Audit Analytics vs. Data Hoarding: Why Clinging to Personal Data for 7 Years Could Cost You
- May 30, 2025
- Neil Macdonald
- 11:15 am
Introduction
In an era where data is the new oil, internal audit functions are increasingly leveraging analytics to derive insights, detect anomalies, and assess controls with unprecedented precision. However, this data-driven audit revolution has created a parallel challenge: managing the retention of personal data in compliance with data protection laws.
Many audit teams continue to default to a seven-year data retention period, a legacy practice often justified by vague notions of legal necessity or audit convenience. But under modern data protection frameworks like the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018, this blanket approach may not only be outdated—it could be unlawful.
The Regulatory Landscape
Both GDPR and its UK counterpart are clear on one principle: personal data must not be kept for longer than is necessary for the purposes for which it was collected (Article 5(1)(e) GDPR). There is no statutory seven-year rule for retaining personal data used in audit analytics, except where specific legal or regulatory requirements apply (e.g., tax or financial reporting obligations).
In many cases, audit data sets contain sensitive information about employees, customers, or suppliers. Holding onto such data without a clear and documented justification exposes organisations to significant risks, including regulatory scrutiny, reputational damage, and potential fines.
Audit Analytics: Precision Tools, Not Data Vaults
Audit analytics thrive on relevance, not volume. The utility of data diminishes over time, particularly in dynamic operational environments. Old data sets may skew risk assessments, dilute anomaly detection, or worse, provide false assurance.
Smart audit teams understand that quality trumps quantity. They implement data minimization practices and develop analytics models that use only the data necessary to fulfil the audit objective. Retention policies should follow suit.
Consider this. When was the last time that you were asked to provide some data that was used in an audit? And how long after the issuance of the final report was the request made?
Without knowing you or your organisation, I would suggest that even if you have been asked for the data used in an audit after the issuance of the final report, the request for this data would have been made within a few weeks of the report issue – not years.
So what can we do to prevent this?
To align with data protection laws, internal audit functions must:
- Define clear retention periods based on audit objectives, legal requirements, and risk appetite. I always apply my “Daily Mail” headline test – if it became public knowledge, how long could we justify holding “that” piece of data for?
- Conduct data mapping to identify personal data elements within audit datasets. How are your analytics structured? Where is the team able to save data? Are they able to save data to their laptop “C” drives?
- Establish purging mechanisms to securely delete personal data once it’s no longer needed. It’s all very well having an approach, but who in the team is going to delete the data? If you select the auditor who did the audit, what happens if they leave? When are they going to do it? Are they allocated time in the audit plan for this activity?
- Document justifications for data retention, particularly where data is held beyond the norm. There will always be exceptions, like investigations, so factor these in.
- Engage with DPOs and legal teams to ensure audit retention policies reflect broader data governance strategies. But ask for justification if you are told 7 years! Not everyone in these teams understands what internal audit does or the type of data that we hold!
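The list above describes the retention process in policy terms. As an added example that is not part of the original post, the Python below applies those rules to a constructed inventory of audit datasets: personal data is purged a fixed period after the final report is issued, kept beyond that only under a documented and dated exception (such as an investigation), and flagged wherever a copy sits outside the approved stores. The retention period, the store names and the dataset records are assumptions, not values from the post.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy values; replace with your own documented retention schedule.
DEFAULT_RETENTION_DAYS = 90                      # days after report issue
APPROVED_STORES = {"audit-share", "analytics-platform"}  # assumed locations


@dataclass
class AuditDataset:
    name: str
    contains_personal_data: bool
    report_issued: date
    location: str
    justification: Optional[str] = None  # documented reason to hold longer
    retain_until: Optional[date] = None  # required whenever a justification exists


def assess(ds: AuditDataset, today: date) -> str:
    """Classify one dataset as 'keep', 'purge' or a 'review:...' finding."""
    if not ds.contains_personal_data:
        return "keep"  # outside the scope of the personal-data retention rule
    if ds.location not in APPROVED_STORES:
        # Data-mapping finding: a copy on a laptop drive cannot be purged centrally.
        return "review:unmanaged-location"
    deadline = ds.report_issued + timedelta(days=DEFAULT_RETENTION_DAYS)
    if today <= deadline:
        return "keep"
    # Past the default period: only a documented, dated exception keeps the data.
    if ds.justification is None:
        return "purge"
    if ds.retain_until is None:
        return "review:justification-missing-date"
    if today > ds.retain_until:
        return "review:justification-expired"
    return "keep"


def retention_report(datasets, today: date) -> dict:
    """Map each dataset name to its retention decision for a purge run."""
    return {ds.name: assess(ds, today) for ds in datasets}


if __name__ == "__main__":
    # Constructed sample inventory for a dry run.
    sample = [
        AuditDataset("payroll-2024", True, date(2025, 1, 10), "audit-share"),
        AuditDataset("suppliers-2024", True, date(2025, 1, 10), "C:/Users/auditor",
                     justification="open investigation (placeholder ref)",
                     retain_until=date(2026, 1, 1)),
    ]
    for name, decision in retention_report(sample, date(2025, 5, 30)).items():
        print(name, decision)
```

The 'review' outcomes are the cases the post warns about: data nobody can delete centrally, and exceptions that were asserted but never given an end date or were left to lapse.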
Conclusion: Let Go of the 7-Year Myth
The idea that audit teams must retain all data for seven years is a myth not grounded in law. In fact, holding onto personal data without clear justification is a violation of fundamental data protection principles. Audit functions must modernise their data retention policies to align with the principles of necessity, proportionality, and accountability.
It’s time to stop hoarding and start curating. The future of audit analytics depends not just on how well we analyse data, but on how responsibly we retain it.