Data retention and deletion for sourced data

Sourced data does not live forever. Licences expire, the GDPR limits storage, and holding data too long is both risk and cost. This guide covers retention and deletion for externally sourced data.

Two forces set retention

For external data, retention is driven by two things: the licence, which may permit use only for a period, and data-protection law, which requires personal data not to be kept longer than necessary. Both must be respected.

Licence-driven limits

Many data licences are time-bound or restrict how long derivatives may be kept after expiry. Tracking these terms per dataset is essential to avoid using data you no longer have rights to.

GDPR storage limitation

For personal data, the storage-limitation principle requires defined retention periods tied to the purpose, after which data should be deleted or anonymised. Indefinite retention is not lawful.

Building it into supply

Good practice attaches retention rules to each dataset as metadata, automates review and deletion, and keeps evidence of disposal. Anonymisation can be an alternative to deletion where data must be retained for analytics.

Why it matters commercially

Beyond compliance, disciplined retention reduces storage cost and breach exposure: data you do not hold cannot be breached or misused.

In a managed model

A managed partner can track licence terms and retention obligations per dataset and build deletion or anonymisation into the lifecycle.

Sources & further reading

• EUR-Lex: Regulation (EU) 2016/679 (GDPR), storage limitation.
• National data protection authorities: retention guidance.
• DAMA-DMBOK: data lifecycle management.
• Internal practice: DataSupplier lifecycle controls.