After my previous GDPR Subject Access Requests (SARs) blog, you should now be familiar with the new data rights afforded to EU Data Subjects under GDPR and with how companies should perform their data inventory and map their data lifecycle. Another step companies may be unaware of is revising their data retention policies in light of GDPR. Retention requirements appear in multiple places in the GDPR, including:
- Storing the minimum: GDPR Recital 39, which states that “...the period for which the personal data are stored is limited to a strict minimum...In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review...”
- Process and store only what you need, for purposes you clearly communicated at collection: GDPR's purpose limitation principle (Article 5(1)(b)) ties processing to the purposes stated when the data was collected, and its data minimization principle (Article 5(1)(c)) requires that the data processed be adequate, relevant, and limited to what is necessary for those purposes.
- Keep personal data no longer than necessary: GDPR's storage limitation principle (Article 5(1)(e)) requires that personal data be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
How long and why are you keeping this data?
In order to comply with Recital 39 and with the data minimization and storage limitation principles, Data Controllers should actively review their data retention policies. The goal is not only to understand how long they keep data, but to be able to justify why they keep it, to auditors, management, and regulators, and to the Data Subjects themselves. Retained data has been a liability for some time, and GDPR makes that explicit: keeping data that is not essential for the purposes for which it was collected is now a compliance exposure, and failure to observe the data minimization and storage limitation principles may result in GDPR fines.
What is the balance between data privacy rights versus the needs of the business?
Any processing of personal data should be lawful and fair, yet determining how long a company should keep data is not cut and dried. A company cannot simply say five days, five months, or five years. It must roll up its sleeves, understand its industry and the regulations to which it is subject, and, realistically, come to terms with why it needs to retain personal data at all. "Longer" is no longer better. Rather, a business risk decision must be made that weighs the benefits of the business processes that use the data against the liabilities and obligations GDPR attaches to holding it.
Personal data ages fast.
Companies that are currently saving as much data as their archives will allow, in case the data becomes useful, valuable, or necessary in the future, should take another look. As a rule of thumb, if your company is not keeping personal data for a legal, contractual, regulatory, research, historical, or audit purpose, it is unlikely to be needed for longer than one year.
Do you really need all of those backups?
When companies consider how long personal data needs to be kept, whether in their live environments or in backups, they should ask themselves the following questions:
- Are we under any regulatory requirements, such as SEC (U.S. Securities and Exchange Commission), HIPAA (U.S. Health Insurance Portability and Accountability Act), or ESMA (European Securities and Markets Authority), requiring a specified period of time for data retention?
- Do we have a specific legal or contractual reason for keeping the data?
- Was the data collected for specified, explicit, and legitimate purposes?
- Are we only keeping data that is adequate, relevant, and necessary to perform the service?
- Is the data being kept longer than is necessary, for example, longer than the length of the contract?
- Is the data processed in a manner that ensures appropriate security?
Note that the questions do not all point the same way: a "no" to the questions about legal, contractual, or regulatory reasons and about purpose, adequacy, and security is a warning sign, as is a "yes" to keeping data longer than necessary. Wherever an answer points the wrong way, you will need a clearly documented rationale for why the data is being retained. To keep this data, your company must agree that the value of your processing activities outweighs the liability of retaining and securing it.
The need to store data long-term in data archives or backups varies across different types of companies and industries. You must align your backup retention with the requirements you set.
The GDPR does allow for longer data retention in two exceptions:
- for archiving purposes in the public interest; and
- for scientific or historical research purposes or statistical purposes.
If retention is for these purposes, it must still be accompanied by "appropriate technical and organisational measures" that safeguard the Data Subjects' rights and freedoms (Article 89(1)). Pseudonymization is one such safeguard, and it is the one Article 89(1) names explicitly. Two caveats apply: pseudonymized data that can still be attributed to a person with additional information, such as a lookup table or the key used to derive the pseudonyms, remains personal data under GDPR (Recital 26), and the safeguard only works if that additional information is kept separately and protected at least as well as the archive itself.
A one-size retention period may not fit all.
Different categories of EU Data Subjects' personal data may require different retention periods. The nature, scope, and purpose of the processing an organization performs needs to be documented, and each category must be stored with controls appropriate to its risk. For example, payment card data must be processed and stored under strict security controls, whereas customer preferences or similar low-sensitivity fields may be handled with less stringent ones. The general rule remains the same: store the minimum amount of data needed to perform the specified tasks or services under the contract.
If you haven't done so already, start by identifying which data presents the greatest risk to the Data Subject if kept beyond its processing shelf life; that same data presents the greatest risk to your organization should it be kept longer than necessary. Here is where your organization's data mapping, classification, and inventory efforts pay off, since you will already have assessed the risk of each category of data as part of that work.
Configure customized retention in your backup solution.
Once you have determined the minimum amount of time your business processes require the data, consider how to ensure your Processors and backup vendors are able to meet your customized retention policies.
You can use Own to find where personal data is hidden throughout your backup archives, including within attachments. Whether you determine that you need to keep data for three days, three months, or three years, Own gives your admins the flexibility to implement a customized retention schedule.
Own not only allows its customers, Data Controllers under GDPR, to meet their complex, customized retention periods; we are also data partners with them in fulfilling their GDPR obligations. Own helps its Controller customers honor Data Subject rights, such as the Right to Rectification, Right to Erasure, and Right to Data Portability, as they apply to personal data within backups and archives.
Register for the GDPR Right to be Forgotten - Compliance for your Backups webinar to learn more about defining your customized data retention period.
Visit our website to find out more about Own’s GDPR data protection solution and find answers to some of the most commonly asked questions that we’ve received at our GDPR webpage.