Under the GDPR (General Data Protection Regulation), organisations must be vigilant about how long they retain personal information. If you keep sensitive data for too long – even if it’s being held securely and not being misused – you may still be violating the Regulation’s requirements.
That might sound overly strict, but there’s a good reason for it.
Why is data retention important?
If you cast your mind back to the panic that preceded the GDPR taking effect, you’ll have a perfectly good understanding about why data retention periods are essential. Organisations that we’d not interacted with in years came out of the woodwork to ask for our consent to keep hold of our data.
It showed just often our records sit on organisation’s databases long after we’ve finished using their services. The organisation doesn’t want to get rid of the information, because it costs practically nothing to store customer details, but keeping it unnecessarily exposes us to security threats.
It only takes one piece of bad luck for an organisation’s systems to be breached, whether it’s Whether it’s a cyber attack or an internal error.
So, to limit the damage that a breach can cause, regulators mandated that EU-based organisations must retain personal data only if there’s a legitimate reason for keeping it.
What does GDPR say about data retention?
Despite the apparent strictness of its data retention rules, the GDPR offers a great deal of leniency for organisations, providing no set timeframes for how long data can be retained.
They can instead set their own deadlines based on whatever grounds they see fit. The only requirement is that the organisation must document and justify why it has set the timeframe it has.
The decision should be based on two key factors: the purpose for processing the data, and any legal or regulatory requirements for retaining it.
Data should not be held for longer than is needed and shouldn’t be kept ‘just in case’ you have a need for it in the future.
As long as one of your purposes still applies, you can continue to store the data.
Legal and regulatory requirements should also be acknowledged, because you may need to keep hold of data for reasons such as tax and audits, or to comply with defined standards and guidelines.
What to do with data past the retention period
You have two options when the deadline for data retention expires: delete it or anonymise it.
If you opt to delete the data, you must ensure all copies have been discarded. In order to do this, you will need find out where the data is stored. Is it a digital file, hard copy or both?
It’s easy to erase hard copy data, but digital data often leaves a trace and copies may reside in forgotten file servers and databases.
To comply with the Regulation, you will need to put the data ‘beyond use’. All copies of the data should be removed from live and back-up systems.
If that data is anonymised, however, the Regulation allows it to be kept for as long as an organisation wants.
This means that the information cannot be connected to an identifiable data subject. If the data can be used alongside other information the organisation holds to clearly identify an individual, then it is not adequately anonymised.
Personal data can be retained for longer periods without being anonymised if the data is being kept for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
What is a data retention policy?
A data retention policy is a set of guidelines that helps organisations keep track of how long information must be kept and how to dispose of the information when it’s no longer needed.
The policy should also outline the purpose for processing the personal data. This ensures that you have documented proof of your justification for your data retention periods.
How to create a data retention policy
Your data retention policy should be part of your overall information security documentation process. The first step is to gain a full picture of exactly what data you’re processing, what it’s being used for and which regulations are applicable to your business.
These regulations include, but aren’t necessarily limited to, the GDPR. For example, if you process individuals’ debit or credit card information, you may be subject to the PCI DSS (Payment Card Industry Data Security Standard).
Similarly, if you intend to comply with ISO 27001, the international standard that describes best practice for information security, you must take note of its requirements.
These compliance requirements will dictate what information must be included in your data retention policy and the rules it should follow.
Broadly speaking, those rules will fit into three criteria:
- The types of information the policy must cover;
- How long you are entitled to keep information; and
- What you should do with data when you no longer have a legitimate purpose to store it.
Best practice data retention strategies
In order to remain compliant with the GDPR’s data retention requirements, you need to know where all your data is. If you don’t keep track of this, it will be much harder to monitor when the retention period expires and to remove the data when necessary
can manage these issues by creating data flow maps to identify the data they hold and where it is moving.
Data flow mapping also enables you to plan how your data will be used and if it will be needed for future use – which is important when deciding retention periods.
Get started with data flow mapping
You can learn more about data flow mapping with our free green paper Conducting a Data Flow Mapping Exercise Under the GDPR. It will help you understand how to effectively map and keep track of the data in your organisation in order to comply with the Regulation.
Data flow mapping can have its challenges, but you can simplify the whole process by using data flow mapping software.
Vigilant Software’s Data Flow Mapping Tool gives you full visibility over the flow of personal data through your organisation, why it’s being processed, where it’s held and how it’s transferred, allowing you to easily create accurate data flow maps.
A version of this blog was originally published on 12 November 2018.