General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is the European Union law that governs how organizations collect, process, store, and dispose of the personal data of individuals in the EU, granting those individuals rights over their data.
The General Data Protection Regulation (GDPR) is a comprehensive European Union law that sets rules for handling the personal data of people in the EU, regardless of where the processing organization is located. It is built on principles such as lawful basis for processing, purpose limitation, data minimization, accuracy, and—critically for recordkeeping—storage limitation, which requires that personal data be kept no longer than necessary for the purpose it was collected.
For records managers, GDPR turns retention into a compliance obligation rather than a convenience. Holding personal data past its justified need can itself be a violation, so retention schedules and timely, defensible disposition become legal safeguards. It also grants individuals rights, including access, correction, and erasure (“right to be forgotten”), which a sound file plan and accurate metadata make answerable.
For example, a U.S. organization serving EU customers must be able to locate every record containing an individual’s data, justify why it still exists, and delete it on a valid request—distinct from a litigation hold, which instead pauses disposition to preserve evidence.