Remember to forget: Mastering data retention & deletion

As a data protection pro, you’re no stranger to the tightrope act of managing personal data. One crucial aspect of the job is ensuring that the organisation "remembers to forget" by managing data retention and deletion effectively. 

So, how about we embark on a journey to revitalise or even elevate your data retention and deletion game? 

Retention vs. deletion: the eternal data dance

Striking the perfect balance between these two elements is essential for maintaining privacy compliance while actively encouraging your organisation's operational efficiency. To start with, let’s explore the definitions of data retention and deletion, as well as the art of finding the right note between retaining too much data and purging too little.

Data retention is the practice of preserving personal data for a specified period based on the legal basis of processing, operational needs, and regulatory requirements. Retention periods can vary depending on factors such as industry, data type, and jurisdiction.

Data deletion refers to the secure and permanent removal of personal data from your organisation's systems and storage devices. This process should take place when the retention period expires or when a data subject exercises their right to be forgotten under the GDPR.

How much data is too much data?

Retaining excessive amounts of data not only poses a risk of non-compliance but also increases the likelihood of data breaches and the associated consequences. Over-retention can burden your organisation's storage resources, reduce operational efficiency, and make it challenging to locate relevant information when needed.

To prevent data hoarding, consider the following:

1. Establish clear retention periods for each data category, based on legal requirements and operational needs.
2. Regularly review and update your data retention policies to reflect changes in regulations, business practices, and technology.
3. Advocate for a robust data archiving strategy to securely store data that must be retained for legal or historical reasons but is not actively used.

Finding the sweet spot: how little data is too little data?

On the other hand, deleting data prematurely can lead to the loss of valuable information and hinder your organisation's ability to meet regulatory or legal obligations. To avoid deleting data too soon — thus risking to retain insufficient data — consider adopting the following practices:

1. Ensure that retention periods are based on a solid legal basis and accurately reflect the data's importance and sensitivity.
2. Develop a clear and standardised deletion process, including criteria for determining when data should be deleted and methods for securely erasing it.
3. Schedule regular data audits to verify that deletion procedures are followed correctly and that data is not removed before the end of its retention period.

The value of data minimisation

Data minimisation is the practice of limiting the collection and processing of personal data to the minimum necessary for a specific purpose. By adopting data minimisation principles, organisations can reduce the risk of data breaches, lower their storage costs, and simplify compliance with GDPR requirements. In a nutshell: 

• Retain too much — Increased security risks and GDPR troubles.
• Delete too much — Impaired business operations and compliance challenges.

7 practical tips for an effective data retention & deletion strategy

A strong data retention and deletion strategy is vital to maintaining GDPR compliance and ensuring the optimal use of your organisation's resources. And it all starts with the ROPA:

Make sure your ROPA tracks all personal data 

A solid ROPA should be the foundation of your privacy management program and offer a comprehensive inventory of all personal data processing activities within and outside of your organisation. It should include information on the purposes of processing, the legal basis for each activity, and the categories of data subjects and personal data involved. 

🔗 If you are interested in exploring the topic further, here are 4 tips for getting the most out of your ROPA.

Clearly classify all personal data

Categorising your data based on its sensitivity, importance, and retention requirements will help streamline your retention and deletion strategy. Data classification can also aid in identifying the appropriate security measures to protect different types of data and ensure that data is deleted in accordance with its assigned retention period.

Establish solid data retention policies

Provide clear guidelines on the retention periods for each category of personal data, the legal basis for retention, and the procedures for archiving and deleting data. Make sure your policies are easily accessible and comprehensible for all employees within your organisation. 

⚠️ Data retention policies do not have to be publicly accessible, but it's good practice to provide a clear and concise summary of your data retention practices within your organisation's privacy policy. 

Work closely with InfoSec

Collaborate with your InfoSec team to correlate your ROPA with their data-supporting assets register, which lists all physical and digital assets that store, process, or transmit personal data. This integration will help ensure that data retention and deletion procedures are consistently applied across all assets and that data is effectively protected. 

🔗 We’ve actually given this a fair amount of thought: Privacy management & information security - Two sides of the data protection coin.

Limit data processing

By limiting the amount of personal data you collect, process, and store to what is strictly necessary for your intended purpose, you reduce the risk of data breaches and improve overall data management efficiency.

To effectively limit data processing you should also consider limiting data access. Implement access controls to ensure that only authorised personnel can access personal data based on their job responsibilities. 

Carry out routine check-ups and updates

Make it a habit to conduct regular audits that evaluate how well your data retention and deletion strategy is working. This will help you spot any gaps or potential improvements and ensure that data retention and deletion are in line with your set policies. Don't forget to frequently revisit your strategy to keep up with any changes in regulations, technology, or business processes.

Never neglect training and awareness

Promote a culture of data protection within your organisation by providing ongoing training and awareness programs, including data retention and deletion best practices. Ensure that all your colleagues, from entry-level pros to senior management, understand their responsibilities and the importance of adhering to your organisation's data retention and deletion policies. 

🔗 If you’re worried that your training sessions could turn into a snooze fest, check out this article: Privacy training that sticks | Overcoming 10 common excuses.

Final thoughts

Mastering the art of letting go is an essential aspect of GDPR compliance. By ensuring your ROPA is accurate and up-to-date, creating a solid data retention and deletion policy, collaborating with your InfoSec team, practising data minimisation, and leveraging software technologies, you can effectively safeguard personal data and meet the expectations of both regulators and data subjects. 

And, of course, remember to stay informed about emerging technologies and best practices in data protection to ensure that your organisation remains compliant and at the forefront of data privacy.

___
Did you find this article helpful? Stay tuned for more by 📌 following our Social Media pages and/or 👉 subscribing to our weekly newsletter. We'll keep you up to date on topics such as Privacy Management, Information Security, and GDPR compliance.