A better understanding of the Regulation, legal practice and the maturation of the position of the DPO have led to the revelation of new challenges arising.

One of those challenges is data removal.

While Organizations have been busy with collecting consents and putting together compliant Records of processing activities, the data removal remained overlooked, or maybe postponed?

 

It is important to note that data removal is closely tided to your data retention policies.

So let’s start by focusing firstly on data retention.

Data retention and Data removal

 

Your Organization collects data from employees, job applicants, clients, and subcontractors.

As you already know, this personal information is necessary for your Organization to operate its day to day business.

You store employee’s personal data to pay out salaries and so on. But what happens when that person stops being your employee?

 

For how long do you keep that data set when the original business purpose (payroll) is over and what happens when the data retention period expires?

The basic rule is, you can keep the data as long as you can prove that you need it to demonstrate compliance, or as long as particular law requests you to.

 

What does that mean?

There are a variety of different laws that will demand you to keep data for a certain amount of time.

This will vary from country to country. Archiving law is a great example of that type of law.

Let’s see this in a real-life example. This is how one company has defined data retention periods for:

 

example of data retention policy

 

In order for you to define the data retention period, you will need to know why you are keeping that data.

Note that the purpose is the most important thing when defining a data retention period.

When you defined data retention policies for every data set you are collecting, when the time comes or upon individual request, you will have to adequately remove it or anonymize it.

 

If you want to read more, download our e-book Solution for GDPR Compliant Personal Data Removal.

Data Removal and Personal Data Lifecycle

Most of the Organizations by now have documented data retention policies and have a good idea on how long they can keep the data.

Data retention starts when one of the following scenarios happen:

 

1. The initial purpose for data collection and processing has expired. Usually, a product or services contract with an individual has expired, an insurance policy has expired or an individual stopped using a product or a service.

2. The direct action of the Data Subject, usually an opt-out, unsubscribe or request for the right to be forgotten.

 

Additionally, there can be a specified delay for data retention start, e.g. the beginning of the next fiscal year.

The data removal is triggered by the expiry of the data retention period.

When the data retention period expires, any further processing of the data by your Organization becomes illegal.

 

To minimize the risk of non-compliance, your Organization must remove personal data from its systems, once the data retention period expires.

Data removal is executed either by deleting the data or, more often, by anonymizing identifiable data.

 

To schedule data removal in a compliant way, the prerequisite is to keep a compliant Records of processing activities (ROPA) and to have a 360° view of Data Subject’s personal data processing.

 

Every processing activity needs to have this information in your ROPA:

data retention

 

However, having ROPA (especially in Excel) is not enough. You also need to understand how data lives and flows through the Organization’s systems and processes.

This journey is called Personal Data Lifecycle

 

 

If you are just warming up and would like to read more about Data Removal and Data Retention, download our e-book  Solution for GDPR compliant Personal Data Removal:

Solution for GDPR Compliant Data Removal