One of the most discussed topics in conferences and workshops is the proper management of personal data retention periods.
The fact that this topic generates so much interest is actually an anomaly.
In fact, the GDPR doesn't introduce any innovation (except for sanctions) compared with the current privacy legislation, which already rules at article 11 that data must be:
e) kept in a form which allows identification of the data subject for no longer than it is necessary for the purposes for which the data were collected or subsequently processed.
After all, the majority of the requirements prescribed by the GDPR have been in force for years, but only a few Controllers actually complied.
Although I have already dealt with the topic (The period for which the personal data will be stored), it seems appropriate to return to it in order to provide some indications on how to define an adequate data retention policy.
Determine the retention period
The retention period is connected to the processing purpose; therefore, if the same information is processed for different purposes, it is necessary to set a different retention time limit appropriate to each purpose.
Some retention time limits are determined on the basis of external elements (such as legislative or contractual obligations), while others are set by the Controller.
We should also consider the prescription terms (limitation periods) within which an external party can take action against the Controller, and the delays between lodging a judicial document and its notification; these delays should be added as a buffer to the basic retention period.
In the event of litigation with clients, suppliers or administrations, a new processing purpose arises and, consequently, the retention periods which depended on the original purposes are superseded: a new, distinct retention period must be determined.
Retaining personal data for longer than strictly necessary for the specific purpose can't be justified by the need to respond to possible, hypothetical requests from the judicial authorities or other inspection agencies.
We must understand that what determines the retention period is the purpose and not an instrument. For instance, in the case of electronic mail (which is actually an instrument and not a purpose), the retention period isn’t generically determined for all emails, but rather specifically determined for every single group of emails, defined on the basis of the purpose.
Personal data are normally stored on different types of media, in digital or analogue form, structured or unstructured. They are kept both at the Controller's premises and at outsourcers' and suppliers' premises. It is essential to adequately and thoroughly map (which may be fairly difficult, and is rarely done) the personal data actually processed and stored on the various media, in order to ensure proper and consistent management of retention periods.
Indeed, it is useless to invest in the proper management of data retention on one specific medium and forget that the same data are stored on other media as well.
It is clear that genuine, effective management of retention periods is impossible without a predefined storage media policy.
The very fact that most of the activities to comply with the GDPR are related to mapping processing and data locations points out that Controllers are not actually safeguarding their information assets.
Retention periods can't be determined without regard to technical considerations, which depend on the specificities of each Controller.
In any case, the following holds: when the retention period expires, data must be:
- deleted, if physically possible
- restricted in use, if the information is also used for other purposes which imply longer retention periods and is stored in a single database or in a single document.
As for the feasibility of deletion, technical problems may occur, since such an operation could damage the integrity of the database or even of other databases that use the same data.
As an alternative to deletion, data anonymisation can be envisaged, together with other techniques that make the information unavailable to the Controller without physically deleting the related record. This kind of operation might be justified on the grounds that otherwise the information system could malfunction, and access to other information could therefore be compromised.
In addition, the actual deletion of single records from backup copies may be unviable, especially when these copies are on tape.
In this case too, instead of an impracticable deletion, alternative measures can be envisaged, such as restricting access to the copies to emergency or recovery situations only, and keeping the storage media under adequate encryption and strict physical security measures.
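As an added illustration (not from the original post), the following Python sketch models the decision rules above: each purpose carries its own retention clock (base period plus the prescription-term buffer), litigation is added as a new purpose with its own clock rather than an extension of the old ones, and at expiry a record is deleted, restricted to the purposes still active, or anonymised when physical deletion is technically infeasible. All dates, periods and identifiers are constructed sample values, not legal terms.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Purpose:
    """One processing purpose with its own retention clock."""
    name: str
    start: date                        # when processing for this purpose began
    retention: timedelta               # base period: legal/contractual obligation, or set by the Controller
    buffer: timedelta = timedelta(0)   # prescription term plus lodging/notification delays

    def expiry(self) -> date:
        return self.start + self.retention + self.buffer


@dataclass
class Record:
    subject_id: str
    purposes: list                     # every purpose the same data are processed for
    deletable: bool = True             # False when physical deletion would break database integrity


def open_litigation(record: Record, opened: date, retention: timedelta) -> None:
    """Litigation is a new purpose: it gets its own clock, it does not extend the old ones."""
    record.purposes.append(Purpose("litigation", opened, retention))


def evaluate(record: Record, today: date):
    """Decide what to do with the record on a given day: keep / restrict / delete / anonymise."""
    active = [p.name for p in record.purposes if p.expiry() > today]
    if active:
        # Still needed for at least one purpose; if others have expired, use must be
        # confined to the remaining ones (same row, same document).
        return ("keep" if len(active) == len(record.purposes) else "restrict"), active
    # Nothing justifies retention any more: delete, or anonymise if deletion is infeasible.
    return ("delete" if record.deletable else "anonymise"), []


def demo():
    """Constructed sample: one customer row processed for two purposes with different clocks."""
    row = Record("customer-42", [
        Purpose("marketing", date(2015, 1, 1), timedelta(days=730)),
        Purpose("invoicing", date(2015, 1, 1), timedelta(days=3650), buffer=timedelta(days=180)),
    ])
    partial = evaluate(row, date(2018, 1, 1))     # marketing expired, invoicing still running
    expired = evaluate(row, date(2030, 1, 1))     # every purpose expired
    row.deletable = False                         # e.g. other tables reference this row
    frozen = evaluate(row, date(2030, 1, 1))
    open_litigation(row, date(2029, 6, 1), timedelta(days=5 * 365))
    litigating = evaluate(row, date(2030, 1, 1))  # only the new litigation purpose is active
    return partial, expired, frozen, litigating


if __name__ == "__main__":
    for step in demo():
        print(step)
```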
Determining a proper data retention policy requires attention to all the issues mentioned above, also with the aim of reproducing it correctly in the information notices given to all the parties involved.
(translated by Matilde Bobbio)