The General Data Protection Regulation came into effect in all European Union (EU) states on May 25th, 2018. The new legislation aims to standardize data protection across member states and give more rights to the individuals that the data concerns. Any organization that deals with clients or employees who are EU citizens is required to change its business practices so that it becomes GDPR compliant. One of the major ways in which companies will have to adjust is in relation to their data retention policies.
A company’s data retention policies cover what information is appropriate for it to keep, and how that data should be stored to maintain the privacy of the individual. Equally, GDPR-compliant businesses must consider which documents must be destroyed, and the most secure and safe way of doing so.
The GDPR guidelines are rigorous, and companies must be thorough in ensuring that their data retention policies are compliant with the legislation. The company’s retention policy must be clear, unambiguous, and cover a wide range of possible scenarios and circumstances. Without clear policies, it is possible that they may meet legal difficulties, or be unable to serve EU customers.
The GDPR legislation requires that the period for which data is retained by an organization be kept to a minimum. The article pertaining to data retention, Article 38, states “…the period for which the personal data are stored is limited to a strict minimum…In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review…”.
This means that each company affected by GDPR must update its policies on how much data is stored, and for how long the organization holds on to it. The legislation advocates storing the minimum amount of information that the company needs, and storing only the information which is relevant to the original purpose of its collection.
GDPR guidelines are specific when they stipulate the manner in which the data is stored. The data should be retained in a form and manner that protects the identity of data subjects. If the individual’s identity is required for the original purpose, the organization must identify them only until the required task is completed. This guideline aims to help protect the anonymity of individuals and introduce EU-wide standards for identity protection for the first time.
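The three controls described above (a fixed retention limit per category of data, an erase-or-review action when that limit passes, and dropping the direct identifier as soon as the original purpose is complete) can be enforced mechanically. The following is an added example, not code from the article or any regulator: the retention schedule, record categories, sample records and the secret key are constructed and hypothetical, and the pseudonymization uses a keyed hash (HMAC-SHA256) so that records about one person can still be linked for statistics without the row naming them.

```python
"""Retention-schedule enforcement over a constructed dataset (added example).

Categories, retention periods, records and the key below are constructed for
illustration; they do not come from any regulation text or real system.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
import hashlib
import hmac

# Hypothetical schedule: category -> (retention period, action once expired).
# "erase" deletes the record, "pseudonymize" strips the direct identifier but
# keeps the row for statistics, "review" flags it for a documented decision.
RETENTION_SCHEDULE = {
    "support_ticket": (timedelta(days=365), "erase"),
    "order":          (timedelta(days=365 * 7), "pseudonymize"),
    "marketing_lead": (timedelta(days=90), "erase"),
    "legal_hold":     (timedelta(days=365 * 10), "review"),
}

# Constructed key; in practice it is held apart from the data store.
KEY = b"constructed-example-key-not-for-production"
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    subject_email: str        # direct identifier of the data subject
    collected_at: datetime
    purpose_complete: bool    # has the original purpose been fulfilled?


def pseudonymize(record: Record, key: bytes) -> Record:
    """Replace the direct identifier with a keyed hash token.

    The same person yields the same token, so rows stay linkable, but without
    the key the token cannot be turned back into an e-mail address.
    """
    digest = hmac.new(key, record.subject_email.encode(), hashlib.sha256)
    return replace(record, subject_email="pseudo:" + digest.hexdigest()[:16])


def expiry_date(record: Record, schedule: dict):
    """Date on which the record's retention limit passes (None if unscheduled)."""
    if record.category not in schedule:
        return None
    return record.collected_at + schedule[record.category][0]


def apply_retention(records, schedule, key, now):
    """Sort records into kept / erased / pseudonymized / review buckets."""
    result = {"kept": [], "erased": [], "pseudonymized": [], "review": []}
    for r in records:
        if r.category not in schedule:
            result["review"].append(r)      # unknown category: never keep silently
            continue
        period, action = schedule[r.category]
        if now - r.collected_at > period:   # retention limit has passed
            if action == "erase":
                result["erased"].append(r)
            elif action == "pseudonymize":
                result["pseudonymized"].append(pseudonymize(r, key))
            else:
                result["review"].append(r)
        elif r.purpose_complete and not r.subject_email.startswith("pseudo:"):
            # Purpose fulfilled: identity is no longer needed even though the
            # record itself is still within its retention period.
            result["pseudonymized"].append(pseudonymize(r, key))
        else:
            result["kept"].append(r)
    return result


# Constructed sample records.
SAMPLE_RECORDS = [
    Record("t1", "support_ticket", "a@example.test", datetime(2022, 1, 1, tzinfo=timezone.utc), True),
    Record("t2", "support_ticket", "b@example.test", datetime(2024, 3, 1, tzinfo=timezone.utc), False),
    Record("o1", "order", "c@example.test", datetime(2024, 2, 1, tzinfo=timezone.utc), True),
    Record("o2", "order", "d@example.test", datetime(2015, 1, 1, tzinfo=timezone.utc), True),
    Record("m1", "marketing_lead", "e@example.test", datetime(2024, 1, 1, tzinfo=timezone.utc), False),
    Record("x1", "cctv", "f@example.test", datetime(2024, 5, 1, tzinfo=timezone.utc), False),
    Record("l1", "legal_hold", "g@example.test", datetime(2010, 1, 1, tzinfo=timezone.utc), True),
]


def run_example():
    return apply_retention(SAMPLE_RECORDS, RETENTION_SCHEDULE, KEY, NOW)


if __name__ == "__main__":
    for bucket, rows in run_example().items():
        print(bucket, [(r.record_id, r.subject_email) for r in rows])
```

Running it puts the expired support ticket and marketing lead in the erase bucket, both orders in the pseudonymized bucket (one because its limit passed, one because its purpose is complete), and sends the unknown "cctv" category and the aged legal hold to review rather than deciding for the controller.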
GDPR in Practice
Data Controllers in organizations must carefully analyze Article 39 to ensure the requirement for minimization of data and storage is met. GDPR is very strict on the timespan for which data is kept, and for what reasons it is being stored. If it serves no purpose as outlined in its original collection, then there is no viable reason to retain it. Therefore, according to GDPR, it must be safely destroyed.
If it is discovered that data is being held for longer than necessary or being stored when there is no longer a use for it, a hefty fine shall be levied against the organization.
If data is being retained for purposes that were not part of the reason for its original collection, then the company might well be subject to GDPR-related fines. The fines are capped at €10-20 million, or 2-4% of the controller’s turnover for the previous financial year. GDPR lays out the limits for fines, but ultimately it is the relevant supervisory authority who decides the penalty for a specific violation.
GDPR outlines some circumstances in which companies may be justified in retaining data, even if the data subject requests that it is destroyed. Data may be kept if it will one day become valuable, and it is in the public’s best interest that it is retained. Data may be stored for extended periods if it is part of an inquiry of a scientific or statistical nature. Similarly, it may be stored if it is part of a historical investigation. In these cases, organizations must clearly show that the data is being retained for these stated purposes.
In practice, the storage of data is a key concern when it comes to data retention. GDPR-compliant businesses may store their data in-house, or outsource it to third-party storage, as long as adequate security measures are in place. Some hard-copy records cannot be stored digitally. Both physical and technical safeguards are necessary to maintain the integrity of the data and ensure that the individual’s privacy is maintained.
Organizations must consider factors such as the cost of storing data, who can access the data and how access to the data will be recorded. New, and potentially expensive, safeguards may need to be installed when it comes to protecting electronic data. Hacking has become a major risk for organizations in many sectors, as sensitive data has a high black-market value. An organization’s data retention policy must clearly state how it stores the data and the safeguards which are in place in order to be GDPR compliant.