Data should not be held for longer than is needed and shouldn’t be kept ‘just in case’ you have a need for it in the future. If you keep sensitive data for too long – even if it’s being held securely and not being misused – you may still be violating the GDPR’s requirements.
That might sound overly strict, but there’s a good reason for it. In this blog, we explain why that’s the case and how to overcome data retention limitations whilst still preserving data intelligence in line with the GDPR’s requirements.
How long can personal data be stored?
Despite the apparent strictness of the GDPR’s data retention periods, there are no rules on storage limitation.
Organisations can set their own deadlines based on whatever grounds they see fit, however the organisation must document and justify why it has set the timeframe it has.
The decision should be based on two key factors: the purpose for processing the data, and any regulatory or legal requirements for retaining it.
As long as one of your purposes still applies, you can continue to store the data.
You should also consider your legal and regulatory requirements to retain data. For example, when the data is subject to tax and audits, or to comply with defined standards, there will be data retention guidelines you must follow.
You can plan how your data will be used and if it will be needed for future use by creating a data flow map. This process is also helpful when it comes to locating data and removing it once your retention period expires.
Data Minimisation Principles under GDPR
Article 5(1)(c) of the GDPR says “Personal data shall be: adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
Ideally, this means that organisations identify the minimum amount of personal data needed to fill the purpose for which the data was collected. Deciding what is “adequate, relevant and limited” can prove a challenge for organisations as these terms are not defined by the GDPR. To assess whether you are holding the right amount of data, first, be clear about why the data is needed and what type of data is collected. For special categories or criminal offence data, the concerns are further heightened.
Collecting personal data on the off-chance that it might be useful in the future would not conform to the principle of data minimisation. Organisations should periodically review their processing activities to make sure personal data remains relevant, accurate, and adequate for your purposes deleting anything that is no longer needed.
For this reason, data minimisation is closely linked to the storage limitation principle.
Retention limitations as laid out by GDPR
Article 5(1)(e) of the GDPR says: “Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.”
What this article says is that, even if an organisation collects and uses personal data lawfully, they cannot keep it indefinitely. The GDPR does not specify time limits for the data. This is up to the organisation. Complying with the principles of storage limitation ensures that data is erased, anonymised, or synthesised to reduce the risk that the data becomes irrelevant and excessive or inaccurate and out of data. From a practical perspective it is inefficient to hold more personal data than you need with unnecessary costs related to storage and security. Keeping in mind that organisations must respond to data subject access requests, this becomes more difficult the more data an organisation has to sift through. Holding excessive amounts of data also increases the risk associated with a data breach.
Maintaining retention schedules list the types of information you hold, what you use it for, and when it must be deleted. To comply with documentation requirements, organisations must establish and document standard retention periods for different categories of information. It is advisable for organisations to ensure they are complying with these retention periods and review retention at appropriate intervals.
Retaining the value of data
“Data is the new oil of the digital economy”. Yes, this may be an overhyped statement, but most will agree that data is valuable and essential for organisations to realize innovation, it allows organisations to spot valuable patterns, trends and relationship over time to support the organisation with actionable insights.
However, the data minimization principle and (specific) legal data retention periods require organisations to destroy data after a certain time period. Consequently, those organisations have to destroy their foundation for the realization of data-driven innovation: data. Without data and a rich database of historical data, the realization of data-driven innovation will become challenging. Hence, this introduces a situation where organisations cannot spot valuable patterns, trends and relationship over time to support the organisation with actionable insights.
So, how do you overcome these challenges while preserving data intelligence?
You can work-around data retention deadlines by creating synthetic data or by anonymising data; this means that the information cannot be connected to an identifiable data subject. If your data is anonymised, the GDPR allows you to keep it for as long as you want.
You should be careful when doing this, however. If the information can be used alongside other information the organisation holds to identify an individual, then it is not adequately anonymised.
What to do with data past the retention period
You have three options when the deadline for data retention expires: you could delete, anonymise, or create synthetic data.
If you opt to delete the data, you must ensure all copies have been discarded. To do this, you will need to find out where the data is stored. Is it a digital file, hard copy or both?
It’s easy to erase hard copy data, but digital data often leaves a trace and copies may reside in forgotten file servers and databases. To comply with the GDPR, you will need to put the data ‘beyond use’. All copies of the data should be removed from live and back-up systems.
Conforming to the principle of data minimisation to limit the use of personal data to what is strictly necessary, your organisation indicated a retention limitation. When that moment arrives, it is time to delete your data. But wait! Your data is your gold. Do not throw away your gold!
How do you anonymise the data?
You can anonymise the data by turning it into Synthetic Data to continue to draw value and preserve data intelligence.
How is Synthetic Data created?
New and inventive techniques have been developed to generate synthetic data. This strategy allows your organisation to derive value from its data even after it has deleted the personal information. With this new Synthetic Data solution like Syntho, you generate a Synthetic Dataset based on the original dataset in Syntho. After generating the Synthetic Dataset, you can delete the original dataset in Privacy Hub and continue performing analysis on the Synthetic Dataset, retaining the data intelligence without the personal data. Pretty cool.
Organisations are now able to preserve data over time in synthetic form. Where they originally were limited in the realization of data-driven innovation, they will now have a strong foundation to realize data driven innovation (over time). This allows those organisations to spot valuable patterns, trends and relationship over time based on (partly) synthetic data, so that they can support the organisation with actionable insights.
Want more? Watch this webinar on how to overcome data retention limitations and preserve data intelligence.