Erasure of Data
Data erasure mechanisms – how to keep an eye on a timely erasure
When establishing a record of processing activities, it shall be documented which personal data are processed by using which automated procedure and which concrete measures are taken in order to protect the data. This includes defining the periods during which the personal data are stored and after which they have to be erased. Such periods will not only be a crucial point of interest for the supervisory authority, but they also serve self-monitoring purposes.
How do you realise the erasure of data in practical terms and which periods apply? The GDPR does not define specific periods after which the data must be erased. As a result, many companies simply state that they will erase data once they are no longer needed and neglect to state specific periods during which data are saved. Such an approach not only makes an external audit more difficult, but it could give rise to the suspicion that the erasure of personal data has not been given due consideration. A good data management solution includes an archive function, deadline reminders and delete functions on the data level. Your company should make sure that storage periods are assigned to data categories and that these are regularly reviewed by the competent department, which also deletes those data categories for which the storage period has expired. Therefore, it can be a good idea for the contact persons of the various departments to use respective functions in their electronic calendars that issue a reminder whenever such a review is due.
Attention! With “the right to be forgotten” the GDPR grants data subjects who have consented to their data being processed the right to have their data erased the moment he or she withdraws the consent. In such a case, a company not only has to stop sending the data subject e.g. promotional emails, but it is also obliged to inform third parties (to whom the data has been transferred) of the data subject’s order to delete the data. Such data must then be erased.
“Mapping” of the technical and organisational measures
One of the important points to finalize the record of processing activities are the technical and organisational measures.To determine which specific safety measures are adequate, the interests of both the company and the data subjects concerned should be considered along with the purpose of the data processing operation, the data categories and other factors. Pseudonymisation, encryption, the implementation of entry controls, physical or electronic access controls, transmission control, order controls or a purpose limitation are adequate measures to legitimately process data according to the GDPR. Further measures could be a rights- and role-based access employee model or external audits.