The determination of the data retention periods applicable to the different categories of processed personal data is a difficult quiz to solve under the GDPR.
You can review my video in Italian on the topic below and/or read the more detailed article on the topic:
Same data minimization principle, but more transparency and risks
The obligation to store personal data for a period that is not longer than the one necessary for the purposes of the data processing is a principle already prescribed under the existing EU Privacy Directive 95/46. However, such principle is now placed in the regulatory framework introduced by the European General Data Protection Regulation (GDPR) which not only provides for considerably higher sanctions, but, among others, requires to expressly specify
“the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period”
in the privacy information notice. Therefore, data controllers will have to explicit such period towards their customers, employees, and vendors.
Also, given the notification obligations applicable in case of data breaches, it would be difficult to justify a data breach in relation to personal data that was meant to be already erased. In this scenario, the risk of potential sanctions and claims from individuals would become even more relevant.
Such circumstances require a new approach to data retention obligations. But this change is happening during a period when there is a general tendency to collect as much data as possible since there is no culture of the risks associated to potential privacy breaches and because with the technological evolution, new ways of exploiting data might be identified. Indeed, most of our clients either had no data retention policy in place or they were not fully complying with it.
How to determine the relevant data retention period under the GDPR?
First of all, there is no single solution that fits all. The applicable data retention period changes not only depending on the type of personal data and the purposes of the processing, but also on the type of business in which the company operates.
The prior decisions from the data protection authorities on the applicable data retention periods can be of support, but they cannot be considered binding under the GDPR. This is because they were issued under different regulations and because the main goal of the EU General Data Protection Regulation is to ensure consistency across the EU Member States.
Also, the GDPR does not provide for a system of prior approval by the competent privacy authority because the prior consultation provided by the GDPR is meant to be performed only
“Where a data protection impact assessment indicates that the processing would, in the absence of safeguards, security measures and mechanisms to mitigate the risk, result in a high risk to the rights and freedoms of natural persons and the controller is of the opinion that the risk cannot be mitigated by reasonable means in terms of available technologies and costs of implementation”.
Therefore, it is not possible to have a confirmation of the correctness of the followed approach by the data protection regulation. In compliance with the so-called “risk-based approach” which is the basis of the accountability principle, data controllers shall determine the applicable data retention periods, also indicating in their accountability program the criteria that were followed in such determination. This is because, in a potential privacy audit, companies shall be able to justify the data retention periods that have been adopted.
How to ensure that data retention periods are complied with?
Once data retention periods have been determined, this is only half of the required effort. It is necessary to put in place also the technical and organizational measures necessary to ensure that the company can timely comply with such terms in relation to the processed personal data.
The manual management of data might be sufficient with small companies and in general companies that do not manage large databases. However, in other scenarios, it is necessary to adopt a data management system which enables to track data and ensure their erasure (or their limitation of processing, if data can still be used for other purposes) at the expiry of the applicable period.
Such data management system is also necessary to ensure compliance for instance with data portability requests and to manage data breaches. Therefore, it can be considered as one of those requirements that are not expressly indicated in the GDPR but are necessary to comply with its principles.
Do you share my interpretation? What is your view on the above? If you found this article interesting please share it on your favorite social media.