The operationalization of data removal is one of the most pressing challenges today, and for a reason.
To conduct GDPR-compliant data removal, the Data Protection Officer (DPO) needs to know where data is stored and have real insight into the technical and business implications of data removal.
While organizations have been busy collecting consents and putting together compliant records of processing activities, data removal has remained overlooked or postponed.
It is important to note that data removal is closely tied to your data retention policies.
So let’s start with data retention.
Data retention and Data removal
Data retention refers to keeping or storing personal data for different purposes such as everyday business operations, demonstrating compliance with the supervisory authority, or complying with a particular law.
Your organization collects data from employees, job applicants, clients, and subcontractors.
However, what happens when someone stops being your employee?
How long can you keep that data set when the original business purpose (for instance, payroll) is over, and what happens when the data retention period expires?
The basic rule is that you can keep the data as long as you can prove that you need it to demonstrate compliance, or as long as a particular law requires you to.
GDPR calls this the storage limitation principle, which requires that you keep personal data only as long as the purpose of the processing has not been fulfilled.
How can you determine the data retention period?
A variety of laws, such as archiving law, require you to keep data for a certain amount of time, and these laws vary from country to country.
This means that the data retention period for those data sets is predetermined.
There are also internal procedures and policies that are based on processing personal data and require you to define the data retention period yourself.
When defining the data retention period, you need to know why you are keeping the data and define how long you will keep it.
For example, how long will you keep contacts from your newsletter list or CVs from job applicants?
The storage limitation principle only stipulates that personal data should be kept in a form that permits the identification of individuals for no longer than is necessary, which leaves you as the creator of your own data retention policies.
This is a real-life example of how a company can define data retention periods for:
Data Removal and Personal Data Lifecycle
Data retention starts when one of the following scenarios happens:
- The initial purpose for data collection and processing has expired: usually, a product or service contract with an individual has expired, an insurance policy has expired, or an individual has stopped using a product or a service.
- The direct action of the data subject – usually an opt-out, unsubscribe or request for the right to be forgotten.
Additionally, there can be a specified delay before data retention starts, e.g. until the beginning of the next fiscal year.
Data removal is triggered by the expiry of the data retention period.
When the data retention period expires, any further processing of the data by your organization becomes illegal.
To minimize the risk of non-compliance, your organization must remove personal data from its systems once the data retention period expires.
Data removal is executed either by deleting the data or, more often, by anonymizing identifiable data.
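The lifecycle rules above (trigger event, optional delay to the next fiscal year, removal on expiry by deletion or anonymization) can be sketched as a small scheduler. This is an added example, not code from Data Privacy Manager; the categories, retention periods, record layout and the fiscal year starting on 1 January are all constructed assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed policy: category -> (retention months, delay start to next fiscal year, action)
POLICY = {
    "payroll": (60, True, "anonymize"),
    "newsletter": (0, False, "delete"),
    "job_application": (12, False, "delete"),
}

@dataclass
class Record:
    subject_id: str
    category: str
    trigger: Optional[date]  # purpose expired or subject opted out; None = still in use

def next_fiscal_year_start(d, start_month=1):
    # Assumption: the fiscal year starts on the 1st of start_month.
    year = d.year if d.month < start_month else d.year + 1
    return date(year, start_month, 1)

def add_months(d, months):
    # Clamp the day so 29 Feb + 12 months lands on 28 Feb instead of failing.
    year, month0 = divmod(d.year * 12 + d.month - 1 + months, 12)
    day = min(d.day, calendar.monthrange(year, month0 + 1)[1])
    return date(year, month0 + 1, day)

def removal_due(rec):
    """Return (due_date, action), or None while the purpose is still active."""
    if rec.trigger is None:
        return None
    # An unknown category raises KeyError: data with no policy is surfaced, not silently kept.
    months, delay, action = POLICY[rec.category]
    start = next_fiscal_year_start(rec.trigger) if delay else rec.trigger
    return add_months(start, months), action

def due_for_removal(records, today):
    """Answer WHICH subjects' data must be removed by `today`, and how."""
    due = [(r, removal_due(r)) for r in records]
    return [(r.subject_id, r.category, d[1]) for r, d in due if d and d[0] <= today]

# Constructed sample records.
RECORDS = [
    Record("S-001", "payroll", date(2019, 3, 15)),          # employment ended
    Record("S-002", "newsletter", date(2024, 6, 10)),       # unsubscribed
    Record("S-003", "job_application", date(2024, 2, 29)),  # application closed
    Record("S-004", "payroll", None),                       # current employee
]
```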
To schedule data removal in a compliant way, the prerequisite is to keep compliant records of processing activities (ROPA) and to have a 360° view of the data subject’s personal data processing.
Every processing activity needs to have specific information in your ROPA:
However, having ROPA is not enough, especially if you are using Excel – we have discussed this here: EXCEL vs. GDPR software – can you handle GDPR using Excel?
You also need to understand how data flows through the organization’s systems and processes.
This journey is called Personal Data Lifecycle:
Is there a better way to manage data removal?
When an organization is processing a large amount of data across multiple systems, automation is the only way to avoid the possibility of human error and reduce the risk of non-compliance.
Automation minimizes the amount of manual work needed for data deletion or recording every action taken over data.
Data Privacy Manager automatically gives instructions to other systems when data deletion needs to be executed and enables you to define data retention and data removal operationalization for different data categories.
Data Privacy Manager’s automated services answer two key questions: “WHICH data subject’s data needs to be removed?” and “WHEN does this data need to be removed?”
The data retention schedule and the data destruction schedule are two real-time services available for end-to-end automation of personal data removal, which together represent a GDPR-compliant personal data removal engine.
If you would like to read more about Data Removal and Data Retention, download our e-book Solution for GDPR compliant Personal Data Removal: