There is increasing focus on the protection of personal identity information around the world. Over the past two decades, we have seen increasing regulation such as US HIPAA, US GLBA, Canada’s PIPEDA, the EU Data Protection Directive 95/46/EC and others around the world. The latest, most comprehensive, and the one that is front and center of concern to organizations globally is the EU General Data Protection Regulation 2016/679 (GDPR), which replaces the former directive. While this is an EU regulation, it has a global impact. All organizations – wherever they are in the world – that own or process the personally identifiable information (PII) of EU data subjects must comply with the regulation. It is extra-territorial, which means it applies everywhere in the world (so long as the PII of an EU data subject is involved).
Full compliance for organizations starts May 25, 2018, and applies to any organization that stores, processes or transfers the personal data of EU data subjects. It does not matter if the organization resides in the EU. Fines can be stiff, going as high as €20 million or 4% of global revenues of an organization, whichever is greater.
The regulation defines personal data as, “Personal data is any information related to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer’s IP address.”
To be compliant and mitigate the risk of data protection incidents, organizations need to address a range of requirements, such as:
- Establish a data processing officer
- Define and communicate policies and procedures with training
- Document data flows and processes
- Conduct data privacy impact assessments
- Implement, monitor and assess controls
- Prepare for incident response with 72-hour breach notification
- Integrate data privacy by design into business processes
- Ensure third parties are compliant
A critical component that cuts across these requirements is Article 30 of the GDPR, which covers the controls and responsibilities for keeping records of data processing and for the disciplined destruction of personal data that is no longer in use. This requires that organizations have defined data mapping, inventory and controls in data processing to ensure the appropriate disposition of data throughout its lifecycle.
Data retention and destruction under GDPR, and other regulations, require that personal data is retained only for as long as it is minimally necessary. Organizations are to keep personal data only for the period necessary to fulfill the purpose for which it was collected, and no longer.
While that seems straightforward, doing this is not easy for organizations. Because information use is so pervasive across the organization, it becomes difficult to delete personal data. Deletion goes against the natural inclination to save data and leverage it for uses beyond the reason it was initially collected, a practice that is a serious compliance breach of privacy laws.
One alternative that allows for compliance is the ongoing storage of data if it is obscured and anonymized to a point that it no longer identifies the data subject.
Complying with the law requires organizations to define and adhere to data retention and destruction policies that clearly define the use and disposition of personal data throughout its lifecycle. This means that organizations need to ensure that personal data is properly monitored in both structured and unstructured data, and that destruction or obscuration of this data is done at the appropriate time. The timing is governed by the purpose for which the data was originally collected. Once that purpose has been fulfilled, the data must be destroyed.
Addressing these requirements starts with reviewing and updating the organization’s data retention and destruction policies. This is followed by understanding the collection and use of personal data throughout the organization, which is done in the data process mapping requirements of GDPR. From this point, organizations need to ensure processes and controls are in place to guarantee the appropriate use, storage and disposition of this data in adherence to the policies and the law. Additionally, these retention and disposition requirements cross business boundaries and apply to information that is used and shared within the organization’s third-party relationships (e.g., vendors, outsourcers, service providers, consultants, contractors, temporary workers).
These are just some of the many reasons why it is a good idea to manage your privacy program and retention programs in an integrated and collaborative manner.