thing is that the policy is not disconnected from operations. A perfect table in Word is of little use if the systems continue to retain everything indefinitely.
Backups, copies and forgotten systems: the part that almost everyone overlooks
One of the most critical issues regarding the retention of personal data in SMEs is the gap between the formal rule and technical reality. A company may decide to delete certain data after a set period, but it remains in backups, exported files, local drives, email inboxes, legacy applications or shared folders.
This does not mean that every technical copy is automatically unlawful. It does mean, however, that the organisation must understand where the data resides, what the technical limitations of immediate deletion are, and how to mitigate the risk until complete removal has taken place.
This is where collaboration between privacy, IT, operations and business units becomes essential. Retention is not merely a documentary decision; it is an operational capability.
How to implement without creating unnecessary bureaucracy
For an SME, the aim should not be to create a cumbersome model. It should be to create a model that works. A realistic approach can follow five steps:
First, choose the priority processes: HR, customers, marketing, invoicing and suppliers, for example.
Second, build a simple table setting out the purpose, data category, legal basis, retention period, review criteria and final destination.
Third, validate this table with those who understand the operation and those who manage the systems.
Fourth, adjust procedures and settings where possible.
Fifth, review periodically and handle exceptions in a controlled manner.
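As an added example (not the article's own material, nor anything from iPrivacy.eu), the five steps above can be operationalised as a small schedule evaluator: each row of the retention table records the purpose, data category, legal basis, the event that starts the clock, an active period, an optional restricted-archiving period (the distinction made in "Distinguish between active retention periods and archiving periods") and the final destination. Records are then evaluated against the table, records with no matching row are flagged, and legal holds are handled as a controlled exception. All process names, periods, record identifiers and dates are constructed sample values; the periods are illustrative and are not sectoral legal retention periods.

```python
"""Event-based retention schedule evaluator: constructed example, not from the article."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RetentionRule:
    """One row of the retention table: purpose, category, basis, trigger, periods, destination."""
    process: str                  # specific purpose, e.g. "recruitment"
    category: str                 # data category covered by the row
    legal_basis: str              # basis for retention (contract, legal obligation, consent, ...)
    trigger: str                  # event that starts the clock, e.g. "contract_end"
    active_days: int              # active retention after the trigger event
    archive_days: int = 0         # restricted archiving after the active period (0 = none)
    final_action: str = "delete"  # final destination: "delete" or "anonymise"


@dataclass
class Record:
    record_id: str
    process: str
    events: Dict[str, date] = field(default_factory=dict)  # event name -> date it occurred
    legal_hold: bool = False      # controlled exception, e.g. pending litigation


def disposition(rule: RetentionRule, record: Record, today: date) -> Tuple[str, Optional[str]]:
    """Return (state, next_review_date as ISO string or None).

    States: held, active, restricted_archive, or the rule's final action.
    """
    if record.legal_hold:
        return ("held", None)
    trigger_date = record.events.get(rule.trigger)
    if trigger_date is None:
        return ("active", None)  # the purpose is still live; the clock has not started
    active_until = trigger_date + timedelta(days=rule.active_days)
    if today < active_until:
        return ("active", active_until.isoformat())
    archive_until = active_until + timedelta(days=rule.archive_days)
    if today < archive_until:
        return ("restricted_archive", archive_until.isoformat())
    return (rule.final_action, None)


def run_schedule(rules: List[RetentionRule], records: List[Record], today: date):
    """Apply the table to every record; a record whose process has no row is flagged 'unscheduled'."""
    by_process = {r.process: r for r in rules}
    report = {}
    for rec in records:
        rule = by_process.get(rec.process)
        report[rec.record_id] = disposition(rule, rec, today) if rule else ("unscheduled", None)
    return report


def actions_due(report) -> List[str]:
    """Record ids that need a decision now: final action reached, or no rule exists at all."""
    return sorted(rid for rid, (state, _) in report.items()
                  if state in ("delete", "anonymise", "unscheduled"))


# Constructed sample rows: illustrative periods, not legal retention periods.
RULES = [
    RetentionRule("recruitment", "CVs and candidate contact details", "pre-contractual steps",
                  trigger="vacancy_closed", active_days=180),
    RetentionRule("customer_contract", "contract and invoicing data", "contract / legal obligation",
                  trigger="contract_end", active_days=365, archive_days=1095),
    RetentionRule("newsletter", "e-mail address and interaction history", "consent",
                  trigger="last_interaction", active_days=730),
    RetentionRule("support_tickets", "ticket content and requester identity", "contract",
                  trigger="ticket_closed", active_days=365, final_action="anonymise"),
]

# Constructed sample records.
RECORDS = [
    Record("cv-1001", "recruitment", {"vacancy_closed": date(2024, 5, 1)}),
    Record("cv-1002", "recruitment", {}),                                   # vacancy still open
    Record("cust-2001", "customer_contract", {"contract_end": date(2024, 6, 30)}),
    Record("cust-2002", "customer_contract", {"contract_end": date(2023, 1, 10)}),
    Record("cust-2003", "customer_contract", {"contract_end": date(2015, 1, 1)}, legal_hold=True),
    Record("news-3001", "newsletter", {"last_interaction": date(2022, 1, 1)}),
    Record("sup-5001", "support_tickets", {"ticket_closed": date(2023, 6, 1)}),
    Record("export-4001", "old_excel_export", {}),                           # no row in the table
]

TODAY = date(2025, 1, 15)  # constructed evaluation date


def example_report():
    return run_schedule(RULES, RECORDS, TODAY)


if __name__ == "__main__":
    report = example_report()
    for rid, (state, review) in report.items():
        print(f"{rid:12} {state:20} next review: {review or '-'}")
    print("actions due:", actions_due(report))
```

The "unscheduled" state is deliberately treated as an action item rather than a silent default: a record that no row of the table covers is exactly the warning sign the article describes (data with no defined owner and no schedule), and it should be routed to whoever owns the retention policy instead of being retained by habit.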
With this method, the company does not attempt to resolve everything at once, but begins to build a defensible logic for information governance.
Warning signs that your SME needs to review its retention policy
There are several clear signs that the retention of personal data in SMEs is out of control:
- The company cannot explain why it retains certain data.
- There are old files with no defined owner.
- The same data exists across multiple systems and folders.
- Requests for deletion or access are difficult to fulfil.
- Very old business contacts are still active on the lists.
- CVs are stored without any criteria.
- Email inboxes function as permanent archives.
- Backups have never been assessed from a privacy perspective.
- There is no retention schedule associated with the record of processing activities.
If two or three of these signs are present, there are already sufficient grounds for a structured review.
Conclusion
The retention of personal data in SMEs does not have to be a cumbersome, legalistic exercise detached from day-to-day operations. It should be a good management practice. When a company sets clear timeframes, documents criteria and consistently enforces rules, it gains control, reduces risk and improves its privacy maturity.
The aim is not to delete for the sake of deleting. It is to retain what is necessary, for the appropriate period, and with a clear rationale. This discipline helps ensure compliance with the GDPR, but it also helps businesses operate more effectively: less noise, less duplication, less exposure, more trust.
At iPrivacy.eu, we help SMEs transform abstract data protection rules into concrete, proportionate processes that can be applied in day-to-day operations. A well-designed retention policy is one of the pillars of this transformation, because it shows that the organisation does not merely collect data: it knows how to manage it throughout its entire lifecycle.
Next Steps
Does your company know what data it holds, why, and for how long?
iPrivacy.eu can help you create or review your retention policy, align your record of processing activities, and turn GDPR obligations into simple, auditable procedures.
FAQ (Frequently Asked Questions)
What is the retention of personal data in SMEs?
It is the set of rules that specifies how long an SME may retain personal data, for what purposes, and what must happen when the retention period expires.
Does the GDPR require all data to be deleted promptly?
No. The GDPR does not require immediate deletion in all cases. It requires that data be retained only for as long as necessary and on appropriate grounds.
Can an SME keep data “just in case it might be useful”?
As a general rule, no. Generic future utility is not a sufficient criterion. The company must justify the retention on the basis of a specific purpose, a genuine need and a valid justification.
Does the retention policy have to cover all systems?
It must cover all relevant contexts where personal data is held, including applications, files, emails, physical media and, where applicable, backups and archives.
Does the retention of personal data in SMEs depend on the sector?
Yes. Although there are common general principles, certain deadlines and obligations depend on the sector, the type of activity and the applicable legal framework.