In this blog, we explore how organisations can manage CRM data retention responsibly and compliantly under the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679). Data retention refers to the period for which records are kept and when they should be destroyed; under the GDPR it is a key element of the storage limitation principle, which states that personal data must not be kept for longer than necessary for the purposes for which they are processed.
Customer Relationship Management (CRM) data is a goldmine for powering sales and marketing. But with every new contact or campaign, the risk of non-compliance with data protection laws (such as the GDPR) increases. If data retention processes are not effectively managed, CRM systems can quickly become a liability. From over-retaining customer data to relying on legacy systems or navigating conflicting legal requirements across jurisdictions, many businesses struggle to implement effective retention schedules that meet both operational needs and regulatory requirements.
Drawing on the discussions in our recent webinar, LET IT GO: CRM Data Retention and GDPR Compliance, we explain here how to balance legal obligations with commercial goals and offer practical guidance on building a data retention policy that supports both.
With real-world insights from Paul Griffiths (DPO at The DPO Centre), Wanne Pemmelaar (CEO and Founder of filerskeepers), and Agnes Marti-Voltas (Customer Success Manager at HubSpot), we explore:
It’s not about how much data you hold – it’s about how well that data serves your business. A healthy CRM prioritises quality over quantity: it contains up-to-date, accurate, and purposeful information that supports effective sales, marketing, and customer engagement without introducing unnecessary risk. That means regularly auditing systems, clearly recording lawful bases for processing, and removing outdated or irrelevant entries.
If information no longer provides a clear benefit, it may be time to consider whether it still needs to be retained.
Agnes Marti-Voltas, HubSpot: ‘A healthy CRM is not just about what’s stored — it’s about relevance, accuracy and transparency. You need to track legal basis, audit access, and regularly cleanse the system to stay GDPR compliant.’
Wanne Pemmelaar, filerskeepers: ‘Data quality is essential in order to grow your business and maintain healthy relationships with your customers.’
When it comes to letting go, many organisations struggle with the same fundamental issue: they want to keep everything. Whether it’s out of habit, uncertainty about legal requirements, or fear of losing something valuable, this ‘just in case’ mindset leads to bloated CRMs and mounting compliance risks.
Common examples of over-retention include:
Wanne Pemmelaar, filerskeepers: ‘Companies struggle because they don’t know the law, or they find it overwhelming and conflicting across jurisdictions. Then there’s the practical problem of implementing rules in a complex IT environment where every system has different capabilities.’
Agnes Marti-Voltas, HubSpot: ‘The number one culprit is contact data without properly documented consent — especially when migrating from another CRM. Other common clutter includes old communication histories, stored documents, and closed tickets from years ago.’
Determining what to keep and what to let go of often comes down to understanding value and risk. Data that no longer serves a legitimate business purpose, is inaccurate, or lacks a lawful basis should be deleted.
One helpful step is to define what constitutes a lapsed customer and a lost lead.
A lapsed customer might be someone who has previously used your services but hasn’t engaged for a defined period of time, while a lost lead could refer to a prospect who hasn’t responded to follow-up. The appropriate timeframes will vary depending on whether your organisation operates B2B or B2C, but the principle remains the same: there comes a point at which it is no longer reasonable or necessary to retain personal data.
Keep the data, lose the personal details
It’s also important to remember that the GDPR applies to personal data. For example, you may need to retain a record of sales or commercial conversations with a particular company, but you don’t need to keep the name of the specific individual you spoke to, especially not indefinitely.
Paul Griffiths, The DPO Centre:
‘It’s important to define what is a valid and active customer and at what point somebody has become a lapsed customer and therefore holds no value to you as a business anymore. If the only thing someone has done is open an email over the last five years, can you really justify them as an active contact? I’d far rather be in a position where we can’t answer a question because something was deleted a little early, than have to explain to a regulator why we’re still sitting on 25 years’ worth of information.’
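The two steps described above (defining when a customer has lapsed or a lead is lost, then keeping the commercial record while dropping the individual's details) can be expressed as a small retention pass over CRM records. The code below is an added example written for this article; it is not code from the original post, The DPO Centre, filerskeepers or HubSpot. The thresholds, the `Contact` fields, the action names and the sample records are all assumptions constructed to illustrate the policy.

```python
"""Retention pass over CRM contact records (added example, not from the original post).

Rules implemented, following the article:
- a record with no documented lawful basis is deleted;
- a customer with no engagement for LAPSED_AFTER is a lapsed customer: the company
  and deal history are kept, the person's name and email are removed;
- a prospect with no response for LOST_LEAD_AFTER is a lost lead and is deleted.
Thresholds, field names and sample data are assumptions for the example.
"""
from dataclasses import dataclass, field, replace
from datetime import date, timedelta
from typing import Optional

# Assumed thresholds; a B2C organisation would normally choose shorter periods.
LAPSED_AFTER = timedelta(days=730)     # customer with no engagement for two years
LOST_LEAD_AFTER = timedelta(days=180)  # lead with no response to follow-up for six months


@dataclass
class Contact:
    contact_id: str
    company: str
    is_customer: bool
    name: Optional[str] = None
    email: Optional[str] = None
    last_engagement: Optional[date] = None  # last reply, meeting or purchase; an email open does not count
    lawful_basis: Optional[str] = None      # e.g. "contract", "consent", "legitimate_interest"
    deal_history: list = field(default_factory=list)


def classify(contact: Contact, today: date) -> str:
    """Decide what to do with one record: 'keep', 'pseudonymise' or 'delete'."""
    # No documented lawful basis: nothing justifies holding the record at all.
    if contact.lawful_basis is None:
        return "delete"
    if contact.is_customer:
        # Lapsed customer: retain the commercial record, drop the individual's details.
        if contact.last_engagement is None or today - contact.last_engagement > LAPSED_AFTER:
            return "pseudonymise"
        return "keep"
    # Prospect who never responded within the window: a lost lead, nothing worth retaining.
    if contact.last_engagement is None or today - contact.last_engagement > LOST_LEAD_AFTER:
        return "delete"
    return "keep"


def pseudonymise(contact: Contact) -> Contact:
    """Strip the fields that identify a person; company and deal history remain."""
    return replace(contact, name=None, email=None)


def apply_retention(contacts, today):
    """Run the policy over a list of records.

    Returns (retained_records, deleted_ids, decision_log). The log records every
    decision so the organisation can show why each record was kept or removed.
    """
    retained, deleted, log = [], [], []
    for c in contacts:
        action = classify(c, today)
        log.append((c.contact_id, action))
        if action == "delete":
            deleted.append(c.contact_id)
        elif action == "pseudonymise":
            retained.append(pseudonymise(c))
        else:
            retained.append(c)
    return retained, deleted, log


# Constructed sample records for the example (not real data).
TODAY = date(2025, 6, 1)
SAMPLE_CONTACTS = [
    Contact("c1", "Acme Ltd", True, "A. Person", "a@acme.example", date(2025, 5, 20), "contract", ["deal-101"]),
    Contact("c2", "Globex", True, "B. Person", "b@globex.example", date(2022, 1, 15), "contract", ["deal-77"]),
    Contact("c3", "Initech", False, "C. Person", "c@initech.example", date(2025, 4, 1), None),
    Contact("c4", "Umbrella", False, "D. Person", "d@umbrella.example", date(2025, 3, 10), "legitimate_interest"),
    Contact("c5", "Hooli", False, "E. Person", "e@hooli.example", date(2024, 9, 1), "consent"),
]

if __name__ == "__main__":
    kept, removed, decisions = apply_retention(SAMPLE_CONTACTS, TODAY)
    for contact_id, action in decisions:
        print(f"{contact_id}: {action}")
    print("retained:", [(c.contact_id, c.name, c.company) for c in kept])
    print("deleted:", removed)
```

With the sample data, the active customer and the recent lead are kept unchanged, the customer last seen in 2022 survives only as a company plus deal history, and the two leads (one with no lawful basis recorded, one silent for nine months) are deleted. The decision log is the artefact a DPO would keep: it shows the basis for every outcome without re-identifying anyone who has been removed.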
Retention policies should be shaped by a cross-functional team. Sales, marketing, and senior leaders all bring different perspectives on what data holds business value, how long it should be retained, and the risks of deletion. Involving a broad group ensures that decisions are both commercially informed and legally defensible. However, this balance isn’t always easy to achieve.
Paul Griffiths, The DPO Centre:
‘It’s about collaboration — justifying what you need, why you need it, and how long you genuinely need to keep it for.’
Wanne Pemmelaar, filerskeepers:
‘It’s not just about what the law allows, it’s about what makes sense for your business. If you want to retain data for 10 years, you need to prove that necessity. That means building a business case, showing the data’s long-term value, and being ready to explain those choices to a regulator.’
While the responsibility for data retention lies with the organisation, CRM providers can help by building tools that support transparency, consent tracking, and multi-jurisdictional compliance.
As data processors (third parties processing personal data on behalf of a data controller), vendors must also be able to act on their clients’ instructions, including deleting data when requested. At a minimum, organisations should ensure their chosen provider offers functionality to delete records on demand.
Vendors are becoming more attuned to these needs but there is still room for improvement. When choosing a CRM, businesses should prioritise platforms that offer flexible data management features, such as on-demand deletion, configurable retention settings, and clear GDPR support to ensure your system can adapt to evolving compliance requirements.
Agnes Marti-Voltas, HubSpot: ‘CRM providers should empower customers to manage compliance, not just store data. That means building in tools for transparency and consent, and providing education and resources.’
Wanne Pemmelaar, filerskeepers: ‘Retention and deletion are often afterthoughts in system design. We need platforms that can adapt to different countries’ rules and update automatically as laws evolve.’
AI and machine learning can help organisations efficiently manage large volumes of CRM data. These tools can flag redundant or outdated records, suggest appropriate retention periods based on data usage and context, and automate the deletion of data that no longer meets defined criteria.
However, AI is a highly regulated area with its own specific rules. When AI is used to process personal data, organisations must:
Wanne Pemmelaar, filerskeepers: ‘AI can bring structure to any type of information — not just identifying the data but understanding its context. That matters when different uses have different retention obligations.’
Agnes Marti-Voltas, HubSpot: ‘AI is revolutionising how we manage CRM data, reducing manual workloads and enabling more frequent compliance checks. Automation gives organisations the tools to stay on top of GDPR without having to oversee every process manually.’
CRM data retention shouldn’t be viewed as simply a compliance exercise. It is a vital part of running a secure, efficient, and customer-focused business. Without a clear, enforceable data retention policy, CRM systems can quickly become overloaded with outdated or inaccurate information. This not only undermines data quality but also increases the risk of data breaches, regulatory non-compliance, and poor customer experience. The goal is to strike a balance between legal obligations and commercial objectives, which requires collaboration across teams, clear ownership, and consistent, well-informed decision-making.
Whether addressing legacy systems, implementing automation, or refining existing processes, effective data retention requires a coordinated approach — and a willingness to let go of what no longer serves a clear purpose.
The DPO Centre has extensive experience helping organisations implement effective data retention policies that align with both GDPR obligations and business objectives. Get in touch with our team for expert support tailored to your CRM and operational needs.