Did you know that about a third of the data you store is likely redundant, obsolete, or trivial? Right now, your computers may be holding PII of former employees and customers, along with confidential financial records.
Personal data can be compromised by unauthorized access and disclosure. Therefore, keeping it beyond its useful life represents a huge security risk.
Developing a data retention policy is crucial in order to protect the data of your organization and ensure compliance with the GDPR.
What are the requirements for data retention under the GDPR?
Data retention periods should be set based on the following GDPR principles and rights:
This principle states that the collection and processing of personal data must be limited to what is strictly necessary to accomplish specified and legitimate purposes. After all, the less data you have, the less you have to worry about.
This principle states that personal data should not be stored longer than is necessary for the agreed purposes. On top of that, companies must be able to justify data retention periods.
The right to erasure
To increase data subjects’ control over their personal information, the GDPR regulated the “right to erasure”.
The right to erasure, previously known as the right to be forgotten, allows people to request the deletion of the data collected on them. However, the data deletion request must be weighted against business needs and duties such as:
Legal obligations of retaining records for a specified period of time
The possible need for information in the event of future legal claims
Essentially, companies need to find a compromise between a person’s right to have their data erased and legal requirements for records retention.
What is a data retention policy?
A data retention policy is a set of guidelines that outlines the type of data collected, its purpose, and how long it will be stored. On top of that, it can also contain the deletion method that is supposed to be used. A good data retention and disposal policy ensures all essential data is stored in compliance with legal requirements and regulations.
What are the benefits of a data retention policy?
There are many benefits associated with having a data retention policy. Some of the most important are:
Reduced exposure in case of a data breach
In today's digital world, every business is a potential target for cyber crime. Hackers will spare no effort to get their hands on valuable personal data and exploit it for financial gain.
Cyber crime is a serious threat for businesses of all sizes. There are more and more examples of large companies falling victim to some sort of cyber attack. In October 2013, software company Adobe suffered one of the biggest data breaches of the 21st century. Over 150 million user records were stolen and Adobe had to pay a $1 million settlement to 15 states for the data breach.
This shows cyber crime is a serious threat and can cause significant financial loss. On top of that, data breaches can seriously damage a company’s reputation and disrupt business processes.
A strong data retention policy is a great defense against cyber crime. By deleting unnecessary data, you significantly reduce the potential damage that could be caused by a hacker.
Storage optimization and reduced costs
A major challenge for businesses that store large amounts of data is cost. Ongoing server maintenance and time spent on managing and securing documents are costly and time-consuming activities.
By deleting the data they no longer need, businesses can optimize file storage and significantly reduce costs. On top of that, data retention policies organize files to make them easily findable and accessible at all times.
Compliance with data retention laws and regulations
Improper data retention can result in hefty fines. Deleting records that you are legally required to keep for a certain amount of time can get your company in trouble. This has led to many employees keeping data just to be on the safe side. On the other hand, storing data for longer than necessary violates the GDPR’s requirements regarding data retention.
A data retention policy can help your company avoid penalties by clearly outlining how long each type of document needs to be stored according to relevant laws and regulations. No more second-guessing - employees will know exactly when they need to delete the data.
What are the different data deletion methods?
The GDPR does not specify the erasure method that should be used. However, it is safe to assume a secure deletion solution is required to make sure the deleted data can’t be recovered.
When it comes to data erasure, businesses have several methods to choose from:
Delete or reformat
Deletion means simply deleting a file from your device and emptying the recycle bin. However, this method does not immediately erase the data and allows it to be easily recovered from the hard drive.
Formatting the hard drive is a bit more secure than simply deleting the data. Even so, a computer expert would still be able to retrieve the erased files.
While reformatting is reasonably safe to use for low-risk data, critical documents will require a more secure deletion mechanism.
This method “erases” the data by encrypting it and then deleting the encryption keys. However, the security of crypto-shredding depends on the strength of the encryption method that is used. Hence, you need to make sure the encryption is very difficult to break.
This method permanently erases data by altering the magnetic field of the hard drive. Degaussing ensures that all data has been completely and permanently erased.
This method involves physically destroying the media on which data is stored. A wide range of storage devices can be shredded into tiny pieces using a heavy-duty shredding machine.
Destruction is only secure if the hard drive is properly destroyed.
There are many expert companies out there that can help you with data erasure and provide data erasure certificates. This way, even if the data is somehow recovered, you are not liable for the damages.
Most SMEs won’t need to take such radical measures to erase their data. However, it’s good to know about them just in case you ever need them.
The threat of fines for those who don’t comply is high. Therefore, companies need to implement secure data erasure practices to make sure deleted records can’t be recovered.
What are the best practices for data retention?
Identify and group the data your company holds into categories
Define data retention schedules for each category based on legal requirements
Inform data subjects about how long their information will be stored, how consent can be withdrawn, what rights they can exercise, and how
Keep the personal data for only as long as necessary:
- employee data is only needed for the duration of the employment relationship
- customer data should not be kept beyond the term of the business relationship (unless otherwise required by law)
Keep a record of the retention periods and their purpose
When data is no longer necessary, make sure to delete every single piece of information relating to a person – in every folder, register, database, mailing list, and backup server
If the data is stored on cloud-based applications, companies usually have to rely on the provider to carry out the erasure. Therefore, it is crucial to choose compliant service providers when subcontracting the processing of personal data.
What is Penneo’s data retention policy?
When a customer requests Penneo to delete their data, the record will be flagged for deletion in the database. Data flagged for deletion will be permanently deleted within 60 days of being flagged. To ensure a high level of security, the permanent deletion of documents can only be carried by at least two Penneo employees together.
If you want to request the erasure of your data, all you have to do is submit a request on our website. Our support team will acquire the necessary information and our DPO will proceed as requested. The request is usually fulfilled within a week.
In addition, Penneo provides automatic data deletion. Simply select:
when do you want to move the data to the recycle bin (default is 30 days after completion)
when should the items in the recycle bin be automatically deleted (default is 30 days after completion)
Our data retention policy also states:
Upon the expiry of the data retention period (depends on the subscription plan), Penneo keeps all the customer’s data for an additional period of 90 days
During the 90-days period, the customer has the right to request the deletion of the data
Penneo customers can obtain an audit opinion to check if the personal data has indeed been deleted from Penneo’s system
Penneo stores data until the customer deletes the data and/or requests Penneo to delete it. Data retention is included in the subscription price for the Penneo platform for 5 years