Gericke is responsible for marketing systems management and data analytics at EPI-USE Labs. He is a qualified ISO 27001 Lead Implementer and has an MA in Socio-informatics (Decision Making Theory). He has spent most of his career in IT, strategy consulting and software development.
How long can you keep data? In the seventh article in our series on GDPR and POPIA we look at the rules and exceptions for archiving data on systems. Read on:
You haven’t heard back from them in three weeks. It is right about this time the sinking realization occurs that they might just not be that into you. You scroll through your messages and smile at the good times you had. Who knows, maybe they are just busy. For now, you will hold on to their details and archive their messages for future reference.
When a data subject no longer has a purpose on your systems, they would normally need to be removed. However, there is some leeway in both GDPR and POPIA for keeping data beyond its useful lifetime for statistical or archival purposes.
In this article, we will review under which circumstances data may be retained. We will also look at how retention should be balanced against the rights of the data subject.
Data may only be retained as long as there is a legal basis for doing so, and/or consent applies. Both GDPR and POPIA allow for data retention for the purpose of archiving, but these allowances are balanced with the rights of the data subject to have their data redacted or removed.
Data retention is bound to two main factors, namely that of the legitimacy of the purpose for processing, and that of consent.
We already know that we need a legal basis for processing, and that consent can be withdrawn, but both GDPR and POPIA provides a specific exception for data retention beyond the expiration of purpose.
GDPR, Article 89, Paragraph 1 states: “Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject.”
In Section 14, Paragraph 2 POPIA states: “Records of personal information may be retained for periods in excess of those contemplated in (1) for historical, statistical or research purposes if the responsible party if the responsible party has established appropriate safeguards against the records being used for any other purposes. ”
In both cases, archiving takes the data out of circulation. Archived data can no longer be processed for any other purpose, and must be kept secure.
Archiving is only allowed if it aligns with the stated purposes, and for many of these purposes, the personal data can be anonymized. This creates a problem when it comes to the question of backups and snapshots which will be discussed in our next article.
When it comes to the archiving process, there should be due attention given to both organizational and system safeguards. These safeguards need to address data security as well as prohibiting the use of archived data for other purposes.
If data is retained for statistical purposes only, anonymization is the best route to take.
After being duly chastised for letting the weird neighbour store your date’s information, you now make sure that it is all stored safely in the cloud. To get the data back you need biometric access, a pin, and 2-factor authentication. Now to make sure that you don’t forget that pin…
The rule of thumb is this: You can keep data after its purpose expired if you archive it safely. If the data is used purely for statistical purposes, consider anonymization as part of your strategy.
Are you POPIA compliant? We recently hosted a webinar that tells you more about:
Click here to view it for free.
Deleting data from SAP systems is non-trivial. With data spread over many different tables and systems, deleting any data can lead to an inconsistent system. Client information, for example, can be stored in ERP, CRM and BW systems. If you decide to archive data as a means of complying with GDPR and POPIA, you have to keep in mind that archiving is still a form of data storage and doesn’t necessarily comply with “right to be forgotten" clauses.
The onus is still on you to prove why you need to retain this data, even when the data subject requested data to be removed, or the lawful basis is no longer valid. In some cases this is clear cut. For financial and payroll information, laws require that you retain data for a minimum period. In most cases the data retention requirement is a complex problem. You might need to keep some data for a longer period, like safety information, while other data like detailed pay information needs to be retained for shorter periods. This means that some data relating to a data subject might need to be retained longer than others, so you have to be able to selectively delete data.
Agreeing on these detailed data retention policies is one of the areas that companies struggle with the most during privacy compliance projects. Once the business rules have been captured in a policy, archiving or a product like EPI-USE Labs' Data Retain can be used to help automate the selective redaction of personal data to ensure continued compliance.