If you’re a privacy professional or have ever been involved in a GDPR project, you’ll probably know that retention periods (and -policies) are a crucial part of data protection.
But how can you be sure that these retention policies are adhered to and data is indeed deleted or anonymized?
“Are you sure all personal data has actually been deleted?”
… is one of the hardest questions for DPO’s and privacy professionals to answer.
Not only do you have to know where all personal data resides (systems, files, hard drives, DB’s, cloud, paper, cabinets…) – you also need to know “for which data subjects” to delete or anonymize it and avoid solutions or processes breaking while doing so.
Deleting or anonymizing personal data wrongfully can bring your organization down –
while not deleting or anonymizing it causes non-compliance.
In order to help you reduce these risks and increase compliance – we listed 3 rules that will allow you to take control over the execution of your retention periods:
1) Optimize your retention periods and determine when to delete.
Some retention periods are easy to determine – they are linked to specific legislation (e.g., HR, FI, …) or a code of conduct. Most retention periods however are determined based upon a gut feeling.
Retention of data should make sense… to the data subject. Therefore – make sure that you can demonstrate an actual benefit or need for the data subject. This will reduce your retention periods.
E.g.: if a significant number of data subjects still requests their data, x years after their contract was terminated – then your retention period can reflect those “x” years.
Few companies have determined when to delete or anonymize data. Therefore, agree on pre-defined execution of your retention periods with your data or IT team.
E.g.: deleting or anonymizing on a monthly or quarterly basis allows you to prevent personal data from being stored for too long and makes sure personal data is actually getting deleted.
2) Understand where your personal data resides (directly and indirectly).
These days the scope of personal data is huge, as it covers both directly and indirectly identifiable data. Understanding in which databases, applications, files, documents etc. personal data resides is a close-to-impossible task for most DPO or data protection officers.
Unfortunately, this is a question that keeps data professionals awake at night as well.
Data governance is about understanding your data, its use in business processes and daily life – and knowing in which applications, DB’s files etc. it’s used.
Furthermore, data governance will provide you insights into data flows, data-ownership, classification of data and indicate where personal data of each of the data subjects resides.
Talk to your data (or IT) team – and try to understand if they’re already busy with data governance in one way or another. You’ll be able to benefit from it hugely.
3) Don’t “just” delete or anonymize data.
Deleting or anonymizing data involves serious risks.
Deleting a record of data in an application can cause an application to no longer function properly – resulting in discontinuation of the business and revenue loss.
These days, however, API’s and mature integration tools can bring a solution to (semi-) automatically delete data – based upon insights about your data provided by data governance.
Focus on the core, outsource the rest
Feeling overwhelmed by the workload?
Want to free up time for more meaningful work?
Looking for a fit-and-forget solution?
At Data Trust Associates, we have extensive experience in helping clients from different industries to automate retention policy execution as well as many other compliance processes.
We’re happy to discuss and see how we can help.