retention-impact-assess
Retention Impact Assessment
Overview
A Retention Impact Assessment (RIA) is a structured evaluation conducted before commencing new processing activities (or significantly changing existing ones) to determine the appropriate retention period for personal data. The RIA ensures that retention periods are set proactively — by design — rather than retroactively after data has accumulated without defined limits. Under GDPR Article 25, data protection by design requires that storage limitation is considered at the design stage of any processing activity. This skill provides the assessment methodology, regulatory scanning framework, proportionality analysis, and documentation template for determining and justifying retention periods.
Legal Foundation
GDPR Article 5(1)(e) — Storage Limitation
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
GDPR Article 25 — Data Protection by Design and by Default
The controller shall implement appropriate technical and organisational measures designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing. This includes proactive determination of retention periods before processing begins.
GDPR Article 35(7)(d) — DPIA Content
Where a Data Protection Impact Assessment is required, it must include a description of the envisaged processing operations and the purposes of the processing, including where applicable the legitimate interest pursued (Art. 35(7)(a)), and an assessment of the necessity and proportionality of the processing operations (Art. 35(7)(b)). Retention period determination is a core element of the necessity and proportionality assessment.