Organization may store personal data only when there is a legitimate reason for data retention. Retaining redundant or unnecessary data exposes the organization to security threats. Anyone can be breached or hacked.
GDPR emphasizes data minimization, both in terms of the amount of data stored and the duration of their storage. Summarizing the legal requirements, Art. 5 GDPR states that data retention may not take longer than it is necessary for the purposes for which they are processed. The retention period of personal data should be limited to a strict minimum. Therefore, organizations must ensure that personal data is safely deleted when it is no longer needed.
A checklist for minimizing data processing (source ICO):
We only collect personal data that we actually need for specific purposes.
We have enough personal data to pursue these purposes properly.
We periodically review the data we hold and delete anything we do not need.
Make sure your organization is transparent about data retention. You must ensure that all personal data records, including copies or duplicates, are always properly managed. Given that different data types will have different retention periods, it is imperative to continuously monitor the legal grounds and the associated data retention schedule. After the retention period has expired, it is important that the data is archived or deleted as scheduled.
After the relevant data retention period has expired, the data does not need to be completely erased. In certain circumstances, it may be sufficient to anonymize the data, for example, by removing unique identifiers or deleting individual information that identifies people specifically. For this purpose, youcan use our SensID Mask product.
With regard to data retention, special attention should be given to “special categories of data”. According to the GDPR, this includes data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data, health data or data concerning a person’s sex life or sexual orientation. If such personal data is collected or received and stored, you should ensure that it is only processed in accordance with the requirements of the GDPR.
Automation of data retention process
Data deletion control
Ensuring that personal data or documents have been completely removed from all data sources.
Implementation of an end-to-end process
Possible as well for IT systems that do not support in-house data retention function.
A comprehensive approach
Support for both database sources, network resources and mailboxes.
Removal / de-identification
Performed using Robotization (RPA) or API data source.
