Data removal or data erasure is triggered by the expiry of the data retention period. When the data retention period expires, any further processing of the data by the Organization becomes illegal.
Data retention refers to keeping or storing the Organization’s data for different purposes such as everyday business operations, demonstrating compliance with the supervisory authority, or complying with a particular law.
In order to minimize the risk of non-compliance, once the data retention period expires, the organization must remove personal data from its systems.
Data removal is executed either by deleting the data or, more often, by anonymizing identifiable data.
In order to schedule data removal in a compliant way, the prerequisite is to keep compliant records of processing activities and to have a 360° view of the Data Subject personal data processing.
We have talked about new challenges arising from keeping a compliant ROPA (Record of processing activities) in real-life situations.
Collected data sets are going to go through the typical personal data lifecycle journey.
The journey ends with data destruction in the form of anonymization or deletion.
To be able to go through this entire journey completely compliant, there are specific steps you need to take. This time we will be focusing on requirements for GDPR compliant personal data erasure, that involves:
- keeping compliant records of processing activities
- defining the purpose of data processing
- and the lawful basis for data processing
Compliant Records of processing activities
If you are a DPO, you already know that the Records of processing activities should represent documentation of all activities around personal data processing within your Organization.
As it is described in Article 30, that includes some of the following;
- WHO is processing the data: the name of the Data Controller and, where applicable, the joint controller, the controller’s representative, and the DPO;
- a description of the processing, explaining HOW the Organization is processing personal data
- the purpose of processing explaining WHY the Organization is processing personal data
- a description of the categories of data subjects and the categories of personal data;
- the categories of recipients to WHOM the personal data have been or will be disclosed
- For HOW LONG do you need to keep the data after the initial processing purpose expiry
However, having control over technical execution is far more complicated. As a DPO, you need to be able to understand and monitor how data retention and data erasure policies are put into practice.
The Purpose of Processing Activities
Defining the purpose of the processing activities is one of the mandatory requirements for keeping compliant records of processing activities.
The purpose is always connected to a business process, either administrative, regulatory, or related to the core business.
Answering the question of why you are processing personal data calls out for the next important question; what lawful basis do you rely on when processing personal data?
The Lawful Basis for Processing
As you already know, there can only be 6 possible lawful bases for personal data processing;
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interests
Organizations need to conduct an assessment to specify the lawful basis for processing, and the result must be one clear and documented lawful basis for every processing activity.
You must take measures to ensure that you do not process personal data without a lawful basis.
It may seem like we are deterring from the topic, but it is important to notice
One of the key pieces of information that you need to define in order to have a compliant ROPA is a data retention period for each processing activity.
Requirements for compliant data erasure:
- Compliant Records of processing activities
- Defining the purpose of processing activities
- Defining the lawful basis