The underlying principle of GDPR is that everything which is done with data needs to be done mindfully. This holds true right from the point of collection, through processing and, ultimately, to the decision as to whether or not to retain data and if so under what conditions. This principle is great as a principle, but in practice it can be a whole lot more complicated than it sounds.
Complexity Is The Enemy Of Execution But Done Is Better Than Perfect
Obviously, you want your data-retention strategy to be as good as it can possibly be, but done is better than perfect, at least in the short- to medium-term. In other words, if you at least start the ball rolling, then you can keep improving what you already have until you eventually achieve perfection, or as close to it as you can get.
Digital documents are usually much easier to manage than paper ones. If you still have a whole stack of paper documents on your premises, then now is the time to tackle the paper mountain. Even if you need to keep the paper documents for legal purposes (which is now increasingly rare), you still want digital copies of them, just in case.
These days, however, a legal requirement to keep the paper original is much more likely to be the exception than the rule, which means that digitizing documents will allow you to get rid of the paper ones, which brings all sorts of additional benefits.
Consider Starting By Implementing An Effective Archiving Process
Your IT department probably (hopefully) backs up your data, but essentially all this means is that they take a copy of it as it stands at a specific point in time so that they can restore to that point should the need arise.
Effective archiving containerizes data, indexes and/or tags it, and makes it both searchable and retrievable. In other words, you need a decent archiving system in place so you know what you have and where, which is a prerequisite to knowing how long it has been stored.
Consider Pseudonymizing Data, Especially If You Are Holding It For Longer Periods
Data-protection regulations apply to personal data. This means that, in principle, you can ignore them if you have fully anonymized any data that you keep, although in practice it can be quite a challenge to anonymize data to the extent needed to keep technology and privacy regulators happy.
Pseudonymized data is still considered personal data, and hence all the standard rules continue to apply. However, the risks involved in keeping it are substantially reduced: a breach is less likely to expose identifiable individuals, and if one does occur you may have less of a regulatory and reputational problem to manage.
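As an added illustration of the point above (example code, not from the original article): identifying fields are replaced with keyed tokens, while the key and the re-identification table are held apart from the archived records. The field names and sample records are constructed for the example; any secret-management details are assumed.

```python
import hmac
import hashlib
from typing import Dict, List, Tuple

# Constructed sample records (not real people). The identifying fields are the
# ones a retained dataset rarely needs for analysis but which expose a subject
# if the archive is breached.
SAMPLE_RECORDS = [
    {"email": "a.smith@example.com", "customer_id": "C-1001", "spend": 120.50},
    {"email": "b.jones@example.com", "customer_id": "C-1002", "spend": 75.00},
    {"email": "a.smith@example.com", "customer_id": "C-1001", "spend": 30.25},
]
IDENTIFYING_FIELDS = ("email", "customer_id")


def make_token(key: bytes, field: str, value: str) -> str:
    # Keyed hash: the same value always maps to the same token, so joins and
    # per-customer analysis still work on the archive, but without the key an
    # attacker cannot test guessed emails or ids against the tokens.
    msg = f"{field}\x00{value}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def pseudonymize(records: List[dict], key: bytes) -> Tuple[List[dict], Dict[str, str]]:
    """Return (pseudonymized records, re-identification table).

    The table maps token -> original value. It MUST be stored separately from
    the records, together with the key. Whoever holds both can re-identify the
    subjects, which is why the result is still personal data under GDPR.
    """
    lookup: Dict[str, str] = {}
    out: List[dict] = []
    for rec in records:
        new = dict(rec)
        for field in IDENTIFYING_FIELDS:
            tok = make_token(key, field, rec[field])
            lookup[tok] = rec[field]
            new[field] = tok
        out.append(new)
    return out, lookup


def reidentify(record: dict, lookup: Dict[str, str]) -> dict:
    # Reverse the substitution using the separately held table.
    return {k: (lookup.get(v, v) if k in IDENTIFYING_FIELDS else v)
            for k, v in record.items()}
```

Rotating the key (or deleting it and the table) turns the archive into effectively anonymous data, which is the natural end state of a retention schedule.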
Remember That A Data Regulator Will Probably Appreciate Evidence Of Reasonable Thought
The role of a data-protection regulator is to make sure data guardians take their responsibilities seriously. If you can demonstrate that you have put thought into your data-retention strategy, then you increase your chances of being shown leniency in the event of a breach. This is true even if the data regulator ultimately decides that you should not have acted in the way you did.