The impact of the GDPR on US companies will be significant. One of the most difficult issues to overcome will be handling data retention. Creating a data retention policy is easy; implementing it will be significantly more difficult. Article 5 sets forth the principle that personal data may be maintained for no longer than is necessary for the purposes for which the personal data is collected. While prolonged storage is permitted if the data is anonymized so that it no longer allows identification of the data subject, failure to delete and/or anonymize data could trigger significant administrative fines for noncompliance.
Personal information is collected through external processes (for example, lead generation, consumer profiling, media pitching and database management) and internal processes (for example, recruitment, hiring and vendor relationships). The GDPR requires companies to maintain higher standards of transparency, security and accountability in the way they collect, use and store data. It is essential to prepare a case study for each class of data collected (customers, employees, etc.) and to compile support for maintaining that data for a set period of time, after which it will be deleted. Fines are steep.
Understanding what data may be maintained, what data must be deleted, and when, is one of the biggest hurdles to ensuring compliance. Many companies have maintained a central database while also allowing data to be stored on employee laptops. This practice must now be replaced with strict policies that establish a central repository with clearly identified categories of data, each with its own deletion deadline.
Let us help you with this hurdle to GDPR compliance.