
That 'Just in Case' Email Can Cost You €20 Million

2026-02-24 · Blazo Sokic
The trap most companies fall into

Client leaves. Contract ends. Account closed.

But you keep the data. Not because you are required to. Not because the law says so. Because deleting feels risky. What if you need it later? What if they come back? What if it turns out to be useful?

This reasoning feels sensible. Under GDPR, it is a legal problem.

What GDPR actually says about retention

Under GDPR, you are allowed to keep personal data only for a specific, documented purpose and for a defined period of time. Once that purpose is gone, your legal basis for processing is gone with it.

There is no "just in case" clause in the regulation. There is no provision that allows indefinite storage because something might be useful later.

If you cannot clearly explain:

  • why you still hold that data
  • what the legal basis is for holding it
  • how long you are permitted to keep it

Then you are not being cautious. You are being exposed.

When it becomes a problem

Regulators do not wait for a deliberate breach to act. A routine audit, a subject access request, or a data incident can trigger scrutiny of your retention practices.

When that happens, the question is simple: "Why did you still have it?"

"It might have been useful" is not a compliant answer. "We forgot to delete it" is not a compliant answer. "The client might come back" is not a compliant answer.

The only acceptable answer is a documented retention schedule with a clear legal basis for every category of data you hold.

What a compliant retention policy looks like

A proper data retention policy does not need to be complicated. It needs to be:

  • Documented. Written down, not just understood internally.
  • Specific. Different data categories have different retention periods.
  • Justified. Each period tied to a legal basis: contract, legal obligation, legitimate interest, or consent.
  • Enforced. Data is actually deleted when the period expires, not just scheduled for deletion.

Common categories to cover: client records, prospect data, employee records, supplier contacts, and marketing lists.

The actual cost of getting this wrong

A proper retention policy costs a few hours of work to build and a recurring process to maintain.

A GDPR fine for unlawful data retention can reach €20 million or 4% of global annual turnover, whichever is higher. That figure does not include the cost of an investigation, legal fees, or the reputational damage that follows a public ruling.

A practical checklist

  • Map every category of personal data your company holds
  • Document the legal basis and retention period for each category
  • Set up a deletion or anonymisation process triggered by period expiry
  • Review the retention schedule at least once per year
  • Train anyone who handles personal data on why this matters
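As an added example (not code from this post or its author), here is a small Python enforcement step for the retention policy and checklist described above: every record is checked against a documented category, legal basis and period, expired records are actually deleted or anonymised rather than merely scheduled, and anything with no documented basis is flagged for review instead of being silently kept. The schedule, periods and sample records are constructed placeholders, not legal guidance.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
# Constructed schedule: category -> (legal basis, retention days, action on expiry); placeholder periods.
SCHEDULE = {
    "client_record":    ("contract",            6 * 365, "delete"),
    "prospect_data":    ("legitimate_interest", 365,     "delete"),
    "supplier_contact": ("contract",            3 * 365, "anonymise"),
}

@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    subject: str         # the personal data itself; blanked on anonymisation
    purpose_ended: date  # contract end, account closure, last marketing contact

def assess(rec, today):
    """Answer 'why do you still have it?' for one record: (action, justification)."""
    entry = SCHEDULE.get(rec.category)
    if entry is None:
        return "unjustified", f"no documented basis or period for {rec.category!r}"
    basis, days, expiry_action = entry
    expires = rec.purpose_ended + timedelta(days=days)
    if today < expires:
        return "retain", f"{basis}; permitted until {expires.isoformat()}"
    return expiry_action, f"{basis} period of {days} days ended {expires.isoformat()}"

def enforce(records, today):
    """Apply the schedule; expired 'delete' records are dropped. Returns (kept, needs_review, audit)."""
    kept, needs_review, audit = [], [], []
    for rec in records:
        action, why = assess(rec, today)
        audit.append((rec.record_id, action, why))
        if action == "retain":
            kept.append(rec)
        elif action == "anonymise":
            kept.append(replace(rec, subject="[anonymised]"))
        elif action == "unjustified":
            needs_review.append(rec)  # 'just in case' data: document a basis or delete it
    return kept, needs_review, audit

def run_demo(today=date(2026, 2, 24)):
    """Constructed sample records covering every outcome."""
    records = [
        Record("r1", "client_record", "a.client@example.com", date(2021, 1, 1)),
        Record("r2", "prospect_data", "lead@example.net", date(2024, 6, 1)),
        Record("r3", "supplier_contact", "J. Supplier", date(2022, 1, 15)),
        Record("r4", "old_export", "unknown@example.org", date(2019, 3, 3)),
    ]
    return enforce(records, today)
```

The audit list is the evidence a regulator asks for: one justification per record, including the ones that were removed.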

The short version

Keep only what you can justify. For as long as you can justify it. Document both.

The cost of doing this properly is small. The cost of not doing it is not.