It’s not uncommon to hear about businesses storing large volumes of personal data. There are endless reasons why personal data may be collected and processed, such as building user profiles in order to market targeted products and services. However, many businesses fail to consider how to dispose of the data once it has served its purpose without damaging their reputation or infringing upon a data subject’s rights.

This blog will help you understand the importance of data retention, as well as how long personal data should be stored and the consequences of holding onto data for longer than necessary.

What is data retention?

Data retention is the practice of storing files or documents for a specific period, or indefinitely, for compliance or business-related reasons. Any time your business saves data, you are technically retaining it. The general principle of data retention is that data should be kept only for as long as it is necessary. Although Canada does not prescribe set retention periods for data, it does require businesses to look at statutory requirements and implement retention schedules that are justified by business needs. For example, a business holding information on an employee’s health for the duration of their employment would be deemed appropriate, but that information would need to be erased once the employee leaves.

Personal data can be held for longer than the specified period only if it is processed for archiving in the public interest, for scientific or historical research, or for statistical purposes. Keeping data only for as long as necessary is the basic rule, yet this area is largely overlooked by businesses, because deleting vast amounts of data can be time consuming and they may still consider the information a business asset.

It’s important that businesses demonstrate data retention practices that meet their specific industry regulatory requirements. For example, organizations that accept credit card payments, or that handle sensitive health information, must establish and adhere to PCI DSS and HIPAA data retention policies, respectively. This ensures that personal data is stored only for the period in which it is being processed and is then destroyed once it no longer serves a meaningful purpose for the organization.

All businesses need to be aware of data erasure rights, which allow individuals to have their personal data purged if it is no longer being processed for the purposes for which it was originally collected. Erasure can be carried out by manual or automated means. It is one thing to create a data retention schedule or policy, but another job entirely to implement it.

Why are data retention policies important?

Implementing and following a data retention policy is important in helping businesses organize and manage their data, keep it safe, and demonstrate that their data management is in accordance with industry standards and the law. Organizations without a data retention policy, or with little understanding of data retention, are more likely to face financial and legal consequences, as well as data breaches, as a result of over-retention.

Practice what you preach

Here are a few things to consider if your business stores personal data:

  • If data does not need to be held for any legal purpose, and does not add business value, ensure that you securely dispose of it
  • Periodically review the data you hold, and erase it if it is no longer needed
  • Understand where data is held so that you can be sure it is fully disposed of
  • Respond to data subject access requests for any personal data you hold
  • Outsource the role of destroying data to automated means, as this is a systematic way of ensuring that data is erased
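As an added illustration (not code from the original post or from Rhyno), here is a small Python retention-schedule check of the kind an automated disposal job would run: a constructed schedule with a collection-date period and an event-based period (the employee-health case above), plus the exceptions the post mentions, legal purposes and archiving/research. All categories, retention periods and sample records are assumptions, and unclassified data is reported for review rather than deleted.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed schedule: category -> (trigger, days). "collected" counts from the
# collection date; "event" counts from a later event such as the day an employee leaves.
SCHEDULE: Dict[str, Tuple[str, int]] = {
    "marketing_profile": ("collected", 365),  # hypothetical period, not advice
    "employee_health": ("event", 0),          # erase as soon as employment ends
}

@dataclass
class Record:
    record_id: str
    category: str
    collected_on: date
    event_on: Optional[date] = None   # retention trigger event, None if not yet occurred
    legal_hold: bool = False          # kept for litigation or a regulator's request
    research_exempt: bool = False     # public-interest archiving or research use

def retention_decision(rec: Record, today: date) -> Tuple[str, str]:
    """Return ("erase" | "retain", reason) so every outcome is auditable."""
    if rec.category not in SCHEDULE:
        # Unclassified data is a review finding, never a silent auto-delete.
        return "retain", "no schedule entry: classify this record"
    if rec.legal_hold:
        return "retain", "legal hold"
    if rec.research_exempt:
        return "retain", "archiving/research exemption"
    trigger, days = SCHEDULE[rec.category]
    if trigger == "event" and rec.event_on is None:
        return "retain", "retention event has not occurred"
    anchor = rec.event_on if trigger == "event" else rec.collected_on
    expires = anchor + timedelta(days=days)
    if today >= expires:
        return "erase", f"expired on {expires.isoformat()}"
    return "retain", f"expires on {expires.isoformat()}"

def run_schedule(records: List[Record], today: date) -> Dict[str, Tuple[str, str]]:
    """Evaluate the whole inventory; the returned mapping is the review's audit record."""
    return {r.record_id: retention_decision(r, today) for r in records}
# Constructed sample inventory covering each decision path.
SAMPLE = [
    Record("p-1", "marketing_profile", date(2023, 1, 10)),
    Record("p-2", "marketing_profile", date(2023, 1, 10), legal_hold=True),
    Record("e-1", "employee_health", date(2020, 5, 1), event_on=date(2024, 4, 30)),
    Record("e-2", "employee_health", date(2021, 2, 1)),
    Record("x-1", "unclassified_export", date(2019, 1, 1)),
]
```

Running `run_schedule(SAMPLE, date(2024, 6, 1))` flags p-1 and e-1 for erasure and keeps the rest with a stated reason, which is the record a reviewer would want alongside the deletion log.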
Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.