Organizations today produce, share, collect and process more data than ever, from many sources and channels and from customers, employees, partners, and vendors.
Some of that information organizations are obliged by various laws and regulations to collect and keep for years, or even a decade.
Data retention obligations vary from country to country, adding to the complexity of the legal landscape that prescribes how long organizations should store and keep data, when to remove data (delete or anonymize), and when to keep data in view of litigation.
According to filerskeepers, in every country in which you are established there are at least 50 specific retention periods applicable to the personal data you collect and store.
Additionally, identifying data retention policies can be a very extensive task, and having a policy is not the same as having that policy implemented in your systems and applied to your datasets.
With the advancement of technology, there are cost-effective and elegant solutions that can ease navigating through data retention obligations.
What is a data retention policy?
A data retention policy is a set of guidelines and rules that regulates how long the organization keeps or stores data for different purposes, such as everyday business operations, demonstrating compliance to the supervisory authority, or complying with a particular law, and how data deletion is orchestrated once that period ends.
Organizations have to ensure that their data retention policies are compliant with all applicable data retention laws and demonstrate they are able to delete and retain personal data according to specific regulatory requirements or laws.
Aside from the General Data Protection Regulation (GDPR), several new privacy regulations address data retention requirements, which instruct organizations to only hold essential and critical data, eliminate personal data that is no longer in use, and be able to demonstrate compliance and justify the retention and deletion periods.
Data retention and GDPR
As mentioned before, privacy laws and data retention are closely intertwined. However, privacy laws such as the GDPR often prescribe only general requirements, like an obligation to justify the storage of data and to implement data deletion policies.
The GDPR introduces the storage limitation principle, which stipulates that personal data should be kept for no longer than is necessary for the purposes for which the personal data are processed, but that is as specific as it gets.
That is why data protection authorities have refined these generic rules and issued guidelines for certain categories of data, and why sector-specific laws prescribe retention periods for the personal data collected under them.
However, where there are no guidelines, it is up to companies to determine for how long they should keep data and identify the data retention period for each specific purpose.
Keep in mind that GDPR also requires you to set standard retention periods, wherever possible, to comply with documentation requirements.
Defining data retention policy
With all that said, you will need to consider the following:
- Specific laws of each country in which you are established. For example, tax laws or employment laws define how long you need to keep certain data
- DPA guidelines on data retention for certain categories of data
- Retention periods you define yourself, for each specific purpose that is not covered by laws or guidelines
The question remains, how to scan all applicable laws and successfully track any changes and updates that may occur? And, more importantly, how to apply those rules to your systems?
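Applying a retention schedule to data means combining every applicable rule per record category and jurisdiction (the longest legal minimum and the shortest legal maximum both bind), choosing a period inside that window, and then disposing of records by deleting or anonymizing them, unless a litigation hold applies. The following Python is an added example written for this article; it is not code from Data Privacy Manager or filerskeepers, and every retention period, jurisdiction code and legal reference in it is an invented placeholder, not a real statutory value.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class RetentionRule:
    """One rule for a record category in one jurisdiction.
    min_days: the law obliges you to keep the record at least this long.
    max_days: the law or a DPA guideline forbids keeping it longer (None = no cap).
    source:   the legal reference the obligation comes from (hypothetical here).
    """
    min_days: int
    max_days: Optional[int]
    source: str


# Constructed schedule keyed by (jurisdiction, category). All values are
# illustrative placeholders invented for this example, not real law.
SCHEDULE: Dict[Tuple[str, str], RetentionRule] = {
    ("NL", "invoice"): RetentionRule(7 * 365, None, "hypothetical NL tax act"),
    ("DE", "invoice"): RetentionRule(10 * 365, None, "hypothetical DE commercial code"),
    ("NL", "applicant_cv"): RetentionRule(0, 28, "hypothetical NL DPA recruitment guideline"),
    ("DE", "applicant_cv"): RetentionRule(0, 180, "hypothetical DE DPA recruitment guideline"),
    ("XX", "applicant_cv"): RetentionRule(60, None, "hypothetical XX evidence-keeping rule"),
    ("NL", "support_ticket"): RetentionRule(0, 2 * 365, "hypothetical NL DPA guideline"),
}

# What happens at the end of the period: erase, or strip identifiers so the
# record can be kept for statistics without personal data.
DISPOSAL = {"invoice": "delete", "applicant_cv": "delete", "support_ticket": "anonymize"}


@dataclass(frozen=True)
class Decision:
    days: int
    basis: str            # "legal minimum", "legal maximum" or "business purpose"
    sources: Tuple[str, ...]


def legal_window(category: str, jurisdictions: Iterable[str]):
    """Combine every applicable rule: longest minimum and shortest maximum win."""
    rules = [SCHEDULE[(j, category)] for j in jurisdictions]
    floor = max(r.min_days for r in rules)
    caps = [r.max_days for r in rules if r.max_days is not None]
    ceiling = min(caps) if caps else None
    if ceiling is not None and floor > ceiling:
        # A rule forces you to keep what another rule forces you to delete:
        # this needs a legal decision, not a silent default.
        raise ValueError(f"conflicting obligations for {category}: keep {floor} days "
                         f"but delete after {ceiling} days ({[r.source for r in rules]})")
    return floor, ceiling, tuple(r.source for r in rules)


def choose_period(category: str, jurisdictions: Iterable[str], business_days: int) -> Decision:
    """Pick the period applied to a system or document category.
    business_days is the period the organization documented as necessary for its
    purpose; it is used only if it sits inside the legal window."""
    floor, ceiling, sources = legal_window(category, jurisdictions)
    if business_days < floor:
        return Decision(floor, "legal minimum", sources)
    if ceiling is not None and business_days > ceiling:
        return Decision(ceiling, "legal maximum", sources)
    return Decision(business_days, "business purpose", sources)


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    jurisdictions: Tuple[str, ...]
    created: date
    legal_hold: bool = False   # preserved for litigation; overrides deletion


def disposition(record: Record, business_days: int, today: date) -> str:
    """Return "hold", "retain", "delete" or "anonymize" for one record on a given day."""
    if record.legal_hold:
        return "hold"
    decision = choose_period(record.category, record.jurisdictions, business_days)
    expires = record.created + timedelta(days=decision.days)
    return "retain" if today < expires else DISPOSAL[record.category]


# Constructed sample records and business-purpose periods.
BUSINESS_DAYS = {"invoice": 5 * 365, "applicant_cv": 90, "support_ticket": 365}
SAMPLE_RECORDS = [
    Record("inv-1", "invoice", ("NL", "DE"), date(2013, 1, 1)),
    Record("cv-1", "applicant_cv", ("NL", "DE"), date(2024, 4, 1)),
    Record("cv-2", "applicant_cv", ("NL", "DE"), date(2024, 4, 1), legal_hold=True),
    Record("cv-3", "applicant_cv", ("NL", "DE"), date(2024, 5, 20)),
    Record("tkt-1", "support_ticket", ("NL",), date(2021, 1, 1)),
]


def sample_dispositions(today: date = date(2024, 6, 1)) -> Dict[str, str]:
    """Run the schedule over the sample set and report the action per record."""
    return {r.record_id: disposition(r, BUSINESS_DAYS[r.category], today) for r in SAMPLE_RECORDS}


if __name__ == "__main__":
    for rec_id, action in sample_dispositions().items():
        print(rec_id, action)
```

The interesting cases are the ones a spreadsheet policy tends to miss: the invoice kept for the German ten-year minimum even though the Dutch rule and the business purpose would allow less, the applicant CV capped at the strictest DPA guideline rather than the business's 90 days, the legal hold that blocks deletion regardless of the schedule, and the constructed conflict for jurisdiction XX, where a minimum exceeds another jurisdiction's maximum and the code refuses to pick a period on its own.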
filerskeepers' records retention schedules
Trying to identify all data retention obligations that apply to your business could require considerable resources, consultants, or lawyers.
That is why it can be indispensable to have a data retention schedule database that you can access and check at any time, that is simple and actionable, and that you can trust to be up to date.
filerskeepers (FK) is a database of records retention schedules, built by reading all the relevant laws and regulations in search of records retention obligations and statutory limitation periods.
It currently covers 235 countries, with more than 229,525 retention periods researched, an average of 977 retention periods per country.
FK explains who should store data, what data should be stored, for how long, and from which legal source the obligation originates (the legal reference). filerskeepers data retention schedules include all legal and regulatory rules that prescribe or inform the storage and deletion of data or records:
from tax records to medical records, from Human Resources to payroll, from statutory limitations to privacy laws, and from regulatory to environmental retention periods.
Automation with DPM
Once you have defined data retention policies with the help of filerskeepers, the next challenge is implementing those policies on your datasets and automating the entire process.
This is where technology steps in. When Data Privacy Manager is paired with filerskeepers, it lets companies decide which retention period to apply per system or document category, by showing the legal minimum and maximum retention periods applicable in the countries relevant to the user.
filerskeepers works as a Data Privacy Manager add-on that allows you to:
- Swiftly identify data retention schedules of hundreds of countries across any industry
- Save time and resources searching different sources to identify which rules apply in each relevant jurisdiction
- Record what data to store and the retention period for that data
- Demonstrate compliance with data retention obligations by enforcing the decisions made within the legal framework down at the data level
- Know when personal data needs to be deleted and how long you need to store it
- Comply with the GDPR and storage limitation principle
The DPM integration with FK allows DPM customers to purchase FK subscriptions for a single country, multiple countries, or all countries.