Issuing a sell-by-date on food products protects consumer health. Issuing a data deletion policy protects consumers’ privacy.
Many businesses are asking: how long can you store data under GDPR? Like the regulation regarding sell-by-dates, EU regulators have stated that the personal data you hold must have a shelf-life.
Let’s discuss what this means for you as a business.
Do You Need to Define the Data Retention Period?
Most articles within the GDPR will require some form of documentation to show that your organization is complying with the regulation, and data retention is no different. The documentation must provide details of the processing and activities that outline the data life cycle.
However, it is not enough to keep a document detailing the data retention period; you must also put it into practice. The regulation does not specify any standard retention period, as it is a function of two principles:
- Storage Limitation: the principle that directly relates to this compliance measure
- Purpose Limitation: this principle relates to the reason for processing, which we will get into later on.
Defining the retention period will require you to understand these two principles and how your organization will put them into practice.
Storage Limitation Principle
The storage limitation principle states that you should keep personal data only for as long as the purpose for which it was collected remains unfulfilled. Once the data has served its purpose, you should delete it.
However, this goes beyond data simply serving its purpose. If you are collecting data that is just sitting around unused, you will need to consider deleting it and stopping any further collection of that specific data category.
Neglecting this “hygiene” process could result in non-compliance and could land you a fine. This brings us to the next principle, purpose limitation.
Purpose Limitation Principle
To determine a data retention period, and therefore a data retention policy, you will need to define the purpose for which the data is retained. The Purpose Limitation Principle states that the collection of PII is characterized by a specific, explicit, or legitimate interest.
Outline this purpose before any collection or processing of personal data. This step is vital because the regulation also states that any further processing that is not in line with the purposes outlined will violate the law.
In this case, you will need to ask yourself:
- Why am I collecting this data?
- What will business operations require in the processing of this type of data?
Answering these two questions will help you develop a retention policy and give you an idea of an information deletion time frame.
Under the GDPR, you cannot keep personal data indefinitely.
However, there is an exemption to this rule. Processing for archiving purposes or in the public interest remains lawful. There is no need for a retention policy in these two cases, and the data can be stored indefinitely, provided that appropriate technical and organizational safeguards are implemented.
What should we do with personal data that we no longer need?
Data that you no longer need must be disposed of correctly. Generally, part of the data flow map contains a section showing what happens to data at the end of the information life cycle.
However, data deletion has some alternatives; you could fully anonymize the data or remove all identifiers. But this might cause more hassle than just deleting it. The benefits are that you can keep some form of anonymized data as a tracking tool.
The tracking would be separate from any services or products that require personal data. An example is to use anonymized data when tracking the total number of customers that visited your site over its entire operation.
In short, the GDPR requires the deletion of any personal data your organization no longer uses; avoid accumulating data lakes.
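As an added illustration (not part of the original article), the following hypothetical Python retention sweep applies both principles to a constructed record set: a retention period per documented purpose, deletion versus anonymization (keeping only an aggregate count, as in the visitor-tracking example above), the archiving exemption with its safeguards check, and flagging of records held for no documented purpose. The purposes, rules and records are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention rules keyed by documented purpose (constructed for this
# example). "retain" models the archiving / public-interest exemption.
RETENTION_RULES = {
    "order_fulfilment": {"days": 365, "action": "delete"},
    "site_analytics": {"days": 30, "action": "anonymize"},
    "public_archive": {"days": None, "action": "retain"},
}

@dataclass
class Record:
    record_id: str
    purpose: str
    collected: date
    identifiers: dict         # name, email, IP: the PII that must not outlive its purpose
    safeguards: bool = False  # technical/organizational safeguards for archived data

def apply_retention(records, today):
    out = {"kept": [], "deleted": [], "anonymized_count": 0, "findings": []}
    for r in records:
        rule = RETENTION_RULES.get(r.purpose)
        if rule is None:
            # Purpose limitation: no documented purpose is non-compliant; hold for review
            out["findings"].append(f"{r.record_id}: undocumented purpose {r.purpose!r}")
            out["kept"].append(r)
            continue
        if rule["action"] == "retain":
            if not r.safeguards:
                out["findings"].append(f"{r.record_id}: archive exemption without safeguards")
            out["kept"].append(r)
            continue
        if today < r.collected + timedelta(days=rule["days"]):
            out["kept"].append(r)          # storage limitation: still within retention
        elif rule["action"] == "delete":
            out["deleted"].append(r.record_id)
        else:
            out["anonymized_count"] += 1   # identifiers dropped; only the count survives
    return out
SAMPLE_RECORDS = [  # constructed sample data, not a real data set
    Record("o1", "order_fulfilment", date(2023, 5, 1), {"email": "a@example.com"}),
    Record("o2", "order_fulfilment", date(2024, 3, 1), {"email": "b@example.com"}),
    Record("a1", "site_analytics", date(2024, 4, 1), {"ip": "203.0.113.5"}),
    Record("p1", "public_archive", date(2020, 1, 1), {"name": "C"}, safeguards=True),
    Record("p2", "public_archive", date(2020, 1, 1), {"name": "D"}),
    Record("x1", "marketing_leftover", date(2021, 1, 1), {"email": "e@example.com"}),
]
def run_example():
    return apply_retention(SAMPLE_RECORDS, date(2024, 6, 1))
```

Run on 2024-06-01, the sweep deletes the expired order record, anonymizes the expired analytics record, keeps the unexpired and archived ones, and reports two findings (an archive without safeguards and a record with no documented purpose).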
What if my data is shared between organizations?
It is common for companies to share the data they process in the current business environment, especially within the same business network. The GDPR doesn’t explicitly ban personal data sharing; rather than hamper business operations, the regulation highlights the need for privacy by design and by default.
When sharing personal data with a third-party network, the first thing you will need to do is ensure that your customers are made aware of this fact. In terms of the data retention policy, you will need to agree on that with your business partners.
Discuss with the business network what the appropriate steps are for data deletion, and then write it up as part of the data retention policy. If you are purely a data processor and not the data controller, it may be best to return the data to the controller when the purpose is fulfilled, without keeping a copy.
This policy will limit your customers’ privacy risks and free up server resources, especially if your organization can process the borrowed data virtually through cloud technologies or virtual machines.
Regardless of which method you choose, the onus is on the business network to devise a compliant policy.
Benefits Of Developing a Data Retention Policy
There are benefits of defining a data retention policy:
- Avoiding data lakes and graveyards: a data lake is when the organization or information system collects unnecessary personal data. The data is excessive because it usually has nothing to do with the business operation or services provided. Keeping a data lake is not allowed under the regulation. Defining a retention period can help eliminate excess data collection. The data graveyard, as the name suggests, is a graveyard of inactive personal data. This data usually sits in a storage system without ever being touched. A data retention policy will help you define a time frame for when you should destroy static data.
- Saving resources: using the example of data lakes and graveyards from above, this retention policy will ultimately save you time and money. The data retention policy will also improve the information system’s speeds; cleaning the “pipes” of the infrastructure is the best way to improve flow.
The requirements laid out by the regulation are clear that your organization cannot keep personal data indefinitely. However, regulators have not designated a specific period for when you should delete data.
The data retention policy should help you fulfil the purpose limitation principle outlined in the regulation. This means your organization should limit data collection to what the data subject needs in order to receive the product or service for legitimate business operations.
This limitation will give you an idea of when you should delete data, i.e., when the data has served its intended purpose or if the data subject has pulled out of any contract and no longer requires the service.
So under GDPR, how long can data be stored? Like many of the other articles within the regulation, it depends.
Regardless, you should have a data retention policy documenting when you intend to delete data, as per compliance requirements.
Data protection and privacy requirements can be challenging to comprehend. If you are looking for advice or need help developing a compliance strategy, get in contact with RSI Security today. Schedule a consultation here.