In 2016, the Westin Research Center published a series of articles identifying our analysis of the here.
Data retention and destruction
For data retention policies and procedures, we have good news and bad news.
The good news is that the GDPR’s requirements on data retention are, for a change, not complicated or difficult to understand. Indeed, the EU Data Protection Directive and the privacy laws of other countries, such as Canada’s PIPEDA, have long required that data not be retained or processed longer than the minimum necessary. The GDPR’s data retention requirements merely implement the traditional use limitation principle. Article 5 sets forth the general principles applicable to personal data processing and commands, under 5(1)(e), that personal data “be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” Logically, prolonged storage is permitted if the data is anonymized and thus no longer “permits identification” of a data subject.
Noncompliance with Article 5 triggers potential administrative fines up to 20,000,000 Euro or four percent of global annual turnover.
Organizations that have failed to routinely purge personal data that is no longer being processed for its original purpose will struggle mightily to meet the Article 5 retention restrictions by the May 25 GDPR implementation deadline. Wholesale data destruction efforts might compromise systems if data is kept in an unstructured format, and even structured data can be difficult to delete. Many commercial customer relationship management (often called CRM) systems are not set up to allow for complete destruction of records, requiring that fields be overwritten with anonymizing text rather than deleted altogether. This is incredibly time consuming, and for many organizations it will require additional headcount – or at least overtime – to complete data erasure by the deadline. Indeed, for commercial CRMs – like Salesforce, for example – format changes (a classic opportunity for data mapping and inventory efforts will pay off, as data should already have been risk-rated in that process.
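The two mechanisms described above, hard deletion where the system allows it and overwriting identifying fields where it does not, are easy to get wrong when done by hand across many records. The following Python sweep is an added example, not code from the original article or from any CRM vendor: the retention schedule, the list of identifying fields, the record layout and the sample rows are all constructed for illustration. It applies a per-category retention limit, deletes or anonymizes expired records depending on what the store supports, keeps an audit log of what it did, and then checks that no expired record still carries an identifier.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule (constructed values, not taken from the
# GDPR or any regulator): days a record may be kept after the last processing
# activity for its original purpose.
RETENTION_DAYS = {
    "marketing_lead": 365,
    "customer_account": 6 * 365,
}

# Fields that "permit identification" of a data subject. Once these are
# overwritten, prolonged storage of the remaining non-identifying fields is
# consistent with the Article 5(1)(e) storage limitation reading above.
IDENTIFYING_FIELDS = ("name", "email", "phone", "postal_address")
ERASED = "[ERASED]"
SWEEP_DATE = date(2018, 5, 25)  # the GDPR implementation date mentioned above


@dataclass
class Record:
    record_id: str
    category: str
    last_processed: date
    fields: dict
    anonymized: bool = False


def is_expired(record: Record, today: date) -> bool:
    """True once the record is past its category's retention limit."""
    limit = timedelta(days=RETENTION_DAYS[record.category])
    return today > record.last_processed + limit


def anonymize_in_place(record: Record) -> Record:
    """Overwrite identifying fields, as CRMs that cannot hard-delete require."""
    for name in IDENTIFYING_FIELDS:
        if name in record.fields:
            record.fields[name] = ERASED
    record.anonymized = True
    return record


def retention_sweep(records, today: date, supports_delete: bool):
    """Apply the schedule. Returns (kept_records, audit_log); the audit log
    lists (record_id, action) pairs so the run can be evidenced later."""
    kept, audit = [], []
    for rec in records:
        if not is_expired(rec, today):
            kept.append(rec)
            audit.append((rec.record_id, "retained"))
        elif supports_delete:
            audit.append((rec.record_id, "deleted"))  # dropped from the store
        else:
            kept.append(anonymize_in_place(rec))
            audit.append((rec.record_id, "anonymized"))
    return kept, audit


def verify_no_expired_identifiers(kept, today: date) -> bool:
    """Post-sweep check: no expired record still carries an identifying value."""
    for rec in kept:
        if is_expired(rec, today):
            if not rec.anonymized:
                return False
            if any(rec.fields.get(f, ERASED) != ERASED for f in IDENTIFYING_FIELDS):
                return False
    return True


def sample_records():
    """Constructed CRM rows for the demonstration (not real data)."""
    return [
        Record("L-001", "marketing_lead", date(2016, 12, 1),
               {"name": "A. Example", "email": "a@example.invalid", "segment": "SMB"}),
        Record("C-001", "customer_account", date(2011, 1, 10),
               {"name": "B. Example", "phone": "+00 000 0000", "plan": "basic"}),
        Record("C-002", "customer_account", date(2017, 11, 30),
               {"name": "C. Example", "email": "c@example.invalid", "plan": "pro"}),
    ]


if __name__ == "__main__":
    # A store that cannot hard-delete: expired rows are overwritten instead.
    kept, audit = retention_sweep(sample_records(), SWEEP_DATE, supports_delete=False)
    for entry in audit:
        print(entry)
    print("no expired identifiers left:", verify_no_expired_identifiers(kept, SWEEP_DATE))
```

The audit log is the part a practitioner should not skip: a retention policy is only defensible if you can later show which records were purged or anonymized, when, and under which schedule, and the final verification step catches the common failure where a record is marked as processed but an identifying field was missed.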
It’s also crucial to put in place a data retention policy (or amend the existing one) along with its cousin, a record of processing activities. Article 30 of the GDPR requires controllers, processors, and their representatives (where applicable) to maintain records of their data processing activities.
For organizations facing data protection laws for the first time, the Article 30 requirements are new and can seem daunting. Organizations operating under their member state’s implementation of the EU Data Protection Directive, however, will find Article 30’s requirements familiar territory because they mimic many of the Directive’s notice and filing responsibilities. Under the U.K.’s Data Protection Act, for example, organizations processing personal data must register – or “notify” – with the Information Commissioner’s Office. The Belgian data protection authority imposes similar obligations, setting forth a list of required notification information similar to Article 30’s requirements. Indeed, Belgium’s DPA recently published guidelines for Article 30 compliance suggesting that notification compliance should be leveraged for Article 30 record-keeping compliance.
The GDPR lifts the Directive’s notification obligations but requires that records kept under Article 30 be made available to supervisory authorities upon request.
Much of the information Article 30 requires should have been gathered during the data mapping and inventory process. Indeed, it is possible to combine the efforts, although Article 30 records do not necessarily cover everything a proper mapping and inventory exercise will require. For example, Article 30 mandates that controllers keep records of processing activities that include:
- The name and contact information of the controller, joint controller, the representative where applicable, and the data protection officer.
- The purposes of the processing.
- A description of the categories of data subjects and categories of personal data.
- Categories of recipients to whom the data are or will be disclosed including those in third countries.
- Information on transfers to third countries or international organizations and documentation of suitable safeguards for the transfer.
- Retention or erasure time limits for categories of data.
- A description of the Article 32(1) technical and organizational security measures deployed.
Missing from these required records is an assignment of the lawful basis for processing for each category of personal data, along with many other GDPR requirements. Thus, relying exclusively on Article 30 recordkeeping may leave an organization without a documented picture of its GDPR compliance.
The ICO, for example, recommends that so long as an organization is creating documentation under Article 30, it might also consider adding fields in the records not only for lawful basis, but also for records of consent and contracts with processors. The ICO’s documentation templates for data controllers and data processors contain these additional optional fields and can double as Article 30 reports. The Belgian Privacy Commissioner advises keeping records anyway, even where an organization is not obliged to by Article 30.
Conclusion
It is well known, now, that the GDPR takes a