Conducts retention impact assessments for new data processing activities to determine GDPR-compliant retention periods via regulatory scanning, proportionality review, and purpose-based analysis.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-completeThis skill uses the workspace's default tool permissions.
A Retention Impact Assessment (RIA) is a structured evaluation conducted before commencing new processing activities (or significantly changing existing ones) to determine the appropriate retention period for personal data. The RIA ensures that retention periods are set proactively — by design — rather than retroactively after data has accumulated without defined limits. Under GDPR Article 25, ...
Conducts multi-round deep research on GitHub repos via API and web searches, generating markdown reports with executive summaries, timelines, metrics, and Mermaid diagrams.
Dynamically discovers and combines enabled skills into cohesive, unexpected delightful experiences like interactive HTML or themed artifacts. Activates on 'surprise me', inspiration, or boredom cues.
Generates images from structured JSON prompts via Python script execution. Supports reference images and aspect ratios for characters, scenes, products, visuals.
A Retention Impact Assessment (RIA) is a structured evaluation conducted before commencing new processing activities (or significantly changing existing ones) to determine the appropriate retention period for personal data. The RIA ensures that retention periods are set proactively — by design — rather than retroactively after data has accumulated without defined limits. Under GDPR Article 25, data protection by design requires that storage limitation is considered at the design stage of any processing activity. This skill provides the assessment methodology, regulatory scanning framework, proportionality analysis, and documentation template for determining and justifying retention periods.
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
The controller shall implement appropriate technical and organisational measures designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing. This includes proactive determination of retention periods before processing begins.
Where a Data Protection Impact Assessment is required, it must include the envisaged processing operations and the purposes, including where applicable the legitimate interest pursued (Art. 35(7)(a)), and an assessment of the necessity and proportionality of the processing operations (Art. 35(7)(b)). Retention period determination is a core element of the necessity and proportionality assessment.
Data subjects must be informed of the period for which personal data will be stored, or the criteria used to determine that period. The RIA produces this information.
| Trigger | Description |
|---|---|
| New processing activity | Any new processing activity involving personal data that is not covered by an existing retention schedule entry |
| New system/application | Deployment of a new system, application, or database that will store personal data |
| Significant change to existing processing | Change in purpose, scope, data categories, or technology that materially affects the retention profile |
| New legal/regulatory requirement | New legislation or regulatory guidance that introduces or modifies retention requirements |
| Post-breach recommendation | Following a data breach where excessive retention was identified as a contributing factor |
| DPIA finding | Where a DPIA identifies retention period determination as an outstanding action |
| Vendor/processor change | Onboarding a new processor or service provider that will store personal data on behalf of the organization |
RETENTION IMPACT ASSESSMENT — Orion Data Vault Corp
-----------------------------------------------------
Assessment Reference: RIA-2026-0019
Date: 2026-03-14
Assessor: [Name, Title]
DPO Review: [Name]
SECTION 1: PROCESSING ACTIVITY
- Name of processing activity: [Description]
- Business owner: [Name, Department]
- Purpose(s) of processing: [List all purposes]
- Legal basis for processing: [Art. 6(1)(a)-(f)]
- Data subjects: [Categories — e.g., customers, employees, job applicants]
- Data categories: [List all personal data elements]
- Special category data: [Yes/No — if yes, specify Art. 9 condition]
- Estimated data volume: [Records per year / total expected volume]
