The General Data Protection Regulation (GDPR) has its feet firmly under the table in the European Union, and most of the headlines focus on data breaches of Personal Identifiable Information (PII). Although data security is an important part of data protection, Article 5(1) of the GDPR sets out seven key principles covering how personal data should be managed. One of these principles explicitly stipulate that PII “data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.” In other words, don’t forget about data retention.
Interestingly, in late 2019, we saw the first case where a Germany real estate company was fined 14.5 million EUR for failing to have adequate data retention controls in place. The data was not breached and or shared with any non-compliant third parties, but failing to have internal data retention controls is, in itself, a breach of privacy rules.
A common trap that companies fall into is ‘data hoarding’ - physical storage or electronic (e.g. vendor) systems which host data that are just forgotten about and not deleted in a timely and safe way. There may be many reasons for this; it could be because the person responsible for the system leaves, a new system is taken on, or the visibility of these forgotten-about data hoards is just simply lost.
This reminds me of one of the many ways you could use Qlik as part of your data protection strategy to ensure your organisation’s own compliance.
Gone But Not Forgotten - Are You Keeping Your Data Too Long?
It is critically important to have clearly define data retention polices if holding personal data is necessary for your organisation. Clear visibility of the personal data that you are holding is required to enforce these polices. Do you know what type of data you are storing? Do you know how you obtained it? And, most critically, when you obtained it?
GDPR is quite vague on just how long is necessary. Nonetheless, the best practice is to be able to report on how long you have held the data, combined with other data, such as when was your last interaction with the individual about whom you have the data. If you can do this, then you can decide whether you are unnecessarily hoarding that personal data and take action.
For example, have they been on your mailing list for several years but never became a customer? Have they been inactive for some time and now their personal data is buried deep within your database archives gathering digital dust? Check out our Qlik Sense GDPR demo app for examples of how you could enforce your data retention polices.
Does Data Exist When You Can’t See It: Managing Sensitive Data With Data Catalogues
In addition to having a good data analytics platform, another way to better manage your data and avoid stockpiling unused data is by using a modern data management solution that can help you build enterprise-wide governed data catalogues.
GDPR Article 5(1) is about managing personal data with “integrity and confidentiality.” There are cases when you need to hold personal data and your employees need to work with it; however, not everyone needs to see the content in order to work with the data. Being able to anonymise the data in the correct way is very important to staying compliant; data masking is one way.
When it comes to preparing data, your data stewards need to make sure data polices and security standards are enforced, and sensitive data is properly handled. The good news is that Qlik can help your data delivery teams transform your traditional data supply chains to more dynamic, self-service data marketplaces in a secure and governed manner.
With Qlik Data Catalyst you can:
- Improve your consumers’ ability to find the right dataset
- Systematically enforce and monitor your data policies and usage
- Ensure sensitive or personal data is automatically masked
In Summation: Keep on Top of Regulations
There are many more complexities about GDPR and many more data protection regulations around the world, either already enforced or becoming enforced in the future. Therefore, it’s important to keep on top of the regulations relevant to your business by seeking legal counsel on best practices, ensuring everyone in your organisation is aware of the polices in place and is using technology in responsible ways to remain compliant and avoid the risk of large fines and loss of reputation.