When the CNIL investigated KASPR, they found that the company had set storage time for contact data for five years. But every single job change reset the clock. In practice, this meant that data about people who were active in the job market was never deleted.
GDPR Article 5(1)(e) requires that personal data not be stored for longer than necessary for the purpose. Prospecting and sales have a concrete purpose – to make contact. Once contact has been made, or when the person does not respond, the purpose has been fulfilled.
Most B2B businesses have prospect lists and contact databases where old contacts lie untouched for years. CRM systems gather dust. Exported Excel lists float around in email inboxes. No one has defined how long the data should be kept—because no one has thought about it.
Practical point: Log into the CRM and check when the oldest contact was last updated. Do you have contacts you've never engaged with, or who haven't responded in two years? Define a retention period for prospecting lists—and set a reminder to clean them up.
Inspired by: CNIL