When personal data is no longer necessary to process, it must be erased. You can’t hold onto data that’s no longer useful, but determining what constitutes deletion, understanding relevant deadlines, and establishing effective procedures for deletion, backups, and more can be challenging.
Let's dive into data retention and deletion policies, providing concrete guidance on creating your own.
How long can personal data be kept?
When dealing with personal data under the GDPR, it's essential to grasp what personal data encompasses and its various types.
The Danish Data Protection Agency defines “personal data” as:
“Any information traceable to a specific individual, even if identification requires combining it with other information.”
Essentially, personal data falls into three categories:
- Standard (non-sensitive) personal data
- Sensitive personal data
- Information about criminal convictions, offenses, or related security measures.
Different rules apply to each category based on how sensitive the data is. Regardless of the type, you must only keep data for:
- As long as you have legal authorization for the storage.
- As long as you have a legitimate purpose for the storage.
If neither of these applies, delete the data.
When should personal data be erased?
According to Article 5, Section 1, Letter e of the General Data Protection Regulation (GDPR):
"…personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed."
It is up to the organization, as data processor, to assess when personal data should be deleted: that is, when it no longer serves a legitimate purpose or no longer meets the requirement of legal authorization. Additionally, under Article 5, Section 2, the organization must be able to document that deletions actually take place.
What does it mean to truly erase personal data?
Distinguishing between actual deletion and mere inaccessibility is crucial.
In data processing systems, information is typically stored in a database and accessed through a user interface. True deletion necessitates removing data from the database. If data remains accessible to system administrators, it hasn’t been genuinely erased, violating deletion requirements.
As mentioned, documenting deletions is essential. Without proper records, compliance is impossible.
What is a deletion policy?
Data controllers must ensure that data is deleted according to plan, which is where deletion policies come into play.
A deletion policy outlines guidelines and procedures for handling personal data from collection to deletion. It should specify deletion timelines, methods, and confirmation processes.
Consider these questions when creating your policy:
- How do we find data that’s ready for deletion?
- Who is responsible for deleting data?
- How do we make sure deletions are done right?
- Should deletion be manual or automatic?
- How much of the data needs to be deleted?
The last point—how much of the data should be deleted—is relevant because it is possible to retain data as long as it is no longer personally identifiable.
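The questions above, turned into something that can run: the following is an added example (not code from the original article) of a small retention-schedule evaluator. Each purpose gets a rule with a purpose-based retention period, an optional statutory minimum that can force longer storage, and a flag saying whether the record should be deleted outright or only stripped of its identifying fields. The purposes, periods and records are constructed sample values; the real periods must come from your own legal assessment.

```python
"""Retention-schedule evaluator: an added illustration, not code from the
original article. Purposes, periods and records are constructed sample
values; the real periods must come from your own legal assessment."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionRule:
    purpose: str
    retention_days: int                 # how long the stated purpose justifies keeping the data
    legal_minimum_days: int = 0         # statutory minimum that may force longer storage (assumed)
    identifying_fields: frozenset = frozenset()  # fields stripped when anonymizing
    anonymize: bool = False             # keep a de-identified record instead of deleting it


@dataclass
class Record:
    record_id: str
    purpose: str
    collected: date
    data: dict


# Constructed sample rules; the numbers are illustrative, not legal advice.
RULES = {
    "job_application": RetentionRule(
        "job_application", retention_days=180,
        identifying_fields=frozenset({"name", "email"})),
    "invoice": RetentionRule(
        "invoice", retention_days=365, legal_minimum_days=5 * 365,
        identifying_fields=frozenset({"name", "email", "address"}),
        anonymize=True),
}


def decide(record: Record, rule: RetentionRule, today: date) -> str:
    """Return 'keep', 'delete' or 'anonymize' for one record."""
    if record.purpose != rule.purpose:
        raise ValueError("rule does not match record purpose")
    age = (today - record.collected).days
    # A statutory minimum overrides the purpose-based period: keep until both have passed.
    if age < max(rule.retention_days, rule.legal_minimum_days):
        return "keep"
    return "anonymize" if rule.anonymize else "delete"


def anonymize(record: Record, rule: RetentionRule) -> dict:
    """Strip the identifying fields. What remains must be checked separately:
    if the leftover fields together still point to one person, it is still
    personal data and this step is not enough."""
    return {k: v for k, v in record.data.items() if k not in rule.identifying_fields}


def plan(records, rules, today: date):
    """Build the deletion work list: (record_id, action) for every record."""
    return [(r.record_id, decide(r, rules[r.purpose], today)) for r in records]


if __name__ == "__main__":
    today = date(2024, 6, 1)
    sample = [
        Record("a1", "job_application", date(2024, 5, 1), {"name": "A. Example", "email": "a@example.invalid"}),
        Record("a2", "job_application", date(2023, 1, 1), {"name": "B. Example", "email": "b@example.invalid"}),
        Record("i1", "invoice", date(2022, 1, 1), {"name": "C. Example", "amount": 42.0, "country": "DK"}),
        Record("i2", "invoice", date(2018, 1, 1), {"name": "D. Example", "amount": 99.0, "country": "DK"}),
    ]
    for record_id, action in plan(sample, RULES, today):
        print(record_id, action)
```

The work list this produces is what a deletion job (manual or automatic) consumes; recording which action was taken for each id is the documentation Article 5(2) asks for.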
Follow-up and backups
It is tempting to rely on the system you have developed for data deletion to function as intended and assume personal data is deleted as planned without errors. However, the Danish Data Protection Agency recommends establishing a procedure for follow-up on deletion.
The follow-up could involve reviewing technical logs from deletion operations, automatically extracting data for manual review, etc. It may be advantageous to have a solution for internal controls that ensures the follow-up is carried out correctly and on time, and that the necessary information is documented.
At the same time, it is important to be aware that personal data may be stored in a backup. The purpose of a backup is to restore data if the data in an operational system is lost. As a data controller, you need to address how the data stored in a backup is deleted if the corresponding data is deleted from the operational system.
If technically possible, personal data should be deleted from the backup simultaneously with its deletion from the operational system. If this is not possible, a log of deletions should be kept so that the data can be removed if a backup is restored.
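The procedure in the two paragraphs above (delete from the operational system, record the deletion, follow up, and re-apply the record to a restored backup) as an added example; this is not code from the original article. It uses an in-memory SQLite database with constructed sample rows as the operational system and a second connection as the nightly backup; the table name and the ledger layout are assumptions for the illustration.

```python
"""Deletion ledger with follow-up check and backup replay.

Added example, not code from the original article. An in-memory SQLite
database with constructed sample rows stands in for the operational
system; a snapshot connection stands in for a backup."""
import sqlite3
from datetime import datetime, timezone

TABLE = "customers"  # fixed table name; never taken from input


def new_operational_db() -> sqlite3.Connection:
    """Create the operational database with constructed sample customers."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} (id TEXT PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        f"INSERT INTO {TABLE} VALUES (?, ?, ?)",
        [("c1", "Alice Example", "alice@example.invalid"),
         ("c2", "Bob Example", "bob@example.invalid"),
         ("c3", "Carol Example", "carol@example.invalid")],
    )
    conn.commit()
    return conn


def take_backup(conn: sqlite3.Connection) -> sqlite3.Connection:
    """Snapshot the operational database (stands in for a nightly backup)."""
    backup = sqlite3.connect(":memory:")
    conn.backup(backup)
    return backup


def delete_with_ledger(conn, ledger: list, record_id: str, reason: str) -> dict:
    """Erase one record and append an entry to the append-only deletion log.
    The log holds only the key, the reason and the time, never the personal
    data itself, so the log does not become a second copy to erase."""
    cur = conn.execute(f"DELETE FROM {TABLE} WHERE id = ?", (record_id,))
    if cur.rowcount != 1:
        conn.rollback()
        raise LookupError(f"record {record_id!r} not found; nothing deleted")
    conn.commit()
    entry = {
        "table": TABLE,
        "record_id": record_id,
        "reason": reason,
        "deleted_at": datetime.now(timezone.utc).isoformat(),
    }
    ledger.append(entry)
    return entry


def verify_deletions(conn, ledger: list) -> list:
    """Follow-up control: ids the ledger says are gone but are still present."""
    leftovers = []
    for entry in ledger:
        row = conn.execute(f"SELECT 1 FROM {TABLE} WHERE id = ?",
                           (entry["record_id"],)).fetchone()
        if row is not None:
            leftovers.append(entry["record_id"])
    return leftovers


def replay_ledger(conn, ledger: list) -> int:
    """Re-apply logged deletions to a restored backup; returns rows removed."""
    removed = 0
    for entry in ledger:
        removed += conn.execute(f"DELETE FROM {TABLE} WHERE id = ?",
                                (entry["record_id"],)).rowcount
    conn.commit()
    return removed


def row_count(conn) -> int:
    return conn.execute(f"SELECT COUNT(*) FROM {TABLE}").fetchone()[0]


if __name__ == "__main__":
    op = new_operational_db()
    nightly = take_backup(op)          # backup taken while c2 still exists
    ledger = []
    delete_with_ledger(op, ledger, "c2", "purpose ended: account closed")
    print("leftovers in operational DB:", verify_deletions(op, ledger))
    restored = nightly                 # restoring the backup brings c2 back
    print("leftovers after restore:", verify_deletions(restored, ledger))
    print("re-applied deletions:", replay_ledger(restored, ledger))
    print("leftovers after replay:", verify_deletions(restored, ledger))
```

Running verify_deletions against both the live database and any restored copy is the kind of follow-up the Danish Data Protection Agency recommends; the ledger entries double as the documentation of the deletions themselves.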
Four tips for developing a deletion policy
Deleting data is a significant part of the GDPR. By using deletion policies and procedures, you ensure that you do not inadvertently store data that should have been deleted.
Below, we have compiled four concrete tips on how your organization can begin working on deletion policies:
- Understand the purpose of retaining specific personal data to establish deletion guidelines.
- Investigate any legal minimum retention periods for particular data types.
- Create clear procedures for data deletion and documentation.
- Incorporate a follow-up process to verify successful and compliant deletions.