- Data sources: [Collected directly from data subject / obtained from third party]
- Data recipients: [Internal departments, processors, third parties]
- International transfers: [Yes/No — if yes, specify destination countries]
Systematically identify all legal and regulatory requirements that mandate minimum retention:
| Regulatory Domain | Applicable? | Statute/Regulation | Minimum Period | Notes |
|---|---|---|---|---|
| Tax and fiscal | □ | HMRC requirements; TMA 1970 | 6 years | Applies to financial transaction data |
| Company law | □ | Companies Act 2006 | 6 years | Applies to accounting records |
| Employment law | □ | Employment Rights Act 1996; Working Time Regulations 1998 | Varies (2-6 years) | Applies to employee data |
| Health and safety | □ | COSHH 2002; Ionising Radiations Regs 2017 | Up to 40 years | Applies to health monitoring records |
| Financial services | □ | MiFID II; FCA Handbook | 5-7 years | Applies to investment client records |
| AML/CTF | □ | MLR 2017; AMLD5 | 5 years | Applies to CDD and transaction monitoring |
| Sector-specific | □ | [Identify applicable sector regulations] | Varies | Varies |
| Contractual | □ | Contract terms with clients/partners | Per contract | Review contract clauses |
| Limitation periods | □ | Limitation Act 1980 | 3-12 years | Contract (6y), tort (3y), deed (12y) |
| Data protection | □ | GDPR; UK DPA 2018 | Storage limitation — no longer than necessary | Default principle |
| Jurisdiction | Applicable Law | Retention Requirement | Conflict with Primary? |
|---|---|---|---|
| UK | [Applicable UK statutes] | [Period] | N/A (primary jurisdiction) |
| EU Member State(s) | [Applicable EU/MS law] | [Period] | [Yes/No — resolve by applying longest] |
| US (if applicable) | [SOX, CCPA, state law] | [Period] | [Yes/No — resolve] |
| Other | [Specify] | [Period] | [Yes/No — resolve] |
For each processing purpose, determine the retention period independently:
PURPOSE-BASED RETENTION ANALYSIS
---------------------------------
Purpose 1: [Primary processing purpose]
- Legal basis: [Art. 6(1)(x)]
- Data categories needed: [List]
- Duration of purpose: [How long does this purpose persist?]
- Retention period for this purpose: [Duration]
- Justification: [Why this period is necessary and proportionate]
Purpose 2: [Secondary processing purpose — if any]
- Legal basis: [Art. 6(1)(x)]
- Data categories needed: [List — should be subset of or equal to Purpose 1]
- Duration of purpose: [How long does this purpose persist?]
- Retention period for this purpose: [Duration]
- Justification: [Why this period is necessary and proportionate]
Statutory Override (if applicable):
- Statute: [Citation]
- Mandatory minimum: [Period]
- This overrides Purpose [X] period: [Yes/No]
RESULTING RETENTION PERIOD: [The longest justified period across all purposes
and statutory requirements, but no longer than the maximum necessary period]
The proportionality assessment ensures the retention period is no longer than necessary:
PROPORTIONALITY ASSESSMENT
----------------------------
1. NECESSITY
- Is the proposed retention period the minimum necessary to achieve
the stated purpose(s)? [Yes/No — justify]
- Could the purpose be achieved with a shorter retention period?
[Yes/No — justify]
- Could the purpose be achieved with anonymized or aggregated data
after a shorter period of identifiable retention? [Yes/No — justify]
2. DATA MINIMIZATION OVER TIME
- Can some data elements be deleted or anonymized before the full
retention period expires? [Yes/No — if yes, specify staged deletion]
- Example: Full data retained for 12 months for service delivery;
anonymized to aggregate statistics at 12 months; aggregates retained
for 3 years for trend analysis.
3. ACCESS RESTRICTION OVER TIME
- Should access be progressively restricted as the data ages?
- Example: Active access for first 12 months; restricted to compliance
team only for months 13-72; automated deletion at month 72.
4. RISK TO DATA SUBJECTS
- What is the risk to data subjects from the proposed retention?
[Low/Medium/High — justify]
- Does longer retention increase breach impact? [Yes/No]
- Are there specific data subject groups requiring heightened protection?
(e.g., children, vulnerable individuals)
5. ALTERNATIVES TO RETENTION
- Has anonymization been considered as an alternative? [Yes/No — outcome]
- Has pseudonymization been considered to reduce risk during retention?
