If your business is subject to the EU's General Data Protection Regulation, one of the first tasks to address is the implementation of a GDPR data retention policy that advises “data subjects” what information is being collected, who it is being shared with, what it is being used for, and how long it will be retained.
Under the 1995 EU Data Protection Directive, businesses operating in the European Union were not supposed to retain data “for longer than is necessary for the purposes for which the data were collected”. This principle was rarely applied, and—as it formed part of a “Directive” rather than a “Regulation”—it was never enforced.
With the introduction of the EU's General Data Protection Regulation (GDPR), the landscape changes completely. Not only do businesses operating in the European Union have to implement a GDPR data retention policy, but any business that collects, processes or stores the personal information of an EU data subject also has to implement a GDPR data retention policy.
Creating a GDPR data retention policy may sound straightforward but, in practice, it can be extremely complicated. You may have noticed that, in the above list of bullet points, we included the line “periods of data retention” in the plural rather than in the singular. This is because, although a business may no longer have a need for the data “for the purposes for which the data were collected”, the data may have to be retained for regulatory or legal purposes.
For this reason, businesses need to identify what types of data are collected from EU data subjects. They should ensure only the minimum amount of personal information is collected to meet the legal purpose for processing the data, and determine—if necessary—how different elements of the data are stored in order to facilitate Subject Access Requests and regulatory/legal requirements, and to enable the timely deletion of data when regulatory retention periods expire.
A process for the timely deletion of data also has to be designed and documented. If a business is a Data Controller and subcontracts data processing to a third party, due diligence needs to be conducted on the third party to ensure they too have a GDPR data retention policy. If the data processing is done in-house, but via a third party's software application, an agreement still needs to be put in place to ensure compliance with the General Data Protection Regulation.
Compliance with GDPR is not an option if your business collects, processes, or stores the personal information of an EU data subject, but there are significant benefits of complying with this element of GDPR. By conducting an audit of your data and deleting any that is superfluous to your needs, you save on storage space and—if your data is maintained in the cloud—you reduce your cloud costs.
If you have organized your data appropriately, you will save time responding to Subject Access Requests and be able to better resolve requests when data subjects exercise the Right to be Forgotten or the Right of Portability. The audit will also help you identify inaccurate, out-of-date or redundant data, and data that is at risk of misappropriation due to security issues.