Data retention is not optional. It’s mandatory. Under the fifth data protection principle of the GDPR, personal data cannot be kept for longer than needed. However, there is no specific time limit stated. How long data is retained for will depend on the purpose for holding the data.
This has caused issues for organisations trying to understand, not only what data they have or what retention policies should apply to specific personal data, but how to operationalise data retention and put it to practice.
Significant fines are being given to organisations who do not comply to retention regulations, including:
- May 2019 - The French Data Protection Authority (CNIL) issued a €400,000 fine for a lack of basic security measures and excessive data storage – SERGIC had stored documentation provided by candidates for longer than necessary.
- October 2019 - The supervisory authority of Berlin issued a €14.5 million fine against the real estate company Deutsche Wohnen SE for storing personal data of tenants without a legal basis and for not implementing the GDPR principle of privacy by design. It is the highest GDPR fine imposed so far in Germany.
- December 2019 – The ICO issued a fine of £275,000 to Doorstop Dispensaree for failing to state a retention period for personal data, or the criteria for determining the retention period contrary to Article 13 (2)(a) and 14 (2) (a), while insecurely storing 500,000 paper documents containing personal identifiable information (PII) in file cabinets.
Data lives across all areas of all different departments: legal, IT, marketing, service, sales—everywhere. Often, it lives in places that some employees might not even be aware of, thanks to an undocumented “tribal” knowledge owned by long-tenured employees. And according to Exterro’s 2019 In-House Benchmarking Report, if there is an inventory of the data, it’s likely on a spreadsheet rather than a software platform. This may be the norm for now, but it will be extraordinarily difficult for organisations and businesses to maintain compliance going forward if that remains the status quo. A unified platform is needed.
As data privacy, e-discovery, and information governance become increasingly interrelated, the foundation of these drivers—the data inventory—becomes more valuable and important. To make a data inventory actionable, you need the ability to actually connect to the data and to understand the data.
Here lies the difficulty in operationalising data retention. Logically, the first step to protecting, preserving or eliminating data is to know what you have, where you have it, why you have it, what regulations govern it, and with whom you share it. Without this foundation, you have limited chances of success in achieving any of your governance, risk and compliance duties, let alone fulfilling your data retention objectives.
Organisations must keep a system in place to enforce their document retention policies, and regularly review the retention of documents at appropriate periods, in order to allow for early deletion if it is no longer necessary to retain the data.
In order to build compliance from the ground up and future proof your organisation, a robust data inventory needs to be established, one that works in concert with data retention and other processes like Data Subject Access Requests (DSARs) and Legal Hold (Data Preservation). By doing so, you’ll be way ahead of the curve in mitigating privacy risks and maintaining regulatory compliance.