One of the most discussed topics in conferences and workshops is the proper management of personal data retention periods.
Tha fact that this topic generates such an interest is actually an anomaly.
In fact, the GDPR doesn’t introduce any innovation (except for sanctions) to the current privacy legislation, which rules at article 11 that data must be:
e) kept in a form which allows identification of the data subject for no longer than it is necessary for the purposes for which the data were collected or subsequently processed.
After all, the majority of requirements prescribed by GDPR have been in force for years, but only a few did comply.
Although I already dealt with the topic (The period for which the personal data will be stored), it seems appropriate to resume it in order to provide some indications on how to define an adequate data retention policy.
Determine the retention period
The retention period is connected to the processing purpose, therefore if the same information is processed for different purposes, it’s necessary to set different retention time limits as appropriate for each different purpose.
Some retention time limits are determined on the basis of external elements (such as legislative or contractual obligations…), while others are set by the Controller.
We should also consider the prescription terms within which an external party can take action against the Controller, and the delays between lodging and notifying a judicial document, these delays should be added as a buffer to the basic retention period.
In the event of litigation with clients/suppliers/administrations, a new processing purpose rises and, consequently, the retention periods which depended on the original purposes are overcome and a new distinct retention period must be determined.
Retaining personal data for longer than strictly necessary for the specif purpose can’t be justified by responding to eventual and hypothetical requests form the judicial and other inspection agencies.
We must understand that what determines the retention period is the purpose and not an instrument. For instance, in the case of electronic mail (which is actually an instrument and not a purpose), the retention period isn’t generically determined for all emails, but rather specifically determined for every single group of emails, defined on the basis of the purpose.
Media storage
Personal data are normally stored on different type of media, in digital form or analogue form, in a structured or unstructured form. They’re kept both at the Controller’s premises and at outsourcer’s and suppliers’. It is essential to adequately and thoroughly map (which may be fairly difficult and unlikely) personal data actually processed and stored on diverse media, in order to grant a proper and consistent retention periods management.
Indeed, it is useless to invest in the proper management of data retention on a specific media and forget that the same data are stored on other media as well.
It is clear that a proper and real retention periods management can’t be effective without a predefined media storage policy.
The very fact that most of the activities to comply with the GDPR are related to mapping processing and data locations points out that Controllers are not actually safeguarding their information assets.
Technical aspects
Retention periods can’t be determined regardless of technical considerations, connected to the specificities of each Controller.
The following considerations are valid; at retention period expiration, data must be:
- deleted, if physically possible
- limited as for the use, if the information is used for other purposes which imply longer retention periods and it is stored in a single database or in a single document.
As for the data deletion feasibility, technical problems may occur since such an operation could damage the database integrity or even other databases that use the same data.
Alternatively yo deletion, data anonymisation can be envisaged together with other techniques to make it unavailable to the Controller, although not physically deleting the relative record. This kind of operation might be justified on the bases that otherwise the information system could malfunction and therefore issues with accessing other information may occur.
In addition, actual deletion of single records from backup copies could be unviable, especially when these copies are on tape.
Also in this case, instead of an impracticable deletion, alternative operations can be envisaged, such as access to copies only for emergency or recovery and conservation of media storage with an adequate encryption and severe physical security measures.
Conclusions
Determining a proper data retention policy implies attention to all the above-mentioned issues, also with the aim to correctly reproduce it in the information sheets given to all involved parties.
(translated by Matilde Bobbio)
molto opportuno il richiamo di Butti al tema della data retention. in questo periodo sto raccogliendo centinaia di trattamenti (per inserirli nei registri), e quando si arriva alle domande sui criteri di conservazione, la colonna risulta troppo spesso desolatamente spoglia… sono del tutto d’accordo che non si tratta di una novità assoluta, ma in verità una piccola novità c’è (come segnalato anche nell’ultima riga del post): il gdpr chiede che i criteri di data retention siano indicati in informativa, cosa sinora non richiesta dal codice. il che forse costringerà le aziende a capire che non si può pensare nè “li tengo per sempre” nè “intanto li raccolgo poi definirò quanto tenerli”.
ci tengo inoltre a precisare alcuni dettagli: è vero che per alcuni trattamenti i termini MINIMI di conservazione sono definiti per legge, ma questi non vanno confusi con i termini massimi che il titolare deve definire e che potrebbero essere diversi (se coerenti con la finalità e coperti da opportuna base giuridica, diversa a in tal caso dall’obbligo di legge). in ogni caso anche volendo far coincidere minimi prescritti e massimi, voglio proprio vedere chi si sveglia la mattina e, prima di recarsi al lavoro, va nel magazzino esterno dove si conservano i vecchi contratti cartacei, estrae esattamente quelli scaduti da 10 anni, li distrugge e, solo dopo, si reca in ufficio… concederete che sia assai più probabile che si faccia pulizia una volta l’anno, quindi i termini saranno opportunamente indicati (ad es.) come “10 anni per obblighi di legge e max 1 anno ulteriore in attesa di distruzione periodica”.
inoltre non va dimenticato che i termini di conservazione sono relativi al trattamento, e non al dato, che potrebbe essere legittimamente trattato in azienda per finalità diverse, da reparti diversi e magari con sistemi diversi. questo deve essere ben tenuto presente da quei direttori sistemi troppo zelanti che pensano di rendere un buon servizio all’azienda introducendo ove possibile automatismi di cancellazione talebani allo scadere delle 24.00 del giorno X definito nel registro dei trattamenti, facendoli valere in modo assoluto sul dato a prescindere dai diversi possibili criteri di conservazioni tipici di diverse finalità (e relative basi giuridiche). molto più opportuno, come ricorda anche il post di Butti, ricorrere a tecniche di data masking per consentire la conservazione del dato (se opportuna) ed impedirne l’accesso (dove non più coperto da legittimità).