If your business is subject to the EU's General Data Protection Regulation (GDPR), one of the first tasks to address is a GDPR data retention policy, backed by a notice that tells "data subjects" what personal information is being collected, who it is being shared with, what it is being used for, and how long it will be retained.
Under the 1995 EU Data Protection Directive (95/46/EC), businesses operating in the European Union were already not supposed to keep personal data "for longer than is necessary for the purposes for which the data were collected". Because a Directive has to be transposed into each member state's national law rather than applying directly, the principle was applied unevenly from one country to the next and, in practice, rarely enforced.
With the introduction of the GDPR the landscape changes completely. As a Regulation it applies directly in every member state, and its reach is not limited to businesses established in the EU: any business that collects, processes or stores the personal data of EU data subjects, for example by offering them goods or services or monitoring their behaviour, has to implement a GDPR data retention policy. At a minimum, the policy should cover:
- The aims and objectives of the policy
- The scope of the policy
- Who's collecting the data
- The legal basis for processing the data
- Who the data will be shared with
- How the integrity of data is safeguarded
- The rights of individuals
- Periods of data retention
- The responsibilities of individuals
- How the policy is enforced
- How the data subject can complain
Issues with creating a GDPR data retention policy
Creating a GDPR data retention policy may sound straightforward but, in practice, it can be extremely complicated. You may have noticed that, in the list of bullet points above, we wrote "periods of data retention" in the plural rather than the singular. This is because, although a business may no longer need the data "for the purposes for which the data were collected", some of it may still have to be retained for regulatory or legal purposes (accounting or tax records, for instance), and each category of data can end up with a different retention period.
For this reason, businesses need to identify what categories of personal data they collect from EU data subjects. They should collect only the minimum amount of personal information needed for the stated purpose of processing, and decide how the different elements of the data are stored so that Subject Access Requests and regulatory or legal requirements can be met and, just as importantly, so that data can be deleted promptly when its retention period expires.
A process for the timely deletion of data also has to be designed, documented and run on a schedule, not left to ad hoc clean-ups. If a business is a Data Controller and subcontracts data processing to a third party, due diligence needs to be conducted on that Data Processor to ensure it too has a GDPR data retention policy; the GDPR also requires a written contract with the processor, including what happens to the data (deletion or return) when the service ends. If the data processing is done in-house, but via a third party's software application, an agreement still needs to be put in place to ensure compliance with the Regulation.
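As an added illustration of the deletion process described above (example code written for this article, not any product's or regulator's implementation), the following Python sketch applies a per-category retention schedule to a set of records. The retention periods and legal bases in SCHEDULE, the Record fields, and the sample records are all constructed assumptions; in a real system the periods come from the business's own legal analysis. The example shows the two things the text warns about: different categories expire on different dates, and a legal hold or a statutory retention obligation can block deletion, including deletion in response to an erasure request.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Constructed retention schedule (assumption for illustration only):
# category -> (days retained after collection, legal basis for processing).
SCHEDULE: Dict[str, Tuple[int, str]] = {
    "marketing_profile": (365, "consent"),
    "support_ticket": (2 * 365, "legitimate_interest"),
    "invoice": (6 * 365, "legal_obligation"),  # e.g. accounting rules
}


@dataclass
class Record:
    record_id: str
    subject_id: str
    category: str
    collected_on: date
    legal_hold: bool = False  # litigation/regulator hold: never auto-delete


def retention_deadline(rec: Record, schedule=SCHEDULE) -> date:
    """Last day on which the record may still be kept under the schedule."""
    days, _ = schedule[rec.category]
    return rec.collected_on + timedelta(days=days)


def classify(records: List[Record], today: date, schedule=SCHEDULE) -> Dict[str, List[str]]:
    """Sort records into delete / retain / held buckets for the scheduled job.

    A record whose category has no retention period is a policy gap, so we
    fail loudly rather than silently keeping it forever.
    """
    out: Dict[str, List[str]] = {"delete": [], "retain": [], "held": []}
    for rec in records:
        if rec.category not in schedule:
            raise ValueError(f"{rec.record_id}: no retention period for {rec.category!r}")
        if rec.legal_hold:
            out["held"].append(rec.record_id)
        elif today > retention_deadline(rec, schedule):
            out["delete"].append(rec.record_id)
        else:
            out["retain"].append(rec.record_id)
    return out


def enforce(records: List[Record], today: date, schedule=SCHEDULE) -> Tuple[List[Record], List[str]]:
    """Apply the schedule; return surviving records and an audit log of actions."""
    buckets = classify(records, today, schedule)
    expired = set(buckets["delete"])
    survivors = [r for r in records if r.record_id not in expired]
    log = [
        f"{today.isoformat()} DELETE {r.record_id} ({r.category}, "
        f"expired {retention_deadline(r, schedule).isoformat()})"
        for r in records if r.record_id in expired
    ]
    log += [f"{today.isoformat()} HOLD {rid} (legal hold, not deleted)" for rid in buckets["held"]]
    return survivors, log


def erasure_request(records: List[Record], subject_id: str, today: date,
                    schedule=SCHEDULE) -> Tuple[List[Record], List[str]]:
    """Handle a right-to-erasure request for one data subject.

    Everything about the subject is deleted except records under legal hold or
    still inside the retention period of a category whose legal basis is a
    legal obligation (assumption: that is the only basis treated as blocking
    erasure here). The IDs of records kept are returned so the subject can be
    told what was retained and why.
    """
    survivors, kept = [], []
    for rec in records:
        if rec.subject_id != subject_id:
            survivors.append(rec)
            continue
        _, basis = schedule[rec.category]
        blocked = basis == "legal_obligation" and today <= retention_deadline(rec, schedule)
        if rec.legal_hold or blocked:
            survivors.append(rec)
            kept.append(rec.record_id)
    return survivors, kept


# Constructed sample data: subject IDs and dates are made up for the example.
SAMPLE = [
    Record("r1", "alice", "marketing_profile", date(2020, 1, 15)),
    Record("r2", "alice", "invoice", date(2019, 6, 1)),
    Record("r3", "bob", "support_ticket", date(2021, 3, 10)),
    Record("r4", "bob", "invoice", date(2015, 2, 2), legal_hold=True),
]
TODAY = date(2022, 1, 1)

if __name__ == "__main__":
    survivors, log = enforce(SAMPLE, TODAY)
    print("\n".join(log))
    _, kept = erasure_request(SAMPLE, "alice", TODAY)
    print("kept despite erasure request:", kept)
```

Run on the sample data, the marketing profile (consent, one year) is deleted as expired, the 2019 invoice is retained because its six-year period has not ended, and the held invoice is reported but never deleted. Alice's erasure request removes her marketing profile but keeps her invoice, which is the situation the text describes: the original purpose is gone, but a legal retention period still applies, so the policy has to state both periods and the deletion job has to respect both.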
The benefits of complying with this element of GDPR
Compliance with the GDPR isn't optional if your business collects, processes or stores the personal information of EU data subjects, but there are significant benefits to complying with this element of it. By auditing your data and deleting anything superfluous to your needs, you save storage space and, if your data is held in the cloud, you reduce your cloud costs.
If you've organized your data appropriately, you'll save time responding to Subject Access Requests and be better placed to resolve requests when data subjects exercise the Right to be Forgotten (the right to erasure) or the Right to Data Portability. The audit will also help you identify inaccurate, out-of-date or redundant data, and data that is exposed to a security risk, such as forgotten copies held in systems with weaker access controls.