10) Does your organisation have a Records Retention Policy?
GDPR Records Retention Policy
Written by Haydn Brooks
Created on March 18, 2019
Modified on October 12, 2020

Answer yes if your organisation has a Records Retention Policy that has been reviewed in the last year. Please upload your Records Retention Policy (as a PDF file) as evidence.

A Records Retention Policy is a policy that defines how long data items must be kept and provides disposal guidelines for how data items should be discarded. This is important to ensure that data is only kept for as long as the business needs to keep it and to ensure it is disposed of correctly.

The Records Retention Policy may be included as a section in your Data Privacy Policy or Information Security Policy.


Risk Ledger have included a Records Retention Policy within its template Information Security Policy. The template can be taken and adapted to suit your organisation.

The template policy for a small organisation can be requested at info@riskledger.com.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.