At Nymity, we often get questions regarding the retention of personal data under various laws. Article 5(1)(e) of the GDPR stipulates that data must be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” Barring some exceptions, this means the data at some point will need to be deleted or de-identified.
The new Brazilian law, the LGPD (after its Portuguese abbreviation), also contains a provision stating that personal data should be deleted once the processing is completed. In order to deal with deletion requirements, whether under the GDPR, the LGPD, or another law, a data retention policy needs to be established. In this blog, we will give you some pointers on what such a policy could contain.
Identifiability of data
It is important to realize that the obligation to retain data for no longer than is necessary, as the GDPR puts it, only applies to personal data that are still identifiable. This means that if an organization is indeed able to take away all identifiable markings from a dataset, the remaining data could be kept indefinitely. It is the same in Brazil. Anonymized data that are not shared with anyone can be processed without any legal obstacles. However, full anonymization is not an easy feat.
In 2014, the European Data Protection Working Party adopted an opinion on the use of anonymization techniques that describes how data can be anonymized in such a way that it cannot be reversed. Although the technology has progressed, and an update of the opinion might be useful, the criteria given to assess whether a dataset has been truly anonymized are still relevant:
- Is it still possible to single out an individual;
- Is it still possible to link records relating to an individual; and
- Can information be inferred concerning an individual?
Only if the answer to all three questions is NO has full anonymization been achieved.
Organizations should bear in mind that even datasets that have been depersonalized with the greatest care could still be regarded as personal data, if combining them with other datasets allows individuals to be singled out. The research project, Unique in the Crowd, from MIT and the University of Louvain, showed that four data points were sufficient to single out over 95% of individuals.
This project, which involved 1.5 million individuals and lasted over a year, showed that full anonymization is not impossible, but it is difficult. Relying only upon de-identification might, therefore, not be enough to demonstrate compliance with the data retention requirements. At some point, full deletion of data might be required.
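The three questions above can be run as a first-pass check on a dataset before deciding it may be kept indefinitely. The following is an added example, not code from Nymity or from the opinion; the records, the external dataset, the column names and the choice of quasi-identifiers are all constructed assumptions, and the linkability test is simplified to an exact match against one external dataset.

```python
from collections import defaultdict

# Constructed sample: direct identifiers were already stripped from RECORDS.
RECORDS = [
    {"zip": "1011", "birth_year": 1980, "gender": "F", "diagnosis": "asthma"},
    {"zip": "1011", "birth_year": 1980, "gender": "F", "diagnosis": "diabetes"},
    {"zip": "1011", "birth_year": 1980, "gender": "F", "diagnosis": "asthma"},
    {"zip": "1012", "birth_year": 1975, "gender": "M", "diagnosis": "asthma"},
    {"zip": "1012", "birth_year": 1975, "gender": "M", "diagnosis": "asthma"},
    {"zip": "1013", "birth_year": 1990, "gender": "F", "diagnosis": "flu"},
]
# Constructed second dataset that still carries names (e.g. a customer list).
EXTERNAL = [
    {"name": "constructed-person-A", "zip": "1013", "birth_year": 1990, "gender": "F"},
    {"name": "constructed-person-B", "zip": "1011", "birth_year": 1980, "gender": "F"},
]
QUASI_IDENTIFIERS = ("zip", "birth_year", "gender")  # assumed for this sample
SENSITIVE = "diagnosis"

def equivalence_classes(records, quasi_ids):
    """Group records that are indistinguishable on the quasi-identifiers."""
    classes = defaultdict(list)
    for rec in records:
        classes[tuple(rec[q] for q in quasi_ids)].append(rec)
    return classes

def singled_out(records, quasi_ids):
    """Question 1: records that are alone in their class."""
    return [g[0] for g in equivalence_classes(records, quasi_ids).values() if len(g) == 1]

def linkable(records, external, quasi_ids):
    """Question 2 (simplified): external rows matching exactly one record here."""
    classes = equivalence_classes(records, quasi_ids)
    return [e for e in external
            if len(classes.get(tuple(e[q] for q in quasi_ids), [])) == 1]

def inference_risk(records, quasi_ids, sensitive):
    """Question 3: classes whose members all share one sensitive value."""
    return [key for key, g in equivalence_classes(records, quasi_ids).items()
            if len(g) > 1 and len({r[sensitive] for r in g}) == 1]

def assess(records, external, quasi_ids, sensitive):
    """Answer the three questions; 'anonymized' is True only if all are False."""
    risks = {
        "single_out": bool(singled_out(records, quasi_ids)),
        "link": bool(linkable(records, external, quasi_ids)),
        "infer": bool(inference_risk(records, quasi_ids, sensitive)),
    }
    return {**risks, "anonymized": not any(risks.values())}
```

A clean result from a check like this only covers the quasi-identifiers and external data it was given, which is why combining with further datasets remains a concern.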
It is hard to predict the point at which full deletion is in order. It is, first of all, dependent on the purpose of the processing (What is the organization trying to achieve?), as well as on the specificities of the data (What types of data are being processed, in what volume, and how sensitive are they, etc.?). A good understanding of the data being processed is required to help make decisions on how long data can be retained.
In most cases, it will not be possible to stipulate in a data retention policy an exact timeframe when data will be deleted. For example, when processing data as part of a contract, it is self-evident that data will be processed for the duration of the contract.
In such a situation, a retention policy might state that the data are retained “for the duration of the contract and X months thereafter,” where X is dependent on the nature and volume of the data. Similarly, for data processed on the basis of consent, the policy could state, “data are retained until the moment consent is withdrawn.”
In other situations, it will be easier to mention a specific timeframe in a policy, such as in the case of a legal obligation. In many countries, some personal data will need to be retained for tax purposes for a finite number of years. The number of years could be included in the retention policy, including the reference to the relevant legislation (which is not an explicit legal requirement, but is helpful for the individual from a transparency perspective).
Many data protection laws contain exceptions to the obligation to delete personal data when the purpose of the processing is realized. Often, these exceptions exist in relation to the processing of data for statistical purposes, or in order to be archived or made available for scientific or historical research. These are rather broad exceptions that can be used at will by the organization processing personal data. However, the accountability principle does apply here, and organizations will need to be able to explain why they rely upon the exception.
Multiple retention times
Setting retention times is not as straightforward as the laws may make it seem. It could very well be that the same dataset has multiple retention periods attached to it, depending on the purposes for which data are processed. For example: if a person makes an online purchase in the European Union and provides their details to the company, the company will first of all process the data to complete the sale (purpose 1 – performance of a sales contract) and subsequently send some marketing messages to the individual (purpose 2 – direct marketing based on legitimate interest).
Finally, personal data of the individual will need to be passed on to the tax authorities in relation to the payment of sales tax (purpose 3 – legal obligation).
All in all, one simple transaction can have many retention purposes, with many different legal bases, all of which can cause many different retention periods. This doesn’t mean that the longest period will apply to all processing, however. Instead, as purposes are fulfilled, data can no longer be processed for that purpose and thus can no longer be accessed by the employees of the organization responsible for that specific purpose.
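The online-purchase scenario above can be expressed as a per-purpose retention schedule that an access layer or deletion job evaluates. This is an added example, not Nymity's software; the field names, event names and retention periods are constructed placeholders standing in for the "X months" and "number of years" a real policy would set.

```python
from datetime import date, timedelta

# Constructed policy: each purpose lists the fields it needs, the event that
# starts its clock, and a placeholder period to keep the data after that event.
POLICY = {
    "sales_contract":   {"fields": {"name", "address", "order"},
                         "anchor": "contract_end", "keep_days": 90},
    "direct_marketing": {"fields": {"name", "email"},
                         "anchor": "marketing_objection", "keep_days": 0},
    "tax_obligation":   {"fields": {"name", "order", "invoice"},
                         "anchor": "invoice_date", "keep_days": 7 * 365},
}
ALL_FIELDS = set().union(*(p["fields"] for p in POLICY.values()))

def active_purposes(events, today):
    """Purposes whose retention period has not lapsed.

    `events` maps anchor names to dates; a missing anchor means the event
    (contract end, objection) has not happened yet, so the purpose is open.
    """
    active = set()
    for name, rule in POLICY.items():
        start = events.get(rule["anchor"])
        if start is None or today <= start + timedelta(days=rule["keep_days"]):
            active.add(name)
    return active

def accessible_fields(purpose, events, today):
    """Fields staff working on `purpose` may still read; empty once it lapsed."""
    if purpose in active_purposes(events, today):
        return set(POLICY[purpose]["fields"])
    return set()

def deletable_fields(events, today):
    """Fields no active purpose needs any more: delete or de-identify them."""
    needed = set()
    for purpose in active_purposes(events, today):
        needed |= POLICY[purpose]["fields"]
    return ALL_FIELDS - needed
```

Fields drop out one purpose at a time rather than all waiting for the longest period, and only when no purpose remains does the whole record become deletable.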
Data retention policies can help organizations remain compliant with relevant retention laws. If you need assistance with your data retention policies, Nymity has software solutions that can help.