Organizations that collect or process the personal data of people residing in the EU need to update their retention policy to make sure it is GDPR compliant. What in particular does this entail?
When personal data is collected or processed, its purpose must be clearly explained to the data subject at the time of collection. In addition, the collected data must be “adequate, relevant, and limited to what is necessary in relation to the purposes for which [data] are processed” (Article 5). Under GDPR there is a minimization principle to follow, covering both the amount of personal data stored and how long it is retained.
Data retention, according to Article 5(e), must last only as long as necessary to achieve the purpose for which the data was collected or processed. There are exceptions to this rule, such as when retention is necessary for scientific or historical research, statistical purposes, or other public interest.
Recital 39 of GDPR requires the data controller to establish strict time limits. Data must not be retained longer than is necessary. It is the data controller’s responsibility to review data periodically to make sure data are deleted securely when no longer required. If longer retention is required, the data must be de-identified so that it can no longer be used to identify an individual.
Retention of data also requires security controls that prevent unauthorized access to and use of the data. There must be safeguards that prevent accidental loss, destruction, or damage of data. All data retained must be kept accurate and up to date.
Rules on data retention are important because the longer data is retained, the more likely it is to be out of date or inaccurate. Also, the more data is held in retention, the greater the potential harm to the data subject in the event of a breach.
The GDPR will be in full force on May 25, 2018, after which non-compliance may be severely penalized. Financial penalties of up to 20 million euros or 4% of annual turnover may be issued. If your company does not have a GDPR-compliant data retention policy yet, it’s time to develop one, especially if you retain the personal data of any EU residents. Use the checklist below to create a GDPR data retention policy.
- Identify the data covered by your policies
- Set strict time limits on data retention
- Review the methods used to remove physical data and digital data
- Make sure that you have a system in place for explaining, at the time of collection, how long data will be retained and how it is deleted when no longer required
- Schedule periodic reviews of stored data to check if any information is still required
- Detail in your policy the types of data that may need longer retention
- Delete sensitive data such as sexual orientation, race, beliefs, and health information promptly when no longer required
- Include in your policy the deletion of personal data when an EU resident exercises their right to be forgotten
- State any exceptions to the general rules on data retention, such as federal and state laws, litigation holds, etc.
- Make sure all employees know about your GDPR data retention policy
- Keep proper documentation of your GDPR data retention policy in case regulators need it for an audit or a complaint investigation