Experts at HubSpot, filerskeepers and The DPO Centre discuss the realities of CRM data retention and compliance.
Customer Relationship Management (CRM) systems lie at the beating heart of modern sales and marketing efforts, offering a platform for tracking leads, seeking new opportunities and keeping ongoing relationships in prime condition. Unfortunately, there’s no such thing as a free lunch, and CRM tools come with a flip side. Without a clear plan for managing the information that’s kept in them – or indeed, how long it stays there – they can quickly become a liability, with an increasing risk of non-compliance with data protection laws.
While it may seem harmless to some, you can’t keep the personal data of customers, prospects and partners on file forever “just in case” – no matter how secure your systems are. Every record needs a lawful reason to exist and an expiry date of sorts. Yet many organisations still struggle to reconcile the commercial urge to hold onto everything with the legal reality that some of it has to go.
Paul Griffiths, Data Protection Officer at The DPO Centre, makes their case clear:
“If the only thing someone has done is open an email over the last five years, can you really justify them as an active contact? I’d far rather be in a position where we can’t answer a question because something was deleted a little early, than have to explain to a regulator why we’re still sitting on 25 years’ worth of information.”
It’s a dilemma that comes up time and time again. When Griffiths sat down with Wanne Pemmelaar, CEO and Founder of filerskeepers, and Agnes Marti-Voltas, Customer Success Manager at HubSpot, they reached a shared conclusion: the organisations getting this right are the ones that stop treating data retention as an afterthought and start treating it as a strategic discipline.
All three agree that a healthy CRM isn’t one bloated with old records. Instead, it’s an intricate balancing act of keeping what’s relevant and letting go of what’s not. As Marti-Voltas explains:
“A healthy CRM is not just about what’s stored; it’s about relevance, accuracy and transparency. You need to track legal basis, audit access, and regularly cleanse the system to stay GDPR compliant.”
For Pemmelaar, this is equally a question of business growth:
“Data quality is essential in order to grow your business and maintain healthy relationships with your customers.”
Knowing exactly what’s in your system, why it’s there, and whether it still serves a purpose is key. Anything else is dead weight.
So why does it sometimes seem so difficult for businesses to hit delete on dead data? Pemmelaar believes the problem is twofold:
“Companies struggle because they don’t know the law, or they find it overwhelming and conflicting across jurisdictions. Then there’s the practical problem of implementing rules in a complex IT environment where every system has different capabilities.”
On the other hand, Marti-Voltas has seen another recurring cause:
“The number one culprit is contact data stored without properly documented consent – especially when migrating from another CRM. Other common clutter includes old communication histories, stored documents, and closed tickets from years ago.”
One way to cut through the hesitation, Griffiths suggests, is to define what a “lapsed customer” or “lost lead” means in your business:
“It’s important to define what is a valid and active customer and at what point somebody has become a lapsed customer and therefore holds no value to you as a business anymore.”
In many cases, the business record itself can be kept – for example, that a sale happened – without retaining the personal identifiers. Ultimately, however, the decision of what to delete and when shouldn’t fall to one person or one department. As Griffiths sees it, “It’s about collaboration – justifying what you need, why you need it, and how long you genuinely need to keep it for.”
Pemmelaar supports this view, adding that extended retention must be backed by a solid rationale:
“It’s not just about what the law allows, it’s about what makes sense for your business. If you want to retain data for 10 years, you need to prove that necessity. That means building a business case, showing the data’s long-term value, and being ready to explain those choices to a regulator.”
Although responsibility ultimately rests with the business, CRM providers can make compliance far easier. Marti-Voltas believes more vendors should step up:
“CRM providers should empower customers to manage compliance, not just store data. That means building in tools for transparency and consent, and providing education and resources.”
Pemmelaar points out that retention and deletion are still too often overlooked in system design:
“We need platforms that can adapt to different countries’ rules and update automatically as laws evolve.”
There’s also the rise of artificial intelligence to consider. Used well in data management, it can identify patterns humans might miss, flag outdated records, and even handle deletions automatically. Pemmelaar sees significant opportunity:
“AI can bring structure to any type of information – not just identifying the data but understanding its context. That matters when different uses have different retention obligations.”
Marti-Voltas agrees that automation is already having an impact:
“AI is revolutionising how we manage CRM data, reducing manual workloads and enabling more frequent compliance checks. Automation gives organisations the tools to stay on top of GDPR without having to oversee every process manually.”
All three experts, however, are quick to point out that AI is not a foolproof solution; using it to process personal data carries its own responsibilities, from impact assessments to explainability and human oversight.
The lesson? CRM data retention isn’t just a compliance chore, but part of running a clean, efficient, trustworthy business. Success means collaboration, the right technology, and the confidence to part with information that no longer serves you. And sometimes, as Paul Griffiths reminds us, the smartest decision you can make – for your business and your compliance record – is to press delete.