We’ve all met a hoarder in our time, someone who lives amongst the clutter and appears to keep hold of things that no longer have a use. They just can’t bear to say goodbye.
Now, most of us may think that hoarding is harmless; if they’re happy then leave them be, which can be the case for tsunamis of Tupperware or endless stacks of newspapers. But since the introduction of the GDPR, the storage limitation principle means that data hoarding, or more specifically keeping personal data for longer than needed, is illegal.
Why limit the amount of data an organisation can hold?
There are a number of reasons why the storage limitation principle was included in the GDPR. Firstly, data gets old, and when it gets old it often becomes irrelevant or out of date. Inaccurate data is useless, so why keep it? Secondly, the more data you have, the more risk your organisation faces. It is a legal requirement for organisations to keep the data they hold secure, which means that you could be fined if some or all of that data is compromised. Thirdly, excessive data can become expensive. Digitisation now means that most of the data a business holds is no longer in filing cabinets but on hard drives or in the cloud. The more data you have, the more storage space you need to acquire, racking up unnecessary costs. Lastly, it’s time consuming. The more data you hold, the more time you’ll spend dealing with queries from individuals seeking to exercise their rights.
The key to only keeping the data that is needed is a retention policy that contains a clear set of rules on retention periods and erasure.
How long should you keep data?
Well, that is mainly up to what your organisation deems necessary. The GDPR does not specify how long you should keep personal data; it’s up to you to be able to justify the retention period based on your purposes for processing. You should ask yourself ‘do we need this data?’, which is quite different from ‘could this data be useful one day?’. The aim is a balance between not keeping the data too long, to comply with the storage limitation principle, whilst ensuring you don’t dispose of any data that is subject to minimum retention periods set by law.
Once you decide on retention periods it would be wise to go through your current data and ensure that it all complies with your newly published policy.
What to do with data that is too old?
So now we’ve determined that it’s not good to hoard data and it’s about time for a spring clean – what should we do with the data that is deemed too old?
Simply, there are two choices: delete it or anonymise it.
Deleting data doesn’t just mean taking it offline, it means putting the data beyond use. So, in short, you need to delete it from both live and backup systems so that it can no longer be used. Although this seems like an easy thing to do, for a data hoarder saying goodbye can prove too tough, but don’t worry! Although many data protection specialists will advise you to delete unneeded data, you can instead anonymise the data under the terms of the GDPR, meaning you can both comply with the GDPR and keep the anonymised information. Win-win!
Anonymisation is when personal data is turned into anonymous information so that it falls outside of the scope of the GDPR. You should anonymise data to the level that the risk of the re-identification of an individual is low. A nice middle ground for those people finding it too hard to let go.
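As an added illustration of the two options above (example code, not part of the original post), the following Python applies a constructed retention policy to a handful of made-up customer records: expired records are anonymised by stripping direct identifiers and coarsening date of birth and postcode, and the anonymised set is kept only if a k-anonymity check shows no individual stands out; otherwise those records are deleted. The retention period, the field names and the k threshold are assumptions for the example.

```python
from collections import Counter
from datetime import date

# Constructed sample records (not real people). The last-contact date
# is what the retention decision is based on.
RECORDS = [
    {"name": "A. Example", "email": "a@example.com", "dob": date(1984, 3, 2),
     "postcode": "BS1 5TR", "last_contact": date(2017, 6, 1)},
    {"name": "B. Example", "email": "b@example.com", "dob": date(1986, 9, 9),
     "postcode": "BS1 6AA", "last_contact": date(2017, 1, 15)},
    {"name": "C. Example", "email": "c@example.com", "dob": date(1980, 12, 30),
     "postcode": "BS1 4DJ", "last_contact": date(2016, 11, 3)},
    {"name": "E. Example", "email": "e@example.com", "dob": date(1977, 7, 7),
     "postcode": "BS1 2XY", "last_contact": date(2015, 8, 8)},
    {"name": "D. Example", "email": "d@example.com", "dob": date(1990, 5, 20),
     "postcode": "EH1 1AA", "last_contact": date(2020, 2, 2)},
]
RETENTION_DAYS = 2 * 365  # assumed period, justified by the processing purpose
QUASI_IDENTIFIERS = ("age_band", "area")  # fields that survive anonymisation


def is_expired(record, today):
    """True when the record has outlived the justified retention period."""
    return (today - record["last_contact"]).days > RETENTION_DAYS


def anonymise(record, today):
    """Drop direct identifiers and coarsen what remains: exact date of birth
    becomes a 10-year age band, the full postcode becomes its outward code."""
    age = today.year - record["dob"].year  # year-granular age is enough here
    return {"age_band": f"{age // 10 * 10}s", "area": record["postcode"].split()[0]}


def k_anonymity(rows, quasi_ids):
    """Size of the smallest group of rows sharing the same quasi-identifier
    values. A group of size 1 means that row is unique and re-identifiable."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in rows)
    return min(groups.values()) if groups else 0


def enforce_retention(records, today, k=2):
    """Split records into live, anonymised and deleted under the policy.
    Expired records are kept in anonymised form only if the anonymised set is
    k-anonymous; otherwise they are deleted (put beyond use)."""
    live = [r for r in records if not is_expired(r, today)]
    candidates = [anonymise(r, today) for r in records if is_expired(r, today)]
    if k_anonymity(candidates, QUASI_IDENTIFIERS) >= k:
        return {"live": live, "anonymised": candidates, "deleted": 0}
    return {"live": live, "anonymised": [], "deleted": len(candidates)}
```

Raising k raises the bar for what counts as a low re-identification risk; with these five records the anonymised set passes at k=2 but fails at k=3, at which point deletion is the only option left.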
It’s time to kick that data hoarding habit and get a retention policy in place to comply with the storage limitation principle of the GDPR. Once data gets past the specified retention period you have two options: delete the data or anonymise it. In the first instance you should look to delete unneeded data. Deleting the data means ensuring it is no longer usable. If you can’t bear to say goodbye to the data, anonymising it is also an option. Anonymising data means ensuring there is a low risk of re-identification. Either deleting or anonymising data is perfectly legal.
As long as your organisation has a clear and concise Retention Policy whereby the retention periods can be justified by the organisation’s processing needs, then you’re all set.
Data hoarder no more…
Written by Isabella Gibson
Isabella Gibson is a member of the norm. data protection team. She joins the team with a BSc in Biology from the University of Bristol and puts her well-developed research and data analysis skills to good use in her role.