You’ve probably already heard of the GDPR, or General Data Protection Regulation, the European regulation that governs how personal data may be lawfully collected, processed, used, protected and otherwise handled. You should also know that it sets specific requirements for how that data is stored.
👀 We know it can get quite complicated! That’s why we’ve compiled a quick guide with everything you need to be aware of. Let’s dive in!
How should GDPR data be stored?
There are a few specific requirements you must follow when you want to store data and be compliant with the GDPR.
First, data storage needs to be in line with the main principles of GDPR, including:
💡 Learn more about data security here.
Here are some additional and important guidelines from the European Data Protection Board:
📌 Personal data collected should not be stored if it is not necessary for the purpose of the processing;
📌 Limit the retention period to what is necessary for the purpose;
📌 Delete or anonymize data by default when no longer necessary:
👉 the length of the period of retention depends on the purpose of the processing in question;
👉 the controller should have systematic procedures for data deletion or anonymization embedded in the processing.
You should limit the retention period (the duration for which the data is stored and used) to what is necessary for the purpose, the “why” of the processing. In practice, how long you keep the data depends on how long you actually need it for that purpose.
Once you have mapped and categorized all the data you collect, the data retention policy is the internal assessment that defines, for each processing activity, what data is stored, for how long, where, and what happens to it when it is no longer needed.
It is important to regularly review this policy, as well as update data retention periods.
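To show what “systematic procedures for data deletion or anonymization embedded in the processing” can look like in code, here is an added example that is not part of this guide or any product it describes. It encodes a hypothetical retention schedule (purpose, retention period, action) and runs it against a constructed in-memory SQLite table of personal data: expired records are deleted or stripped of identifying fields according to their purpose, records whose purpose has no policy entry are reported rather than silently kept, and a dry-run mode lets you review the effect before anything is changed. The table name, column names, purposes and periods are all assumptions for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Hypothetical retention schedule keyed by processing purpose. The periods and
# actions are illustrative only; each entry mirrors one line of a retention
# policy: purpose -> (retention period, what happens after it expires).
RETENTION_SCHEDULE = {
    "order_fulfilment": (timedelta(days=6 * 365), "anonymize"),  # keep the record, drop the identity
    "newsletter": (timedelta(days=365), "delete"),
    "support_ticket": (timedelta(days=90), "delete"),
}

# Columns that identify a person; anonymization blanks exactly these.
# This is a fixed constant, never user input, so it is safe to splice into SQL below.
IDENTIFYING_COLUMNS = ("email", "name", "ip")


def sample_now():
    """Fixed 'current time' so the constructed sample data is reproducible."""
    return datetime(2024, 6, 1, tzinfo=timezone.utc)


def build_sample_db(now):
    """Create an in-memory SQLite table filled with constructed sample records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE personal_data (
               id INTEGER PRIMARY KEY,
               purpose TEXT NOT NULL,
               email TEXT, name TEXT, ip TEXT,
               collected_at TEXT NOT NULL,
               anonymized INTEGER NOT NULL DEFAULT 0)"""
    )
    rows = [  # constructed sample data (RFC 5737 test addresses)
        (1, "newsletter", "a@example.com", "Ann", "192.0.2.1", now - timedelta(days=400)),          # expired: delete
        (2, "newsletter", "b@example.com", "Bob", "192.0.2.2", now - timedelta(days=10)),           # within period: keep
        (3, "order_fulfilment", "c@example.com", "Cy", "192.0.2.3", now - timedelta(days=7 * 365)),  # expired: anonymize
        (4, "support_ticket", "d@example.com", "Di", "192.0.2.4", now - timedelta(days=91)),        # expired: delete
        (5, "marketing_experiment", "e@example.com", "Ed", "192.0.2.5", now - timedelta(days=1000)),  # no policy: report
    ]
    conn.executemany(
        "INSERT INTO personal_data (id, purpose, email, name, ip, collected_at) VALUES (?, ?, ?, ?, ?, ?)",
        [(i, p, e, n, ip, ts.isoformat()) for i, p, e, n, ip, ts in rows],
    )
    conn.commit()
    return conn


def enforce_retention(conn, now, dry_run=False):
    """Apply RETENTION_SCHEDULE to every row and return a summary of row ids.

    Rows whose purpose has no policy entry are never touched; they are listed
    under 'unknown_purpose' so the gap in the policy surfaces in the report.
    Already-anonymized rows are skipped, so the job is safe to run repeatedly.
    """
    summary = {"deleted": [], "anonymized": [], "unknown_purpose": []}
    rows = conn.execute("SELECT id, purpose, collected_at, anonymized FROM personal_data").fetchall()
    for row_id, purpose, collected_at, anonymized in rows:
        policy = RETENTION_SCHEDULE.get(purpose)
        if policy is None:
            summary["unknown_purpose"].append(row_id)
            continue
        period, action = policy
        if now - datetime.fromisoformat(collected_at) < period:
            continue  # still within its retention period
        if action == "delete":
            summary["deleted"].append(row_id)
            if not dry_run:
                conn.execute("DELETE FROM personal_data WHERE id = ?", (row_id,))
        elif action == "anonymize" and not anonymized:
            summary["anonymized"].append(row_id)
            if not dry_run:
                blanks = ", ".join(f"{col} = NULL" for col in IDENTIFYING_COLUMNS)
                conn.execute(f"UPDATE personal_data SET {blanks}, anonymized = 1 WHERE id = ?", (row_id,))
    if not dry_run:
        conn.commit()
    return summary


def remaining(conn):
    """Rows left in the table, for inspection after a run."""
    return conn.execute("SELECT id, purpose, email, anonymized FROM personal_data ORDER BY id").fetchall()


if __name__ == "__main__":
    now = sample_now()
    conn = build_sample_db(now)
    print("dry run:", enforce_retention(conn, now, dry_run=True))
    print("applied:", enforce_retention(conn, now))
    for row in remaining(conn):
        print(row)
```

The important design choices are that the schedule is data, not scattered `if` statements, so it can be reviewed alongside the written policy; that anonymization keeps the record but removes every identifying column, which is what lets a purpose such as invoicing outlive the person’s identity; and that an unmapped purpose is an error to report, because a row with no retention rule is exactly the data the regulation says should not be kept indefinitely. In a real deployment the report would go to an audit log and the job would run on a schedule.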
💡 Find out the best practices for setting up a data retention policy here.
🔍 Check out our guide on how to store this type of data
The controller, the processor or the person in charge of data privacy in your company (typically the Data Protection Officer) should evaluate the risks inherent in the processing. For this, carrying out a Data Protection Impact Assessment (DPIA) is recommended, and under Article 35 of the GDPR it is mandatory where the processing is likely to result in a high risk to the rights and freedoms of individuals.
A Data Protection Impact Assessment is a process that can help you analyze and minimize the risks connected to the processing of personal data.
💡 Take a look at our DPIA template in this guide!
Under the GDPR, one of your main obligations as a business is to implement appropriate measures and safeguards so that the data protection principles and the rights of data subjects are respected.
These measures usually include: