Unscramble outset
7/17/2023

Many people experience problems with retention. Whether that's information retention or employee retention. For some, hanging on to things can prove troublesome at the best of times.

The GDPR mentions right from the outset that organisations have a responsibility to retain data for "no longer than is necessary" for the purposes it was collected.

"Personal data shall be... kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed" - GDPR text, Article 5 (1)(e)

What does "no longer than is necessary" really mean? What about when we no longer need that data? Do we then need to get rid of data (meaning jettisoning it from our systems) after the period of necessity has elapsed?

There's more to the article above than meets the eye, so let's pull this apart.

"Personal data shall be... kept in a form which permits identification of data subjects." - The scope that is defined here states that we should be concerned primarily about data which can identify data subjects. That is, individual human beings ('natural persons' in data protection speak). The GDPR text later mentions retaining data in other forms and data that does not identify a data subject, but we'll get into that later on. If you can identify a natural person from your data and/or any other information which is likely to come into your possession (much like a customer record in any standard CRM system) then you should be mindful about how long it is retained.

"...for no longer than is necessary." - Now we come to the belly of the beast. What is truly necessary, and what does this mean in real terms? The good news is that the GDPR text is not so prescriptive as to define how long 'necessary' really is. That would be silly, as all organisations are different and there can be no 'one size fits all' approach. It's down to you to determine what kinds of data you hold (customers or prospects, active or lapsed) and how long it's necessary to hold on to each bit for.

"...for the purposes for which the personal data are processed" - Returning to that wonderful concept of scope for a minute, data is collected and processed for specific purposes, whether that is to fulfil an order, keep someone up to date with news and goings-on with your organisation, or to maintain the smooth running of a service. As you collect data for specific purposes, you are best placed to make the call on how long you need to keep that data (in a form that identifies a data subject) to serve those purposes and those purposes alone.

You may need to have different data retention periods depending on the purpose for which you are keeping the personal information. For example, if I have bought some goods and services from an organisation in the past, the organisation may decide it will only keep that personal information for seven years after the date of purchase in line with the maximum period under which I can make a contractual claim. However, if I then subsequently tell that organisation that I no longer want to receive direct marketing, then the organisation should add my details to their in-house suppression file. The organisation would need to keep minimal information on the suppression file indefinitely for suppression purposes.

Now, a word about a couple of words which are on everyone's lips: anonymisation, and its close cousin pseudonymisation.

As we now know, data which identifies a natural person can only be kept for as long as is necessary. However, the GDPR text states that you can hang on to data "for longer periods" for a number of defined reasons, including "statistical purposes", if certain measures are taken to safeguard the rights of your data subjects.