If your organization collects, processes, stores, or transmits data that belongs to or concerns residents of European Union (EU) Member States, you are likely subject to the General Data Protection Regulation (GDPR). One core component of the GDPR is restrictions on retention, which likely necessitates a data retention policy for compliance. Read on to learn how your organization can strategize for and implement such a policy to protect data subjects’ rights.
Simplifying GDPR Compliance with a Data Retention Policy
Although the EU GDPR concerns EU data subjects, it applies to organizations irrespective of their location. If you currently conduct business in Europe or hope to expand into European markets, you’ll need to implement a data retention policy to avoid non-compliance penalties. Consider:
- The particular EU GDPR principle pertaining to data retention (and restriction thereof)
- Additional EU GDPR principles concerning the collection and use of personal data
Depending on the scope of data processing and the EU Member States you deal with, your organization may need to designate a Data Protection Officer (DPO) to enforce your policy.
EU GDPR Principle Applicable to Data Retention Policies
The EU GDPR is a massive framework comprising 99 Articles distributed across 11 Chapters. Of these, one provision in particular applies most directly to data retention: Article 5, paragraph 1, point (e). In the context of the other principles governing the collection and processing of personal data, 5.1(e) specifies that personal data may be retained in a form that allows identification for no longer than is expressly necessary for the specific purposes for which it was collected.
In practice, this means that an organization must eliminate all covered personal data, or render it unidentifiable, as soon as it no longer serves the exact purpose it was collected to serve.
Is There a Specific, Enforceable GDPR Data Retention Period?
It stands to reason that the process of deleting files or personally identifiable elements therein may not be instantaneous. However, the wording of EU GDPR Article 5.1(e) is relatively vague; it does not specify a threshold for how soon the data must be eliminated once it has served its purpose. It’s best to account for this uncertainty with data retention policy best practices, like:
- A data minimization approach, seeking to retain as little data as possible
- Continuous monitoring of all data, cross-referencing consent agreements
- Wider ranges of data use specified in agreements, allowing for flexibility
Working with a managed security services provider (MSSP) to assess and optimize data retention practices beyond GDPR-specific requirements is one comprehensive solution.
Exceptions to Retention Restrictions for Special Use Cases
The restrictions on retention do not apply uniformly to all data, and some explicit exceptions allow for retention beyond agreed-upon purposes. These correspond to public interests such as scientific and historical research, which are specified in further detail in EU GDPR Article 89.
In practice, the most critical consideration is that sensitive personal data is not sitting idly in networks for no reason. Consider the following bare-bones data retention policy examples:
- Data is not retained by default unless there is a specific reason it must be; regular assessments verify whether that reason still exists and delete the data if it no longer does.
- Data is retained in ways that minimize or eliminate personally identifiable information (PII); regular scans with a PII scanner ensure that none is retained unless necessary.
Either of these may form the core of a data retention approach, or may be combined with security information and event management (SIEM) systems to maintain EU GDPR compliance.
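To make the two policy examples above concrete, here is an added Python example (not from the original article or from RSI Security) of a retention check: each record's registered purpose and consent status decide whether it is kept, deleted, or pseudonymized under an Article 89 research purpose. The purpose registry, retention periods, key, and records are constructed for illustration and are not figures taken from the GDPR.

```python
import hashlib, hmac
from collections import namedtuple
from datetime import date, timedelta

# Constructed purpose registry (hypothetical periods): retention days plus an Article 89 research flag.
PURPOSES = {
    "order_fulfilment": {"retention_days": 180, "research": False},
    "newsletter": {"retention_days": 365, "research": False},
    "clinical_study": {"retention_days": 3650, "research": True},
}
PSEUDONYM_KEY = b"constructed-demo-key"  # in practice kept apart from the data store
TODAY = date(2024, 6, 1)                 # fixed "today" so the run is reproducible

# pii holds the identifying fields (name, email, ...) of one stored record
Record = namedtuple("Record", "record_id purpose collected consent_active pii")

def decide(rec, today):
    """Return 'keep', 'pseudonymize' or 'delete' for one record under Article 5.1(e)."""
    spec = PURPOSES.get(rec.purpose)
    if spec is None:  # no registered purpose: nothing justifies retention
        return "delete"
    expired = today > rec.collected + timedelta(days=spec["retention_days"])
    if not expired and rec.consent_active:
        return "keep"
    # Purpose served or consent withdrawn: research may keep the record only in a non-identifying form.
    return "pseudonymize" if spec["research"] else "delete"

def pseudonymize(pii, key):
    """Swap identifying values for keyed hashes: still linkable, no longer identifying."""
    return {k: hmac.new(key, v.encode(), hashlib.sha256).hexdigest()[:16] for k, v in pii.items()}

def enforce(records, today):
    """Apply decisions; return surviving records plus an audit log of (id, action)."""
    survivors, log = [], []
    for rec in records:
        action = decide(rec, today)
        log.append((rec.record_id, action))
        if action == "pseudonymize":
            rec = rec._replace(pii=pseudonymize(rec.pii, PSEUDONYM_KEY))
        if action != "delete":
            survivors.append(rec)
    return survivors, log

SAMPLE = [  # constructed records; r5 carries a purpose nobody registered
    Record("r1", "order_fulfilment", date(2024, 1, 10), True, {"email": "a@example.com"}),
    Record("r2", "order_fulfilment", date(2023, 1, 10), True, {"email": "b@example.com"}),
    Record("r3", "newsletter", date(2024, 3, 1), False, {"email": "c@example.com"}),
    Record("r4", "clinical_study", date(2010, 6, 1), True, {"name": "D. Subject"}),
    Record("r5", "marketing_profiling", date(2024, 3, 1), True, {"name": "E. Subject"}),
]
```

Running `enforce(SAMPLE, TODAY)` keeps r1 as-is, drops r2, r3 and r5, and keeps r4 with its name replaced by a keyed hash; the audit log is what a regular assessment would retain as evidence.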
Other EU GDPR Articles Applicable to Data Processing
Article 5.1(e) is the principle that applies most directly to data retention for GDPR compliance, but it is not the only principle applicable to data protection overall. Chapter 2 comprises seven articles in total, with the essential principles defined in Article 5 and expanded on further in Articles 6-11.
These principles correspond to fundamental rights the EU GDPR grants to European data subjects, covered in detail across Chapter 3 (Articles 12-23). The rights of data subjects are:
- The right to transparency of information and accessible modalities for communication.
- The right of access to personal data and access to information concerning said data.
- The right of rectification and erasure of personal data (i.e., the “right to be forgotten”).
- The right to object to given decision-making processes, including automation.
The principles are general starting points from which to build policies to uphold these rights.
Article 5.1(a): Lawful, Fair, and Transparent Data Processing
First, Article 5.1(a) specifies that the processing of personal data must be done in a lawful, fair, and transparent manner with respect to the data subject.
Adherence must account for legality based on local laws—relative to the subject’s country of origin or residence—along with applicable regulations from the organization’s location. Fairness relates to the expectations set forth in agreements and communication between the organization and data subject, which are generally made upon the latter’s first interaction with the former’s website or service delivery. Finally, transparency involves the efforts made to make all practices explicit, clear, and accessible—up-front or at the subject’s request.
Article 5.1(b): Explicit, Specific, Legitimate, and Limited Purposes
This principle requires the establishment of purposes for data collection and processing upon collection from the data subject. It also requires that any data collected for given purposes is not then processed or used in other ways beyond those specified in the initial notice upon collection. This is closely related to data retention restrictions in 5.1(e). Likewise, it also contains exceptions for further data processing in the public interest, as defined in Article 89.
Article 5.1(c): Adequate, Relevant, and Minimized Data Processing
Referred to as “data minimization” in its defining language, this principle is the most straightforward of the six clauses in 5.1. It restricts data upon collection to that which is adequate, relevant, and necessary for the specific (and legitimate) purposes named upon collection (see 5.1(a-b)).
Article 5.1(d): Assurance of Accurate and Up-to-Date Information
This principle has less to do with restrictions on data collection and processing than with the integrity of all collected, processed, and retained data. Specifically, this principle requires that an organization search for, assess, and correct any inaccuracies in its repositories. According to GDPR language, organizations must take all “reasonable steps” to eradicate inaccurate personal data, except for any that serve an explicitly established and legitimate purpose (e.g., historical research).
Article 5.1(f): Safeguards for Data Integrity and Confidentiality
The final point in paragraph 1 of Article 5 requires implementing and maintaining “appropriate security” to protect all personal data that organizations possess. It does not specify what constitutes “appropriate” protections, besides:
- Protection against unlawful or unauthorized access to or use of personal data
- Protection against accidental loss of, or damage to, personal data
- Protection against destruction or loss, accidental or not, of personal data
One way to address these and other protections is by implementing robust threat and vulnerability management. These solutions or managed services identify risk factors before they become cybersecurity incidents and impact personal data.
Note: Paragraph 2 of Article 5 also specifies that the data controller is responsible for the organization’s compliance with paragraph 1. The controller is defined in Article 4 as the entity that determines the purposes and means of processing personal data.
RSI Security’s EU GDPR and Data Protection Services
Regardless of your business’s location, you are likely to come into contact with some protected data belonging to or concerning EU citizens. Sooner or later, you’ll need to implement policies for EU GDPR compliance, including a designated data retention policy.