- Contact The DPO Centre
- +44 (0)203 797 1289
- hello@dpocentre.com
The GDPR is 2 today – too much, too little or too late?
May 25, 2020
UK ‘formally confirms’ to EU that it won’t extend transition period
June 16, 2020
Forget COVID-19 and Brexit, a recent DPO Centre poll of data protection professionals has revealed that from a list of 11 issues, their key challenges for the next 12 months are accountabilityPerhaps the most important GDPR principle, which requires controllers to take responsibility for complying with the GDPR and, document their compliance. and data retentionData retention refers to the period for which records are kept and when they should be destroyed. Under the General Data Protection Regulation (GDPR), data retention is a key element of the storage limitation principle, which states that personal data must not be kept for longer than necessary for the purposes for which the personal data are processed..
This insight was gained from over 500 responses provided by senior individuals across 5 key industry sectors during the DPO Centre’s “GDPR at 2 – Its Past, Present and (far from simple) future” webinar hosted by Data Protection World Forum and delivered in partnership with global top 30 law firm, Squire Patton Boggs.
Overall, the two key standout challenges identified were, as expected, demonstrating accountability, however more unexpectedly, data retentionIn data protection terms, a defined period of time for which information assets are to be kept. was identified as an equally concerning challenge.
Broken down by industry sector, financial services and education were the two sectors that considered these two issues of highest concern, however the same trend was seen across several sectors, indicating that it is a much wider issue and not one that is specific to a certain sector.
It’s also interesting that financial services and medical sector respondents did not rate breach management and reporting as a significant concern, when those are the sectors that are dealing with the higher volumes of sensitive and special category dataTypes of personal data listed in Article 9(1) GDPR that are considered sensitive and thus require extra protection. Article 9(1) lists data relating to: • racial or ethnic origin • political opinions • religious or philosophical beliefs • trade union membership • genetic data • biometric data • health • sex life • sexual orientation Where these types of personal....
So why is retention of such concern?
The move to remote working
The ‘new normal’ has demonstrated that employees do not need to be chained to their office desk and working from home has in some cases seen increased productivity and wellbeing. Google, Mastercard and many others have indicated that they see their employees working from home for the foreseeable future, and Twitter indefinitely. Business leaders could be looking at downscaling from their large city centre offices and driving down costs by promoting ongoing remote or home working. One subsequent question arising from this is “what will happen with all those boxes stored in the basement?”. Archiving and digital transformation projects drive the importance of a sound data retention regime as the business look to incur only the costs of digitising, scanning or storing whatever data is absolutely necessary.
Savvier Data Subjects
Through increased awareness and public understanding of data protection, Data ControllersEntities (such as an organisation) which determine the purposes and means of the processing of personal data. are receiving ever-increasing numbers of requests from data subjects seeking to enforce their rights under the law.
Poor data retention schemes mean that Data Controllers are further exposed and could result in unnecessary costs when complying with DSAR requests where data is retained for longer than is necessary, rather than managing data retention proactively in the first instance.
Conclusions
Whilst the webinar poll result does not provide specific reasons for the concerns it identifies, a number of differing factors will have contributed to this view being formed. The unique situation we are presently in has enabled DPOs to re-visit their action plans and objectives for the current year. Perhaps DPOs are feeling that now is the time to do the jobs, such as data deletion, cleansing and organising etc, they have previously been putting off and have therefore considered the current period we are in to be an opportunity to good to miss!
If you would like to watch the webinar recording, please click here.
If you would like to read more about data retention you can find our latest blog here