Designs GDPR-compliant data retention schedules mapping data categories to retention periods with legal basis justifications, regulatory minimums, and automated review triggers. For retention policy, storage limitation, data lifecycle queries.
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-completeThis skill uses the workspace's default tool permissions.
A data retention schedule is the foundational governance document that specifies how long each category of personal data is retained, the legal basis for that retention period, and the triggers for review or deletion. GDPR Article 5(1)(e) establishes the storage limitation principle: personal data shall be kept in a form which permits identification of data subjects for no longer than is necess...
Conducts multi-round deep research on GitHub repos via API and web searches, generating markdown reports with executive summaries, timelines, metrics, and Mermaid diagrams.
Dynamically discovers and combines enabled skills into cohesive, unexpected delightful experiences like interactive HTML or themed artifacts. Activates on 'surprise me', inspiration, or boredom cues.
Generates images from structured JSON prompts via Python script execution. Supports reference images and aspect ratios for characters, scenes, products, visuals.
A data retention schedule is the foundational governance document that specifies how long each category of personal data is retained, the legal basis for that retention period, and the triggers for review or deletion. GDPR Article 5(1)(e) establishes the storage limitation principle: personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. This skill provides the complete framework for building, maintaining, and enforcing a category-based retention schedule.
Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Article 89(1), subject to implementation of appropriate technical and organisational measures.
Personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.
The controller shall provide the data subject with the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
Where possible, the envisaged time limits for erasure of the different categories of data must be recorded in the Records of Processing Activities.
Identify and categorize all personal data processed by the organization:
| Category ID | Data Category | Example Data Elements | Processing Purpose | Legal Basis (Art. 6) |
|---|---|---|---|---|
| CAT-001 | Employee HR Records | Name, address, NI number, salary, performance reviews | Employment administration | Art. 6(1)(b) Contract + Art. 6(1)(c) Legal obligation |
| CAT-002 | Customer Account Data | Name, email, phone, address, account preferences | Service delivery | Art. 6(1)(b) Contract |
| CAT-003 | Customer Transaction Records | Purchase history, payment details, invoices | Contract performance and legal obligation | Art. 6(1)(b) Contract + Art. 6(1)(c) Legal obligation |
| CAT-004 | Marketing Contact Data | Name, email, consent records, campaign interactions | Direct marketing | Art. 6(1)(a) Consent |
| CAT-005 | Website Analytics | IP address, device data, browsing behaviour, cookies | Website optimization | Art. 6(1)(f) Legitimate interest |
| CAT-006 | Job Applicant Data | CV, cover letter, interview notes, references | Recruitment | Art. 6(1)(b) Pre-contractual steps |
| CAT-007 | CCTV Footage | Video recordings of premises | Security and safety | Art. 6(1)(f) Legitimate interest |
| CAT-008 | Supplier Contact Data | Name, email, phone, company, contract terms | Vendor management | Art. 6(1)(b) Contract |
| CAT-009 | Customer Support Records | Tickets, correspondence, complaint records | Service delivery and quality | Art. 6(1)(b) Contract + Art. 6(1)(f) Legitimate interest |
| CAT-010 | Financial and Tax Records | Accounts, tax filings, audit reports, bank statements | Legal compliance | Art. 6(1)(c) Legal obligation |
For each data category, determine the retention period based on:
The following is the retention schedule for Orion Data Vault Corp:
| Category ID | Data Category | Retention Period | Legal Basis for Retention | Retention Trigger | Review Frequency |
|---|---|---|---|---|---|
| CAT-001 | Employee HR Records | Duration of employment + 6 years | Limitation Act 1980 s.5 (contract); Employment Rights Act 1996 | Employment termination date | Annual |
| CAT-002 | Customer Account Data | Duration of account + 2 years | Contractual necessity; limitation period buffer | Account closure date | Annual |