[Yes/No — outcome]
- Has data aggregation been considered? [Yes/No — outcome]
PROPORTIONALITY CONCLUSION:
The proposed retention period of [X] is / is not proportionate because:
[Detailed justification — 2-3 paragraphs]
RETENTION PERIOD RECOMMENDATION
---------------------------------
Data Category: [Description]
Processing Activity: [Name]
RECOMMENDED RETENTION STRUCTURE:
┌──────────────────────┬─────────────────────┬──────────────────────────────┐
│ Phase │ Duration │ Data State │
├──────────────────────┼─────────────────────┼──────────────────────────────┤
│ Active processing │ [Duration] │ Full data, full access │
│ Passive retention │ [Duration] │ Full data, restricted access │
│ Reduced retention │ [Duration] │ Minimized data, restricted │
│ Anonymized retention │ [Duration/indefinite]│ Anonymized, no restrictions │
│ Deletion │ At end of above │ Permanent deletion │
└──────────────────────┴─────────────────────┴──────────────────────────────┘
Total identifiable retention period: [Sum of active + passive + reduced]
Retention trigger: [Event that starts the retention clock]
Deletion method: [Automated / Manual / Anonymization]
JUSTIFICATION SUMMARY:
[Concise summary of legal basis, statutory requirements, purpose analysis,
and proportionality conclusion supporting this recommendation]
APPROVED BY:
- Business Owner: [Name] — Date: [YYYY-MM-DD]
- DPO: [Name] — Date: [YYYY-MM-DD]
- Legal (if statutory retention involved): [Name] — Date: [YYYY-MM-DD]
After the RIA is approved, the following implementation steps must be completed:
| Step | Action | Responsible | Deadline |
|---|---|---|---|
| 1 | Add data category to retention schedule with approved period | DPO | Within 14 days of approval |
| 2 | Configure automated deletion rules in relevant systems | IT | Before processing commences |
| 3 | Update Records of Processing Activities (ROPA) with retention period | DPO | Within 14 days of approval |
| 4 | Update privacy notice to include retention period information | DPO / Marketing | Before processing commences |
| 5 | Configure access restrictions per phased retention structure | IT / Security | Before processing commences |
| 6 | Update service provider/processor agreements if applicable | Legal / Procurement | Before processing commences |
| 7 | Schedule first retention period review | DPO | Set for 12 months after processing starts |
| 8 | Brief data owners and relevant staff on retention requirements | DPO / Training | Before processing commences |
| Trigger | Action |
|---|---|
| Annual review date | Reassess all RIA assumptions — purpose still valid, regulatory landscape unchanged |
| Legislative change | Reassess statutory retention requirements |
| Processing change | Full RIA update if purpose, scope, or data categories change materially |
| Breach involving this data | Assess whether retention period contributed to breach scope; consider reduction |
| Data subject complaint | Review retention period proportionality in light of complaint |
| Technology change | Assess whether new technology enables shorter retention or better anonymization |
Orion Data Vault Corp maintains a register of all completed Retention Impact Assessments:
RIA REGISTER — Orion Data Vault Corp (Extract)
┌──────────────┬──────────────────────────┬────────────┬───────────────┬──────────────┬─────────────┐
│ RIA Ref │ Processing Activity │ Date │ Retention │ Status │ Next Review │
│ │ │ Completed │ Period │ │ │
├──────────────┼──────────────────────────┼────────────┼───────────────┼──────────────┼─────────────┤
│ RIA-2025-012 │ Customer loyalty program │ 2025-06-15 │ Membership + │ Active │ 2026-06-15 │
│ │ │ │ 2 years │ │ │
├──────────────┼──────────────────────────┼────────────┼───────────────┼──────────────┼─────────────┤
│ RIA-2025-018 │ Employee wellbeing survey │ 2025-09-01 │ 12 months │ Active │ 2026-09-01 │
│ │ │ │ (anonymize │ │ │
│ │ │ │ at 3 months) │ │ │
├──────────────┼──────────────────────────┼────────────┼───────────────┼──────────────┼─────────────┤
│ RIA-2026-019 │ Vendor loyalty programme │ 2026-03-14 │ 24 months │ In progress │ 2028-03-14 │
│ │ analytics │ │ (review at │ │ │
│ │ │ │ 12 months) │ │ │
└──────────────┴──────────────────────────┴────────────┴───────────────┴──────────────┴─────────────┘