Data retention policy: how long can you keep personal data?
GDPR's storage-limitation principle says you may keep personal data only as long as you actually need it. A data retention policy turns that principle into concrete schedules — and defensible, provable deletion when the clock runs out.
The principle: Storage limitation, in plain terms.
GDPR Article 5(1)(e) requires that personal data be kept in a form that permits identification of individuals for no longer than is necessary for the purposes it was collected for. In other words: once you no longer need the data for a legitimate purpose, you are supposed to delete or anonymize it.
There is no universal number of years. 'How long is too long' depends on the purpose, the legal basis, and any overriding legal obligation to keep records — tax, employment, and financial rules commonly set their own minimum retention periods that sit on top of the privacy default.
The warehouse problem: Retention is hardest in the data warehouse.
In a transactional database, retention can be a scheduled DELETE. In an analytics warehouse it is far messier: the same record has been copied into staging tables, joined into marts, exported to dashboards, and captured in backups and time-travel windows. Deleting the source row leaves the copies behind, so the data is not really gone when your policy says it should be.
This is why retention and the right to erasure are the same engineering problem. Both require you to reach every copy of a person's data and produce evidence that it is gone. Crypto-shredding solves both at once: encrypt personal fields on write, and when a retention period or an erasure request lands, destroy the key so every copy — including the ones in backups — becomes unreadable in a single, provable step.
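Crypto-shredding with per-subject keys and a retention deadline, as an added example that is not from the original page. `KeyStore`, `seal`/`unseal` and the sample rows are hypothetical, and the HMAC-based cipher is a standard-library stand-in for a real AEAD such as AES-GCM with keys held in a KMS.

```python
import hashlib, hmac, secrets
from datetime import date, timedelta
# HMAC-SHA256 counter-mode keystream plus MAC tag: stdlib stand-in for AES-GCM (assumption)
def _stream(key, nonce, n):
    return b"".join(hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def _tag(key, nonce, ct):
    return hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + _tag(key, nonce, ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _stream(key, nonce, len(ct))))

class KeyStore:
    """Hypothetical per-subject key store; stands in for a KMS or HSM."""
    def __init__(self):
        self._keys = {}  # subject_id -> (key, delete_after date)
    def create(self, subject_id, collected, retention_days):
        self._keys[subject_id] = (secrets.token_bytes(32), collected + timedelta(days=retention_days))
        return self._keys[subject_id][0]
    def get(self, subject_id):
        return self._keys.get(subject_id, (None, None))[0]
    def purge_expired(self, today):
        expired = [s for s, (_, due) in self._keys.items() if due <= today]
        self._keys = {s: v for s, v in self._keys.items() if s not in expired}  # key destruction
        return expired  # record of which subjects were shredded on this run

def read_email(store, row):
    key = store.get(row["subject"])
    return unseal(key, row["email"]).decode() if key else None  # None: key gone, unreadable

def demo():
    store = KeyStore()  # all rows below are constructed sample data
    k1 = store.create("user-1001", date(2020, 1, 1), 365)
    k2 = store.create("user-2002", date(2024, 6, 1), 365)
    source = [{"subject": "user-1001", "email": seal(k1, b"ana@example.test")},
              {"subject": "user-2002", "email": seal(k2, b"raj@example.test")}]
    backup = [dict(r) for r in source]  # a copy that a scheduled DELETE never reaches
    shredded = store.purge_expired(date(2024, 12, 31))
    return shredded, [read_email(store, r) for r in source + backup]
```

The result holds only if the key itself was never copied into the backups or caches it is meant to protect, so key storage needs its own deletion guarantee.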