After my previous GDPR Subject Access Requests (SARs) blog, you should now be familiar with the new data rights afforded to EU Data Subjects under GDPR and how companies should perform their data inventory and map their data lifecycle. Another step companies may be unaware of is revising their data retention policies in light of GDPR. Important data retention requirements appear in multiple sections of the GDPR, including:
Any processing of personal data should be lawful and fair, yet determining how long a company should keep data is not cut and dried. A company cannot simply say five days, five months, or five years. It must roll up its sleeves, understand its industry and the regulations to which it is subject, and come to terms, realistically, with why it needs to retain personal data. “Longer” is no longer better. Rather, a business risk decision must be made that weighs the benefits of the business processes that use the data against the liabilities and obligations related to GDPR.
Companies that are currently saving as much data as their archives will allow, in case the data becomes useful, valuable, or necessary in the future, should be taking another look. If your company is not keeping the personal data for legal, contractual, regulatory, research, historical, or audit purposes, the data is probably not needed for longer than one year.
When companies consider how long personal data needs to be kept, whether in their live environments or in backups, they should ask themselves the following questions:
If you answered “no” to any of the above, you will need to have a clear rationale documented as to why the data is being retained. To keep this data, your company must agree that the value of your processing activities outweighs the liability of retaining and securing the data.
The need to store data long-term in data archives or backups varies across different types of companies and industries. You must align your backup retention with the requirements you set.
If retention is for these purposes, it must still be accompanied by “appropriate technical and organizational measures” that safeguard the Data Subjects’ rights and freedoms. Pseudonymization is one such safeguard.
Different types of EU Subject Personal Data may require varying retention periods. The nature, scope, and purpose of the data processing an organization performed needs to be documented. Data must also be stored appropriately. For example, credit card data has to be strictly processed through secure methods, whereas customer preferences or date fields may be handled through less strict controls. Generally, the rule is that it is best to store the minimum amount of data possible in order to perform specified tasks or services under the contract.
If you haven’t done so already, start by defining which data will present the greatest risk to the Data Subject if kept beyond its processing shelf life. This will be of greatest risk to your organization should it be kept longer than necessary. Here is where your organization’s data mapping, classification, and inventory efforts will pay off, as you will have already assessed the risk for all of your data as part of that work.
Once you have determined the minimum amount of time your business processes require the data, consider how to ensure your Processors and backup vendors are able to meet your customized retention policies.
You can use OwnBackup to find where personal data is hidden throughout your backup archives, including the attachments it may be hidden within. Whether you determine that you need to keep data for three days, three months, or three years, OwnBackup gives your admins the flexibility to implement a customized retention schedule.
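The decision procedure described above (a per-data-class retention period, a documented purpose and rationale before anything is kept beyond it, and pseudonymization as the safeguard when it is) can be expressed as a small policy check run over backup records. The following is an added, illustrative example and is not OwnBackup's code or any part of its product; the retention periods, data classes, record fields and the sample records are all constructed for the demonstration and are not legal advice on what periods are appropriate.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Retention schedule per data class, in days (constructed sample values, not
# a recommendation). Unclassified data deliberately has no entry, because the
# text's advice is to classify and inventory data before deciding retention.
RETENTION_DAYS: Dict[str, int] = {
    "payment_card": 90,
    "customer_preferences": 365,
    "contact_details": 365,
}

# Purposes the post names as possible grounds for keeping data longer than the
# schedule. Even then the record needs a documented rationale and a safeguard.
EXTENDED_PURPOSES = {"legal", "contractual", "regulatory", "research", "historical", "audit"}


@dataclass
class BackupRecord:
    """One personal-data record found in a backup archive (hypothetical shape)."""
    record_id: str
    data_class: str
    captured_on: date
    purpose: Optional[str] = None    # documented reason for retention past schedule
    rationale: Optional[str] = None  # the written justification itself


def pseudonymize(record_id: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed HMAC-SHA256 token.

    Keying the hash means the token cannot be recomputed by anyone without the
    key, unlike a plain hash of a guessable identifier. The truncated token is
    the constructed convention for this example, not a standard.
    """
    return hmac.new(key, record_id.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def evaluate(record: BackupRecord, today: date, key: bytes) -> Tuple[str, str]:
    """Return (action, identifier_to_store) for one record.

    Actions: 'keep' (inside schedule), 'delete' (past schedule, no grounds),
    'retain_pseudonymized' (past schedule but documented purpose present),
    'review' (data class has no schedule yet, so it must be classified first).
    """
    retention = RETENTION_DAYS.get(record.data_class)
    if retention is None:
        return ("review", record.record_id)
    expires = record.captured_on + timedelta(days=retention)
    if today <= expires:
        return ("keep", record.record_id)
    if record.purpose in EXTENDED_PURPOSES and record.rationale:
        return ("retain_pseudonymized", pseudonymize(record.record_id, key))
    return ("delete", record.record_id)


def apply_retention(records: List[BackupRecord], today: date, key: bytes) -> List[Tuple[str, str, str]]:
    """Evaluate every record; returns (original_id, action, stored_identifier) rows."""
    return [(r.record_id, *evaluate(r, today, key)) for r in records]


# Constructed sample archive, evaluated as of a fixed date so the result is stable.
SAMPLE_KEY = b"constructed-demo-key-do-not-reuse"
SAMPLE_TODAY = date(2018, 6, 1)
SAMPLE_RECORDS = [
    BackupRecord("card-001", "payment_card", date(2018, 4, 1)),
    BackupRecord("card-002", "payment_card", date(2018, 1, 1)),
    BackupRecord("contact-007", "contact_details", date(2017, 1, 1),
                 purpose="audit", rationale="Retained for the 2017 financial audit file."),
    BackupRecord("blob-042", "unknown_attachment", date(2016, 5, 5)),
]

if __name__ == "__main__":
    for original, action, stored in apply_retention(SAMPLE_RECORDS, SAMPLE_TODAY, SAMPLE_KEY):
        print(f"{original:12} {action:22} {stored}")
```

The `review` outcome is the important edge case: a record whose class has no retention entry is neither kept nor deleted automatically, because the post's sequence is classification and inventory first, retention decisions second. The `retain_pseudonymized` branch only fires when both a named purpose and a written rationale are present, mirroring the requirement that retention beyond the schedule be documented and accompanied by a technical safeguard.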
OwnBackup not only allows its customers, Data Controllers under GDPR, to meet their complex, customized retention periods; we are also data partners with them in fulfilling their GDPR obligations. OwnBackup helps its Controller customers meet Data Subject rights, such as the Right to Rectification, Right to Erasure, and Right to Data Portability, as they apply to personal data within backups and archives.
Register for the GDPR Right to be Forgotten - Compliance for your Backups webinar to learn more about defining your customized data retention period.
Visit our website to find out more about OwnBackup’s GDPR data protection solution and find answers to some of the most commonly asked questions that we’ve received at our GDPR webpage.