GDPR Compliant Data Removal

The operationalization of data removal is one of the most pressing DPO challenges today, and for good reason. To conduct GDPR compliant data removal, the Data Protection Officer (DPO) needs to know where the data is stored and have real insight into the technical and business implications of data removal.

While organizations have been busy collecting consents and putting together compliant records of processing activities, data removal has remained overlooked or postponed.

It is important to note that data removal is closely tied to your data retention policies, so let’s start with data retention.

Data retention and Data removal

Data retention refers to keeping or storing personal data for different purposes such as everyday business operation, demonstrating compliance with the supervisory authority, or complying with a particular law.

Your organization collects data from employees, job applicants, clients, and subcontractors.

However, what happens when a person stops being your employee? How long do you keep that data set when the original business purpose (for instance, payroll) is over, and what happens when the data retention period expires?

The basic rule is that you can keep the data as long as you can prove that you need it to demonstrate compliance, or as long as a particular law requires you to.

This is the storage limitation principle, and we have talked about it more in our blog: Storage limitation principle - How long should you keep personal data?

What does that mean?

A variety of laws, such as archiving law, will require you to keep data for a certain amount of time, and the requirements vary from country to country. This means that the data retention period for those data sets is predetermined.

There are also internal procedures and policies that are based on processing personal data and require you to define the data retention period yourself.

When defining the data retention period, you will need to know why you are keeping that data and define how long you will keep it. For example, how long will you keep contacts from your newsletter list or CVs from job applicants?

The storage limitation principle only stipulates that personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, which leaves you to create your own data retention policies.

This is a real-life example of how a company can define data retention periods for:

Example of data retention policies

If you want to read more, download our e-book Solution for GDPR Compliant Personal Data Removal.

Data Removal and Personal Data Lifecycle

Data retention starts when one of the following scenarios happens:

1. The initial purpose for data collection and processing has expired. Usually, a product or services contract with an individual has expired, an insurance policy has expired or an individual stopped using a product or a service.

2. The direct action of the data subject – usually an opt-out, unsubscribe or request for the right to be forgotten.

Additionally, there can be a specified delay for data retention start, e.g. the beginning of the next fiscal year.

The data removal is triggered by the expiry of the data retention period.

When the data retention period expires, any further processing of the data by your organization becomes illegal. To minimize the risk of non-compliance, your organization must remove personal data from its systems once the data retention period expires.

Data removal is executed either by deleting the data or, more often, by anonymizing identifiable data.
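
The scheduling logic described above (a trigger, an optional delay to the next fiscal year, the retention period, then deletion or anonymization) can be sketched in a few functions. This is an added example, not code from Data Privacy Manager; the categories, retention periods, record identifiers and the 1 January fiscal-year start are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Policy:
    retention_years: int          # constructed value, not taken from the page
    delay_to_fiscal_year: bool    # retention starts at the next fiscal year
    action: str                   # "delete" or "anonymize"

@dataclass(frozen=True)
class Record:
    subject_id: str
    category: str
    trigger: date                 # purpose expired, or opt-out / erasure request

FISCAL_YEAR_START = (1, 1)        # assumption: fiscal year begins on 1 January

def retention_start(trigger: date, policy: Policy) -> date:
    """Retention begins at the trigger, or at the next fiscal-year start."""
    if not policy.delay_to_fiscal_year:
        return trigger
    month, day = FISCAL_YEAR_START
    start = date(trigger.year, month, day)
    return start if start > trigger else date(trigger.year + 1, month, day)

def removal_due(trigger: date, policy: Policy) -> date:
    """Date on which the retention period expires and removal must run."""
    start = retention_start(trigger, policy)
    try:
        return start.replace(year=start.year + policy.retention_years)
    except ValueError:            # 29 February mapped to 28 February (a chosen convention)
        return date(start.year + policy.retention_years, 2, 28)

def due_for_removal(records, policies, today: date):
    """WHICH records must be removed, WHEN they fell due, and HOW."""
    rows = [(r.subject_id, r.category, removal_due(r.trigger, policies[r.category]),
             policies[r.category].action) for r in records]
    return sorted((row for row in rows if row[2] <= today), key=lambda row: row[2])

# Constructed sample policies and records
POLICIES = {"payroll": Policy(5, True, "anonymize"),
            "newsletter": Policy(0, False, "delete"),
            "job_application": Policy(1, False, "delete")}
RECORDS = [Record("emp-001", "payroll", date(2019, 6, 30)),
           Record("sub-042", "newsletter", date(2024, 3, 15)),
           Record("app-007", "job_application", date(2024, 2, 29))]
```

Calling `due_for_removal(RECORDS, POLICIES, date(2025, 1, 15))` returns the newsletter opt-out and the payroll record, while the job application stays until its own due date.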

To schedule data removal in a compliant way, the prerequisite is to keep compliant records of processing activities (ROPA) and to have a 360° view of the data subject’s personal data processing.

Every processing activity needs to have specific information in your ROPA:

However, having ROPA is not enough, especially if you are using Excel – we have discussed this here: EXCEL vs. GDPR software – can you handle GDPR using Excel? You also need to understand how data flows through the organization’s systems and processes.

This journey is called Personal Data Lifecycle:

Is there a better way to manage data removal?

When an organization is processing a large amount of data across multiple systems, automation is the only way to avoid the possibility of human error and reduce the risk of non-compliance. Automation minimizes the amount of manual work needed for data deletion or recording every action taken over data.

Data Privacy Manager automatically gives instructions to a different system when data deletion needs to be executed and enables you to define data retention and data removal operationalization on different data categories.

Data Privacy Manager’s automated services answer two key questions: “WHICH data subject’s data needs to be removed?” and “WHEN does this data need to be removed?”

The data retention schedule and the data destruction schedule are two real-time services for end-to-end automation of personal data removal; together they form a GDPR compliant personal data removal engine.

If you would like to read more about Data Removal and Data Retention, download our e-book Solution for GDPR compliant Personal Data Removal.