Data lifecycle: collection, retention, and destruction

You find a spreadsheet named "clients_2018_final_v3.xlsx" on a network share that nobody dares to delete? That is the classic symptom of a poorly managed lifecycle. Every piece of personal information has a start, a duration, and an end, not an eternity "just in case".

Law 25 principle: collect the minimum necessary, keep only as long as required, then destroy or anonymize at end of life, securely and with documentation.

Collection and quality

Before talking about retention, ask yourself: "Do we really need this field?"

Retention and destruction

Define a duration per type of information. Common SMB examples: invoices 7 years (tax), rejected CVs 6 to 24 months depending on your policy, login logs according to your security needs. At expiry: secure deletion (shredded paper, wiped drives) or irreversible anonymization if you keep statistics.

However, "we keep everything in the cloud" is not a strategy: it is a growing temporary dump.

Three typical SMB cases

Client records

CRM, emails, billing, support tickets. When the relationship ends: archive what must be kept, then destroy on schedule. Remove access for departing employees; a former sales rep who still sees the client portfolio is a red flag.

Employee records

Payroll, discipline, training, accommodations. Retention is often longer (legal and union obligations). Restrict access to the direct manager, HR, and leadership, not the whole company. Details: HR and privacy.

HR applications

CVs and interview notes: short retention if the person is not hired. Do not reuse the file for another role without explicit consent. An "applications" folder that has been growing for ten years is not something the CAI appreciates.

In brief

Document your retention periods in a policy or register; one page is often enough for an SMB. Broader framework: governance and policies. Then align your tools (CRM, HR, shared drives) with what you wrote, not the other way around.

Useful references

This text is for information only and does not constitute legal advice. For a decision that binds your organization, consult the CAI and a legal professional.

Check your website

Several obligations show up on your public site (policy, cookies, privacy officer contact details). Our free technical scan helps spot observable gaps. It complements, but does not replace, your compliance program.