What Does the GDPR Say About Data Retention?

What is the GDPR?

Data protection laws have proliferated in recent years. From the Personal Information Protection and Electronic Documents Act in Canada to the California Consumer Privacy Act in the United States, legislation governing private data has sprung up across the world.

The GDPR, or General Data Protection Regulation, is one such law. A European Union regulation governing data protection and privacy in the EU and the European Economic Area (EEA), the GDPR was passed in April 2016 and became enforceable beginning in May 2018. It applies to organizations both within and outside of the European Union whose data processing activities are carried out in the context of business they do in the EU or EEA. Some examples of organizations that must abide by the GDPR include:

  • a Chinese e-commerce company with a Berlin branch
  • a French company that collects data on car-sharing customers in Morocco, Algeria, and Tunisia but that, by nature of being based in France, is considered to process customer data within the EU
  • a pharmaceutical company based in Stockholm but performing data processing in its Singapore branch

That said, the absence of a physical office in the EU does not automatically mean that a company will not be subject to these regulations. The GDPR also applies to the personal data of all people who are located in the Union and who are being offered goods or services or being monitored by a data processor. The wording of this provision is intentionally broad to include all people in the EU, regardless of their citizenship or legal status.

What does the GDPR require?

One of the strongest and most wide-reaching laws of its kind, the GDPR works to regulate the collection and use of personal data by governments and businesses. To comply with the GDPR, organizations must meet robust consent requirements, provide mandatory data breach notifications, and observe users’ rights to access and control their own data, including the “right to be forgotten.”

The aim of the GDPR is to increase privacy for people who live in European Union member states. It includes a number of protections to give people more control over their personal data, including how and by whom their information is used. It also requires companies to:

  • Receive informed consent before collecting or using someone’s data.
  • Explain how someone’s personal data is processed, used, shared, and stored.
  • Offer special protections for certain categories of sensitive data, including data about someone’s race, religion, political opinions, trade union membership, and health.
  • Provide protection for cookies and IP addresses.
  • Allow someone to move or transfer their own personal data to another provider.
  • Delete or correct someone’s personal data when requested.
  • And more.

Additionally, the GDPR encourages companies to build privacy protections into their systems, an approach also known as privacy by design. In other words, companies that process data from people in the EU must make sure they’ve implemented security measures to protect that data.

Who is bound by the GDPR?

The GDPR is an EU regulation, but it is extraterritorial in scope. That means that the GDPR impacts the data practices of any organization that offers goods or services to or monitors people in the EU — regardless of the organization’s own location. This includes US cloud providers, global data brokers, and any other third party that processes, collects, stores, uses, or shares the personal data of people in the EU.

The consequences of not adhering to the GDPR can be costly. As the Center for Strategic and International Studies notes, organizations in breach of the regulations can be fined up to 4% of their annual turnover or up to €20M, whichever is greater. As of September 2021, more than 800 fines have been issued, including a €50M fine for Google, an €18.4M fine for Marriott International Hotels, and a staggering €746M fine for Amazon.

In light of these serious fines and penalties, companies bound by the GDPR would do well to implement strong security measures and make sure they remain compliant.

What are the GDPR’s data retention policies?

In short, it depends. The GDPR doesn’t set a specific limit in weeks, months, or years as to how long an organization may retain someone’s personal data. However, it does require that identifiable personal data be stored for only as long as necessary to achieve the stated purpose for which it was collected. This is to help ensure that data retention — and thus data privacy risk — is kept at a minimum.

As a 2020 article by the National Law Review notes, “The longer a business retains personal data, the more opportunity exists for unauthorized and perhaps unlawful access, use, or disclosure of that data.” By minimizing the amount of time that someone’s identifiable personal data can be kept, the GDPR is minimizing the chance that that data can be exposed to unauthorized access, theft, extortion, and other forms of compromise.

Given the seriousness of individual data privacy under the GDPR, it should be no surprise that there are major financial consequences for organizations that don’t uphold these requirements. For instance, the Berlin Commissioner alone levied €14.5 million in fines for improper data storage and retention from 2018 to 2020.

A September 2016 paper featured by the International Association of Privacy Professionals notes that the “depersonalization” of data may also play a role in data retention considerations. “Effectively,” they write, “in order to comply with the ‘storage limitation’ principle businesses must affirmatively delete or return personal data — or retain data such that it is not ‘personal’ — if retaining such data is not essential for the purposes for which the data was collected.”

In other words, anonymizing or desensitizing personal information may strengthen organizations’ data retention practices. It will also help protect sensitive data and maintain data privacy — one of the foundations of the GDPR.

ShardSecure® desensitizes data to support GDPR compliance

ShardSecure’s patented Microshard technology™ desensitizes sensitive data at rest for better confidentiality and security through its three-step microsharding process. This process ensures that data is unintelligible and of no value to unauthorized users — including cloud providers outside the European Union.

Microshard technology was created for the express purpose of preventing unauthorized entities from reconstructing or identifying the original data, and multiple data integrity checks help ensure that data is not modified or tampered with.

To support GDPR compliance, Microshard containers may be distributed across different regions of a single cloud provider, across multiple cloud providers, or across a hybrid mix of on-premises storage and one or more cloud providers. The number and geographic locale of the storage locations are both user-configurable, meaning that the data owner remains in ultimate control of who has access and what jurisdictions are used. (That said, you should always speak with a GDPR expert for the latest information as it pertains to your industry and organization.)

Microshard technology also fits the GDPR’s description of split or multi-party processing in Use Case 5 of Schrems II, constituting an acceptable supplementary measure to safeguard transfers of EU personal data. Check out our detailed whitepaper on the subject to learn more.

For more information on how ShardSecure can improve your data security, data resilience, and business continuity, contact us today.


3 Years Later: An Analysis of GDPR Enforcement | Center for Strategic and International Studies

Guidelines 03/2018 on the Territorial Scope of the GDPR (Article 3), Version 2.1 | European Data Protection Board

The EU General Data Protection Regulation | Human Rights Watch

General Data Protection Regulation | Privacy International

CPRA Series: The Importance of Data Retention Schedules and Records Management Policies | National Law Review

The Impact of the GDPR on the Retention of Personal Data |