General Data Protection Regulation (GDPR) goes into effect. The GDPR harmonizes data protection and reshapes the way businesses approach data privacy. To achieve this goal, the GDPR holds businesses accountable for how they manage personal data in a digital world. In preparation, many are evaluating current practices and planning to bring their programs into compliance to avoid strict fines and penalties. However, there are challenges aligning current practices with the Data Protection Principles set out in the GDPR.
For our purposes, we’ll address the principle of “data retention periods,” which requires businesses to retain personal data only as long as necessary to achieve the purpose for which it was collected. This creates tension with the competing interests of records retention programs—where legal requirements generally set the floor—with the operational needs of the business. These operational needs often eclipse retention periods with deletion practices mandated by data protection laws that set a ceiling for retaining personal data. Accordingly, it is imperative to consider both and then effectively communicate clear guidance to employees to avoid unnecessary risk and exposure.
The main policy document for managing the lifecycle of records is the retention schedule, which identifies a period before a record is subject to disposal. Recent trends call for a “functional” schedule, whereby records with a similar purpose are grouped together and assigned a retention period. A subset of records (e.g., rejected job applications) or personal data within those functional groups are subject to mandated deletion practices. Consequently, unless specifically called out, end users that abide by the retention schedule may retain personal data for longer than permitted, which exposes the corporation to liability in the form of penalties, fines, and legal action.
To avoid this liability, we recommend the following actions:
- Effectively Communicate. Because the retention schedule is the primary document referenced for record retention, incorporate personal data restrictions in the published schedule. To do this, identify records and personal data subject to legal requirements, such as the GDPR and jurisdiction-specific restrictions, and offer a separate retention period for impacted records. Alternatively, citations specific to personal data restriction and the records impacted by them can be addressed in a separate document. This is attractive, as data protection restrictions often contain information that relate to the management of personal data and records that aren’t in the scope of a retention schedule e.g., exceptions to deletion or continued retention. However, for this approach to be effective, you must take steps to ensure there is continuity between the retention schedule and the separate data protection document.
- Identify and Train. Whether the restrictions are incorporated into the retention schedule or in a separate data protection document, train employees to read and interpret the subject documentation, as well as appropriate actions to execute their responsibilities.
- Understand Data Flow. You must understand how data flows and where information is ultimately stored, with a focus on personal data. This provides insight into the applications and systems through which personal data travels, as well as access points. Accordingly, understanding the data flow may identify a subset of employees that have access to the personal data or records that require more detailed processes, training, and communications.
- Augment Metadata. You may need to enhance information stores with additional metadata fields to capture personal data restrictions at the record level to help identify records so you don’t retain them longer than the law allows. For example, you may need to add a ‘PII’ flag to make queries for PII data within your repositories easier to obtain.
The GDPR and its impending effective date brings new awareness and urgency to businesses to assess current practices. However, these restrictions account for only part of the laws that currently exist from jurisdictions in and outside of the European Union. To avoid confusion amongst the workforce, restrictions on retaining personal data must be carefully vetted against current retention practices and associated documentation. You can identify and align the competing interests where they intersect by implementing sound strategies, some of which are noted above. Failure to proactively take these steps will lead to out-of-compliance-programs subject to severe sanctions.