Retention period: A minimum or a maximum?

November 03, 2017
Written by Paul Hammersley

As Senior Vice-President of the ALM Products at EPI-USE Labs, Paul Hammersley's portfolio includes test data management, landscape optimisation, and archiving. He has been a remarkable technical force in the SAP arena for over 20 years, and has extensive hands-on experience of implementing Data Sync Manager (DSM) and helping clients to manage data across the breadth of their SAP landscapes.

 

GDPR retention period
GDPR: are retention periods being considered a minimum or a maximum?

I’ve recently been in several meetings where a Data Protection Officer (DPO) or internal legal advisor has been discussing GDPR with IT team members. Interesting to see people with very different backgrounds and responsibilities discussing the various challenges of GDPR they are facing jointly. Several of the DPOs were keen to stress that a lot of the elements affected by GDPR are already in force as a result of existing country legislation created to comply with  the 1995 Data Protection Directive. For them, GDPR was in many ways welcome, because it’s ensuring that organisations take their obligations very seriously - even if those obligations are already there now, but have perhaps been overlooked.

There were many interesting discussions and viewpoints, but I also noticed in many cases a disconnect in the how the two different worlds communicate on the same topic.

Let me give you one example that I think explains this. If an organisation has a detailed ‘Data Retention policy’ which states that data type x is kept for five years, does that just mean that the data is kept for at least five years, or also that the data is actively destroyed when it is five years old? Several DPOs/Auditors spoke of an existing retention policy with the clear assumption that the latter is the case. No-one from the IT teams wanted to challenge that, and explain that although the retention policy was there, it wasn’t driving any active removal of older data. The IT teams' understanding was that data had to be retained for at least this time period, but not that it had to be destroyed when it passed that age.

With GDPR, these conflicting views on what a retention policy means will be exposed, and will need to be resolved - the sooner the better. While document management systems normally have a built-in retention period that focuses on removing old data, the majority of IT systems do not, and so organisations will be looking for technology solutions that they’ve never previously thought they needed.

Don't know where to start with GDPR and SAP? We do!

 

 

Explore Popular Tags

GDPR Data Privacy Data Security Data Secure GDPR compliance Data Redaction data scrambling General Data Protection Regulation Data Redact POPI Act POPIA SAP Data Security SAP GDPR Data Archiving Data Sync Manager SAP data privacy and compliance Right to be forgotten Data privacy compliance Data privacy regulations GDPR readiness GDPR deadline Personal data SAP SAP security GRC for SAP SAP systems Access Risk management Access risk controls Data minimisation Data security breaches Governance, Risk Management and Compliance (GRC) SAP data privacy and security compliance COVID-19 Data Privacy suite Data privacy by design Risk monitoring SAP data copying and masking SAR Soterion Subject Access Request anonymised data Australian Privacy Act 1988 CCPA Cenoti Client Sync Data Protection Day Data masking European operations Federal Law GDPR fine Guest order ICO May 2018 Object Sync One-time customer Privacy by Design Reducing risk Right to Erasure Risk minimisation S/4HANA Migrations SAP S/4HANA SAP data SAP data privacy & security Secure scrambled production data for testing Test Data Management security breach Backlog privacy debt Black Friday Black Friday hangover Black Friday sales Breach Notification Brexit Budget Canada data privacy legislation Cenoti, connecting SAP with Splunk Cloud migrations Confidentiality Consent DSM DSM Readiness Assessment Data Portability Data Removal Data Replication Data Sync Manager (DSM) Data integrity Data processor versus controller Data retention rules Documentation EPI-USE Labs’ solutions Employee data Europe Friday 25 May 2018 GDPR-type legislation GRC GRC for SAP tools General Data Protection HCM HR ILM Information Commissioner’s Office Information transfer Infotype 41 JSOX New Zealand Privacy Act Online shopping Penalties Phantom Proportional Data Protect personal employee data Removing data in SAP Right to Access Rise with SAP Risk management S4HANA SAP Cloud SAP Data Privacy Suite SAP RISE SAP SuccessFactors SAP access risk simulations SAP data encryption SIEM SOX Sarbanes-Oxley (SOX) legislation Security Security Information and Event Management Security for SAP. Live Sensitive HCM data South African data privacy legislation Splunk Splunk UBA Splunk’s Enterprise Security Success Factors Territorial Scope UK Government User Access Review Virtual conference What does the European GDPR mean for Australia? ebook masking rules quality of test data system copy uk sox
+ See More

Get Instant Updates


Leave a Comment: