There are numerous real-life situations where data removal should be executed. A simple “Right to be forgotten” request can put a spin on your compliance journey in a matter of seconds.
When you are obligated to delete personal data, the challenges range from defining data retention and data deletion schedules to locating the data and orchestrating and automating the deletion.
What is Data Retention?
Data retention refers to keeping or storing the organization’s data for different purposes such as everyday business operations, demonstrating compliance with the supervisory authority, or complying with a particular law.
The data retention period is defined at a reasonable level of granularity, usually per processing activity or per data category, and states how long the personal data may be stored after the original business purpose is no longer a lawful basis for processing it.
Automation of Data Retention
It all starts with the implementation of the GDPR requirements around Personal Data Lifecycle Management.
If your organization is processing large volumes of personal data, we advise you to automate most aspects of Personal Data Lifecycle Management, to mitigate the risk of non-compliance and reduce manual labor. This includes the removal of personal data.
Removal of personal data needs to be in line with your data retention policy because a set of personal data needs to be removed when the data retention period for that data set has expired.
Struggles with the automation of personal data removal can usually be attributed to the complexity of the Regulation's requirements and the need to understand both the legal and the data aspects of the GDPR.
Contributing to the problem is the fact that the GDPR does not say how to operationalize the process, so organizations are left to design the operational procedure themselves.
Also, most Enterprises today have complex heterogeneous IT environments, collecting large volumes of data in different structures. It is not uncommon for an organization to have a hybrid data environment, including Cloud and on-premise applications and/or data storage systems.
Furthermore, the personal data processed by the Organization come in different structures, including structured data (e.g., relational databases), semi-structured data (e.g., XML and JSON documents in NoSQL databases), and unstructured data (e.g., free-text content originating from social networks, health records, audio, video, etc.).
Operationalization of Data Removal
The DPO needs to ensure the organization implements measures that allow only the processing of personal data that relies on a clear lawful basis.
The measures need to include personal data removal after the expiry of the data retention period.
Any processing of personal data after the expiry of the data retention period is illegal, and the organization would be in violation of the GDPR with an increased risk of fines.
Another factor contributing to the complexity is the fact that most data retention periods are defined as an absolute period (e.g., two years).
Each Data Subject’s personal data set processed by the Organization may have a different expiry date depending on the moment when the Organization acquired that personal data set.
While the data retention period is defined for each processing activity, the expiry date needs to be dynamically calculated for each personal data set (data removal schedule).
A personal data set describes a data subject, and its expiry date is tied to the business process, which can consist of multiple processing activities.
Example of Data Removal Operationalization
An example of a business process is a home loan contract in a Bank.
When a Customer (Data Subject) signs a home loan contract with the Bank (Data Controller), his/her personal data are collected and processed in several processing activities, depending on the data flow of a home loan business process.
Usually, in this process, the data subject's personal data will be processed at least for the creation of a personal account in the bank's IT systems (e.g., the bank's core system, CRM system, etc.), the Bank's regulatory obligations (e.g., reporting to the National Bank), internal reporting (e.g., the Bank's financial reporting), and risk assessment.
Each of these processing activities may process personal data in different systems, and the amount of personal data included in processing may vary depending on the purpose of the processing.
Since the processing is done for different purposes and under different lawful bases, these processing activities also have different data retention periods.
GDPR-compliant processing of personal data takes place while the home loan contract between the data subject and the bank is active, since the data subject's personal data is needed for day-to-day operations (invoicing, dunning, reporting, etc.).
However, when the contract becomes inactive due to contract expiry or cancellation, the data removal date needs to be calculated for the personal data set related to that particular contract.
Any further processing of any personal data after the removal date is illegal because the lawful basis for the processing of that specific data does not exist anymore.
At the moment of contract expiry, some personal data will need to be removed immediately from specific systems (e.g., data processing for the purpose of internal bank reporting, invoicing, marketing), and some data will be kept for the defined data retention period (e.g., 11 years for financial records due to a banking regulation).
Effectively, the Bank needs a Data Retention schedule and a Data Removal schedule as part of the data removal implementation.
The data removal schedule is a list of data with the following information:
- data subject identifier(s),
- processing activities and purposes,
- systems and location of the data,
- data categories and data types,
- when the processing must be stopped and the data must be removed permanently.
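As an added illustration of the home loan example above (this is not code from the original article), the following Python computes the data removal schedule: each processing activity carries its own retention period counted from the day the contract becomes inactive, and the schedule lists subject identifier, activity, system, data categories and removal date. The activity names, systems, data categories and the `cust-0001` identifier are constructed sample values; the 11-year retention for financial records is taken from the article.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ProcessingActivity:
    name: str              # processing activity and its purpose
    system: str            # where the data lives (needed by the removal job)
    data_categories: tuple  # which personal data categories are held there
    retention_years: int   # 0 = remove immediately when the contract ends


# Constructed sample activities for a home loan process (not real bank systems).
HOME_LOAN_ACTIVITIES = (
    ProcessingActivity("invoicing", "core-banking", ("name", "account_no", "address"), 0),
    ProcessingActivity("marketing", "CRM", ("name", "email", "phone"), 0),
    ProcessingActivity("internal-reporting", "data-warehouse", ("account_no", "loan_balance"), 0),
    # Financial records kept 11 years under banking regulation (per the article's example).
    ProcessingActivity("regulatory-reporting", "regulatory-archive",
                       ("name", "account_no", "loan_balance"), 11),
)


def add_years(d, years):
    """Add calendar years; a 29 February anniversary falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def build_removal_schedule(subject_id, contract_end, activities=HOME_LOAN_ACTIVITIES):
    """One schedule entry per processing activity: who, what, where, and by when it must be gone."""
    return [
        {
            "subject_id": subject_id,
            "activity": a.name,
            "system": a.system,
            "data_categories": a.data_categories,
            "removal_date": add_years(contract_end, a.retention_years),
        }
        for a in activities
    ]


def due_for_removal(schedule, today):
    """Entries whose removal date has been reached: no lawful basis remains for further processing."""
    return [e for e in schedule if e["removal_date"] <= today]


def systems_to_purge(schedule, today):
    """Distinct systems the removal job must act on today, sorted for stable job ordering."""
    return sorted({e["system"] for e in due_for_removal(schedule, today)})
```

Feeding the schedule a real contract-end event (expiry or cancellation) gives the downstream removal job both the list of systems to act on now and the entries that must wait for their regulatory retention period to run out.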
Moving away from the Bank example, the same principles apply to every Organization processing personal data.
Once the organization implements the process for continuous and automatic calculation of data retention and data removal schedules, then downstream processes for data removal can further be automated.
It is important to note that the data removal schedule needs to include technical information about the location of data in the Organization’s systems.