| CAT-003 | Customer Transaction Records | 6 years from transaction date | HMRC record-keeping; Companies Act 2006 s.386; Limitation Act 1980 | Transaction completion date | Annual |
| CAT-004 | Marketing Contact Data | Until consent withdrawn + 30 days processing | Consent-based; deletion upon withdrawal | Consent withdrawal date or 24 months since last engagement | Biannual |
| CAT-005 | Website Analytics | 26 months from collection | ICO guidance; CNIL recommendation on analytics cookies | Data collection date | Annual |
| CAT-006 | Job Applicant Data | 6 months from recruitment decision (unsuccessful); duration of employment + 6 years (successful) | ICO Employment Practices Code; limitation period for discrimination claims (6 months from decision) | Recruitment decision date | After each recruitment cycle |
| CAT-007 | CCTV Footage | 30 days from recording (standard); up to 6 months if incident flagged | ICO CCTV Code of Practice; proportionality principle | Recording date | Monthly |
| CAT-008 | Supplier Contact Data | Duration of contract + 6 years | Limitation Act 1980; contractual necessity | Contract termination date | Annual |
| CAT-009 | Customer Support Records | 3 years from case closure | Legitimate interest; limitation period for service-related claims | Case closure date | Annual |
| CAT-010 | Financial and Tax Records | 6 years from end of financial year (standard); 20 years (deeds and title documents) | HMRC requirements; Companies Act 2006 s.388; Limitation Act 1980 s.8 | End of relevant financial year | Annual |
For each retention period exceeding the minimum statutory requirement, document the justification:
RETENTION PERIOD JUSTIFICATION — Orion Data Vault Corp
------------------------------------------------------
Category: [CAT-XXX — Category Name]
Proposed Period: [X years from trigger event]
Statutory Minimum: [X years, cite statute]
Proposed Excess: [X additional months/years]
Justification for Excess Period:
1. [Specific business need — e.g., contractual warranty period extends 12 months beyond statutory minimum]
2. [Risk assessment — e.g., historical claims data shows 3% of claims filed in year 5-6]
3. [Regulatory expectation — e.g., FCA expects retention beyond statutory minimum for conduct risk purposes]
Proportionality Assessment:
- Volume of data subjects affected: [number]
- Sensitivity of data: [low/medium/high]
- Risk to data subjects from extended retention: [assessment]
- Mitigating measures: [e.g., access restriction, pseudonymization after statutory minimum]
Approved by: [DPO Name]
Date: [YYYY-MM-DD]
Next Review: [YYYY-MM-DD]
The following events trigger an immediate review of the applicable retention period:
| Review Type | Frequency | Scope | Responsible |
|---|---|---|---|
| Category-level review | As per schedule (see retention matrix) | Individual data category retention period, legal basis, and justification | Data Owner + DPO |
| Full schedule review | Annual (Q1) | Entire retention schedule, all categories, legislative scan | DPO + Legal + IT |
| Regulatory alignment check | Biannual | Cross-reference retention periods against current statutory requirements | Legal Counsel |
| Technical compliance audit | Annual (Q3) | Verify that automated deletion and archiving systems enforce scheduled periods | IT + DPO |
| Requirement | Statutory Period | Source |
|---|---|---|
| Tax records (UK) | 6 years from end of accounting period | HMRC; TMA 1970 s.34 |
| Company accounting records | 6 years from end of financial year | Companies Act 2006 s.388 |
| Employment records (general) | 6 years from termination | Limitation Act 1980 s.5 |
| Payroll records | 6 years from end of tax year | Income Tax (PAYE) Regulations 2003 |
| Health and safety records | 40 years from last entry | COSHH Regulations 2002; Ionising Radiations Regulations 2017 |
| Anti-money laundering records | 5 years from end of business relationship | Money Laundering Regulations 2017 reg.40 |
| Consumer contracts | 6 years from breach | Limitation Act 1980 s.5 |
| Personal injury claims | 3 years from date of knowledge | Limitation Act 1980 s.11 |
| Discrimination claims (employment) | 6 months from act complained of | Equality Act 2010 s.123 |
| CCTV footage | 30 days (ICO guidance) | ICO CCTV Code of Practice |
| Pension records | 6 years from end of scheme year (minimum); 12 years recommended | Pensions Act 2004; Limitation Act 1980 |