In 2016, the Westin Research Center published a series of articles identifying our analysis of the top 10 operational impacts of the European Union’s General Data Protection Regulation. Now, with the May 25, 2018, GDPR implementation deadline looming, the IAPP is releasing a companion series discussing the common practical organizational responses that our members report they are undertaking in anticipation of GDPR implementation.
This fifth installment in the 10-part series addresses the important tasks of keeping records of data processing in compliance with Article 30 of the GDPR and the disciplined destruction of personal data no longer in use. The first four installments of the series on data mapping and inventory, identifying legitimate bases for data processing, building and data governance system, and assessing data processing risks can be found here.
Data retention and destruction
For data retention policies and procedures, we have good news and bad news.
The good news is that the GDPR’s requirements on data retention are, for a change, not complicated or difficult to understand. Indeed, the EU Data Protection Directive and the privacy laws of other countries such as Canada’s PIPEDA have long required that data not be retained or processed longer than the minimum necessary. The GDPR’s data retention requirements merely implement the use limitation principle of the traditional Fair Information Practices: Keep personal data only so long as necessary to fulfill the original basis for collecting and processing it — and no longer.
The bad news is that actually following through on this requirement and deleting personal data is one of the most difficult tasks an organization may attempt and many organizations are already woefully out of compliance with current privacy laws. After all, it is human nature to hoard and save in case something may be useful, valuable, or necessary later. Information —especially the personal data of former customers who may become future customers — is inherently valuable to an organization. Moreover, what are the chances of getting caught? Enforcement actions are rarely brought merely on an organization’s excessive data retention practices; that is, unless they are discovered following a security breach.
The GDPR commands that these hoarding instincts be overcome.
Article 5 sets forth the general principles applicable to personal data processing and commands, under 5(1)(e), that personal data “be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” Logically, prolonged storage is permitted if the data is anonymized and thus no longer “permits identification” of a data subject.
Noncompliance with Article 5 triggers potential administrative fines up to 20,000,000 Euro or four percent of global annual turnover.
Organizations that have failed to routinely purge personal data that is no longer being processed for its original purpose will struggle mightily to meet the Article 5 retention restrictions by the May 25 GDPR implementation deadline. Wholesale data destruction efforts might compromise systems if data is kept in an unstructured format and even structured data can be difficult to delete. Many commercial customer relations management (often called CRM) systems are not set up to allow for complete destruction of records, requiring that fields be written over with anonymizing text rather than deleted altogether. This is incredibly time consuming and for many organizations will require additional headcount – or at least overtime – to complete data erasure by the deadline. Indeed, for commercial CRMs – like Salesforce, for example – format changes (a classic opportunity for privacy by design) may be required in the future to help controller clients more easily meet data destruction requirements under the GDPR.
Until then, organizations will be in triage mode. This requires identifying which personal data will present the greatest risk to the data subject if kept beyond its processing shelf life, and by extension will be of greatest risk to the organization should its unlawful retention be discovered. Here, the organization’s data mapping and inventory efforts will pay off, as data should already have been risk-rated in that process.
It’s also crucial to refer to the lawful basis assigned to the original processing because that will help determine whether processing is still being pursued on that basis, or whether such basis has expired. Although Article 5(1)(e)’s data retention language references the expiration of the “purposes for which personal data are processed,” and Article 6 discusses the lawfulness of processing generally, it is logical to connect the processing “purpose” to its “basis” as those terms are often cross-referenced in Article 6 (e.g. “the purpose of the processing shall be determined in that legal basis,” or “the processing is necessary for the purposes of the legitimate interests of the controller”).
The organization’s privacy lead must also implement a data retention policy (or amend the existing one) along with its cousin, a data destruction policy, to provide guidance around when and how data is to be deleted and/or destroyed (i.e. when data processing purposes expire for each category of personal data). These policies may be combined, but at a minimum should be referenced in the Article 30 data processing records, discussed below. Such policies will be meaningless, however, unless the highest levels of management are consulted and convinced to support them. The privacy lead or team may draft such polices, but many people within the organization are likely to be involved in complying with them, from the information technology team to customer relations staff. Reliable tools for easing this process – personal data search and discovery, for example – are presently difficult to find and many organizations will have to tediously and manually track down records that are ripe for destruction or anonymization.
The GDPR allows for secondary data processing and for longer data retention in the following circumstances: (a) for archiving purposes in the public interest; and (b) for scientific or historical research purposes or statistical purposes. If retention is for these purposes, it must still be accompanied by “appropriate technical and organisational measures” to safeguard the data subjects’ rights and freedoms. Psuedonymization is one such safeguard.
Article 30 record-keeping requirements
Article 30 of the GDPR requires controllers, processors, and their representatives (where applicable) to maintain records of their data processing activities.
