GDPR Compliant Data Removal

A better understanding of the Regulation, accumulated legal practice and the growing maturity of the DPO role have brought new challenges to light.

One of those challenges is data removal.

While Organizations have been busy collecting consents and putting together compliant Records of processing activities, data removal has remained overlooked, or perhaps just postponed.

It is important to note that data removal is closely tied to your data retention policies.

So let’s start by focusing on data retention first.

Data retention and Data removal

Your organization collects data from employees, job applicants, clients, and subcontractors.

As you already know, this personal information is necessary for your organization to operate its day-to-day business. You store employees’ personal data to pay out salaries, and so on.

But what happens when a person stops being your employee? Read more about processing employees’ personal data.

For how long do you keep that data set once the original business purpose (for instance, payroll) is over, and what happens when the data retention period expires?

The organization is also accountable for collecting personal data and managing it in a GDPR-compliant way, which means that data you no longer need should be deleted.

The basic rule is that you can keep the data as long as you can prove you need it to demonstrate compliance, or as long as a particular law requires you to.

This is the storage limitation principle, and we have discussed it in more detail on our blog:

Storage limitation principle - How long should you keep personal data?

What does that mean?

There are a variety of laws that require you to keep data for a certain period of time.

This varies from country to country. Archiving law is a good example of that type of law.

This is a real-life example of how a company can define data retention periods for:

(Image: Example of data retention policies)

In order to define the data retention period, you will need to know why you are keeping that data.

Note that the purpose is the most important thing when defining a data retention period.

Once you have defined data retention policies for every data set you collect, you will have to adequately remove or anonymize the data when the time comes or upon an individual’s request.

If you want to read more, download our e-book Solution for GDPR Compliant Personal Data Removal.

Data Removal and Personal Data Lifecycle

By now, most Organizations have documented data retention policies and a good idea of how long they can keep the data.

Data retention starts when one of the following scenarios happens:

1. The initial purpose for data collection and processing has expired. Usually, a product or services contract with an individual has expired, an insurance policy has expired, or an individual has stopped using a product or a service.

2. A direct action by the Data Subject, usually an opt-out, an unsubscribe or a request to exercise the right to be forgotten.

Additionally, the start of data retention can be delayed to a specified point, e.g. the beginning of the next fiscal year.

Data removal is triggered by the expiry of the data retention period.

When the data retention period expires, any further processing of the data by your Organization becomes illegal.

To minimize the risk of non-compliance, your Organization must remove personal data from its systems once the data retention period expires.

Data removal is executed either by deleting the data or, more often, by anonymizing identifiable data.
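The retention lifecycle described above, as an added illustration that is not part of the original article: each purpose gets a policy (the retention period, whether the clock starts at the next fiscal year, and whether expiry means deletion or anonymization), each record carries the two possible triggers, and a scheduler reports what is due on a given day. The fiscal-year start, field names and sample records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
FISCAL_YEAR_START = (1, 1)  # assumed: fiscal year begins on 1 January

@dataclass
class RetentionPolicy:          # one per purpose, mirroring the ROPA entry
    retention_days: int         # period justified by law or by demonstrable need
    action: str                 # "delete" or "anonymize"
    identifiers: tuple = ()     # fields that make the record identifiable
    delay_to_fiscal_year: bool = False

@dataclass
class Record:
    subject_id: str
    purpose: str
    data: dict
    purpose_ended: "date | None" = None    # scenario 1: contract or service ended
    subject_request: "date | None" = None  # scenario 2: opt-out or erasure request

def retention_start(rec, policy):
    # Retention starts at the earliest trigger, optionally delayed to the next fiscal year.
    triggers = [d for d in (rec.purpose_ended, rec.subject_request) if d]
    if not triggers:
        return None             # purpose still active: the retention clock has not started
    start = min(triggers)
    if policy.delay_to_fiscal_year:
        start = date(start.year + 1, *FISCAL_YEAR_START)
    return start

def retention_expiry(rec, policy):
    start = retention_start(rec, policy)
    return None if start is None else start + timedelta(days=policy.retention_days)

def remove(rec, policy):
    # Delete outright, or strip every identifying field so the record cannot be linked back.
    if policy.action == "delete":
        return None
    kept = {k: v for k, v in rec.data.items() if k not in policy.identifiers}
    return Record("anonymized", rec.purpose, kept, rec.purpose_ended, rec.subject_request)

def due_for_removal(records, policies, today):
    # (subject_id, action) for every record whose retention period has expired by `today`.
    return [(r.subject_id, policies[r.purpose].action) for r in records
            if (exp := retention_expiry(r, policies[r.purpose])) is not None and exp <= today]

# Constructed sample: payroll kept 2 years from the next fiscal year; newsletter anonymized 30 days after opt-out.
POLICIES = {"payroll": RetentionPolicy(730, "delete", ("name", "iban"), True),
            "newsletter": RetentionPolicy(30, "anonymize", ("email",))}
RECORDS = [Record("emp-1", "payroll", {"name": "A. Example", "iban": "XX00", "band": "B"}, date(2021, 3, 15)),
           Record("emp-2", "payroll", {"name": "B. Example", "iban": "XX01", "band": "C"}),
           Record("sub-1", "newsletter", {"email": "b@example.com", "region": "EU"}, None, date(2024, 5, 10))]
```

Running `due_for_removal(RECORDS, POLICIES, date(2024, 6, 9))` lists emp-1 for deletion and sub-1 for anonymization, while emp-2 (purpose still active) is never scheduled.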

To schedule data removal in a compliant way, the prerequisite is to keep compliant Records of processing activities (ROPA) and to have a 360° view of each Data Subject’s personal data processing.

Every processing activity needs to have this information in your ROPA:

However, having a ROPA (especially in Excel) is not enough. You also need to understand how data lives and flows through the Organization’s systems and processes.

This journey is called the Personal Data Lifecycle:

If you would like to read more about Data Removal and Data Retention, download our e-book Solution for GDPR compliant Personal Data Removal:

Download e-book: GDPR compliant personal data removal