Data lifecycle: collection, retention, and destruction
You find a spreadsheet named "clients_2018_final_v3.xlsx" on a network share that nobody dares to delete? That is the classic symptom of a poorly managed lifecycle. Every piece of personal information has a start, a duration, and an end, not an eternity "just in case".
Law 25 principle: collect the minimum necessary, keep only as long as required, then destroy or anonymize at end of life, securely and with documentation.
Collection and quality
Before talking about retention, ask yourself: "Do we really need this field?"
- Clear purpose: sales, support, payroll; each data point must serve a specific goal, not a vague "maybe someday".
- Lean web forms: date of birth, photo, or secondary phone number; if it is not necessary, remove it. Unnecessary complexity is often the enemy of compliance.
- Accurate data: correct or update when you spot an error; a wrong email address for three years is an operational and legal risk.
Retention and destruction
Define a duration per type of information. Common SMB examples: invoices 7 years (tax), rejected CVs 6 to 24 months depending on your policy, login logs according to your security needs. At expiry: secure deletion (shredded paper, wiped drives) or irreversible anonymization if you keep statistics.
However, "we keep everything in the cloud" is not a strategy: it is a growing temporary dump.
Three typical SMB cases
Client records
CRM, emails, billing, support tickets. When the relationship ends: archive what must be kept, then destroy on schedule. Remove access for departing employees; a former sales rep who still sees the client portfolio is a red flag.
Employee records
Payroll, discipline, training, accommodations. Retention is often longer (legal and union obligations). Restrict access to the direct manager, HR, and leadership, not the whole company. Details: HR and privacy.
HR applications
CVs and interview notes: short retention if the person is not hired. Do not reuse the file for another role without explicit consent. An "applications" folder that has been growing for ten years is not something the CAI appreciates.
In brief
Document your retention periods in a policy or register; one page is often enough for an SMB. Broader framework: governance and policies. Then align your tools (CRM, HR, shared drives) with what you wrote, not the other way around.
Useful references
- CAI, Protection of personal information: proportionality and retention principles.
- Act P-39.1 (private sector): legal framework for the data lifecycle.
- Governance and policies: where to document retention periods.
This text is for information only and does not constitute legal advice. For a decision that binds your organization, consult the CAI and a legal professional.
Check your website
Several obligations show up on your public site (policy, cookies, privacy officer contact details). Our free technical scan helps spot observable gaps. It complements, but does not replace, your compliance program.