For organizations facing data protection laws for the first time, the Article 30 requirements are new and can seem daunting. Organizations operating under their member state’s implementation of the EU Data Protection Directive, however, will find Article 30’s requirements familiar territory because they mimic many of the Directive’s notice and filing responsibilities. Under the U.K.’s Data Protection Act, for example, organizations processing personal data must register— or “notify” — with the Information Commissioner’s Office. The Belgian data protection authority has similar obligations, setting forth a list of required notification information similar to Article 30’s requirements. Indeed, Belgium’s DPA recently published guidelines for Article 30 compliance suggesting notification compliance should be leveraged for Article 30 record-keeping compliance.
The GDPR lifts the Directive’s notification obligations but requires that records kept under Article 30 shall be available to supervisory authorities upon their request.
Much of the information Article 30 requires should have been gathered during the data mapping and inventory process. Indeed, it is possible to combine the efforts, although Article 30 records do not necessarily cover all the requirements a proper mapping and inventory exercise will require. For example, Article 30 mandates that controllers keep records of processing activities along with:
- The name and contact information of the controller, joint controller, the representative where applicable, and the data protection officer.
- The purposes of the processing.
- A description of the categories of data subjects and categories of personal data.
- Categories of recipients to whom the data are or will be disclosed including those in third countries.
- Information on transfers to third countries or international organizations and documentation of suitable safeguards for the transfer. Retention or erasure time limits for categories of data.
- A description of the Article 32(1) technical and organization security measures deployed.
Missing from these required records is an assignment of the lawful basis for processing for each category of personal data and many other GDPR requirements. Thus, relying exclusively on Article 30 recordkeeping requirements may leave an organization without a documented picture of GDPR compliance.
The ICO, for example, recommends that so long as an organization is creating documentation under Article 30, it might also consider adding fields in the records for not only lawful basis, but also records of consent, contracts with processors, data protection impact assessment reports, location of personal data, and even references to security incidents or data breaches. The ICO has developed templates for data controllers and data processors that contain these additional optional fields and that can double as Article 30 reports. The IAPP 2017 Privacy Tech Vendor report also describes commercial tools available to assist companies with Article 30 compliance.
Because Article 30 reports are subject to a regulator’s review upon demand, keeping too much information in one place may not be advisable in all cases. It may depend, as well, on who has control over the Article 30 records. A crowd-sourced document such a shared file that many people throughout the organization can update may have the benefit of capturing new data processing activities quickly and efficiently, but it may also contribute to record-keeping errors or misinformation. A field for “data breach” as recommended by the ICO could have legal consequences, so care should be taken in completing that field. Thus, a data inventory and mapping tool, or even a comprehensive record of data processing activities, lawful basis assignment, and security incident tracking may best be controlled by a trained privacy leader or team, and may not be the same document as the Article 30 report. Each organization must decide this for itself.
Article 30’s SME exemption
The final version of the GDPR has few carve-outs for companies with fewer than 250 employees – the consummate “small- and medium-sized enterprises,” or SMEs. For the most part SMEs must comply with the GDPR just as large organizations do.
Article 30 offers the one explicit exception. Under subsection 5, controllers and processors “employing fewer than 250 persons” are not obliged to keep records unless their processing:
- Is likely to result in a risk to the rights and freedoms of data subjects.
- Is not occasional.
- Includes special categories of personal data under Article 9(1) or criminal conviction and offences data under Article 10.
For those SMEs hoping to simply ignore Article 30, a note of caution: Any SME already feeling obliged to comply with the GDPR is likely processing data more than “occasionally.” Moreover, DPAs such as the Belgian Privacy Commissioner advise keeping records anyway, if not obliged by Article 30.
Conclusion
It is well known, now, that the GDPR takes a risk-based approach to data protection. Strict data retention policies and practices are not only required under the GDPR, they are also crucial risk-mitigation tools, for data that has been deleted, destroyed and/or anonymized is no longer vulnerable to breach and cannot, therefore, put the organization who processed it in the position of violating the rights and freedoms of data subject. Adopting routine data destruction habits can also lead to good lawful basis hygiene as well, for it encourages each processing activity to have a single and independent basis, that must be assigned each time a data subject stops and starts again as an organization’s customer.
Having a sound sense of what data is processed for what purpose, where and with whom it is shared, and other key information required to be recorded under Article 30, will help an organization keep track of its data practices including in maintaining retention schedules. Whether Article 30 records serve as comprehensive maps of an organization’s data processing, risk assessment, vendor contracting, and breach response activities is of course up to each organization and its DPO. But at least adaptable tools and templates are now available to help with the process.
photo credit: whizchickenonabun apartment for rent via photopin (license)