GDPR data mapping: documenting basis and retention
GDPR data mapping is a multifaceted task that can aid data protection staff in their work on a day-to-day basis. One important aspect of having a complete inventory is mapping all the personal data you hold, and documenting the legal basis as to why you handle people’s personal data. Added to that, you need to have policies in place which define the length of time you hold the data: the retention period. Let’s take a closer look at how to document the legal basis for processing and the retention periods for your GDPR data map.
Consent and retention
Different categories of personal data are obtained for different purposes. Defining the categories and where personal data is stored is the best way to start mapping data in your organization to comply with privacy regulations such as the GDPR. Once you have categorized the data and specified why it is held, you can then move on to documenting the legal basis and retention period for each category.
GDPR legal bases for processing personal data
There are six different legal bases for storing and processing personal data:
- Legal obligation
- Vital interest
- Public task
- Legitimate interest
Let’s take a closer look at each of the legal bases.
Consent is when the person, or data subject, has given expressed written permission for your organization to collect and use their personal information. This consent can be revoked. The consent should be explicit and opt in, meaning a customer of a business should actively agree to their personal data being processed. For example, this means they should tick a box to offer consent. Predefined consent for consumers to opt out, such as pre-ticked boxes that should be unticked to revoke consent, do not comply with data protection laws such as the GDPR.
If the person enters into a contract with you and, in order to fulfil the contract, you need to process their data: this serves as another legal basis for collecting personal data. For example, in order to sell something to a customer online, you will need their billing details, name, and address.
It is worth mentioning here that if you collect personal data (such as date of birth) that is not related to the performance of the contract (the sale of the item online in the example above), then you should receive consent based on another legal basis.
Some personal data must be collected and stored in order to satisfy legal requirements or, simply put, to comply with the law. A universal example of this basis for the processing of personal data are employment contracts in which the employer is obliged by law to disclose to the taxman the salary paid to the employee.
The laws are pretty clear about data which must be processed. To fulfil this requirement, you need to be able to reference the obligation, indicating the specific law or court order which relates to the basis.
Processing personal data on the grounds of protecting the subject’s “vital interest” applies to protecting someone’s life. The use of vital interest as a basis for handling personal data is most often used for health data and relevant when a person needs emergency medical care and is unable to consent.
It is important to stress that in the case of vital interest: the subject is physically unable to consent. Should the person be able to provide explicit consent, other grounds should be stated as the basis for processing.
Processing personal data on the grounds of performing a public task is mostly reserved for public authorities, such as local councils or government authorities. However, other organizations that have been granted the power to act in the public interest to complete a specific task can also use this basis for processing the data.
The task should be in the public interest or in order to perform a task related to an official authority. Furthermore, this interest or task should be set out in law. An example of this could be education as part of a university and the awarding of degrees.
Where personal data is processed on the grounds of a person’s legitimate interest, the organization handling the data takes on additional responsibility to consider and protect rights and interests of people. The basis includes the interests of business, individuals, or society.
This basis is very broad. It can even be used as a reason for B2B marketing activities when dealing with corporate subscribers if the businesses to which the activities are addressed would benefit from the product or service.
Special category data: bases for processing
The GDPR also specifies higher protection for data which the legislation terms as “special category”. Special category data calls for additional protection because it is seen as more sensitive. Special category data is stipulated as data about:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- DNA (genes)
- Biometrics data (to identify a person)
- A person’s sex life
- A person’s sexual orientation
For these types of data, the additional safeguards mean additional legal bases for processing the data. The legal bases for processing special category data are:
- Legal obligation
- Vital interests
- Public interest
- Legitimate activity
- Publicized by the subject
- Judicial purpose
- Medical diagnosis
- Public health
- Archiving purposes
As you can see, some of the legal bases for processing special category data are similar to the general ones above, while there are also some additional bases. Let’s quickly run through the bases which are not mentioned above.
Processing special category data based on carrying out a legitimate activity usually concerns membership of organizations that relate to the special categories (for example, a political organization). Processing on this basis may take place to carry out the functions of the organization.
Publicized by the subject
Where a person makes special category data about themselves publicly available, this is a legitimate basis for processing. For example, if a person shares their health status on a public internet forum, this is a basis for any organization to process this data.
Where the special category data is needed in judicial proceedings, it can be processed.
If special category data has to be processed in order to give a medical diagnosis, the law permits this data to be processed.
Pandemics show that there is a need for special category data to be processed on the grounds of public health and the law accounts for such situations.
Should the special category data be needed to comply with legal obligations or public interest requirements related to official archives, it can also be processed.
Now that we have an understanding of the legal grounds as to why we are able to process personal data, let’s take a look at retention periods.
Personal data retention period
Retention period refers to the amount of time that you are able to hold the personal data before erasing or anonymizing it. It is important to note that anonymized data is not considered as personal data and it can still be of use to your organization.
In general, the law specifies that you must not keep data for any longer than necessary. This means you need to be able to justify why you hold personal data (see the legal bases above).
It is best practice to set your own policy for retention periods and to review the data that you hold on a constant basis. Moreover, you should look to limit the personal data you hold in order to minimize the risk that the data will be exposed should you suffer a security breach.
Keeping a retention schedule together with the legal basis for processing sets a clear policy of how long you should hold different categories of personal data.
An important point to note is that data protection laws do not specify the retention periods. Instead, it is up to you to justify how long you hold the data for, based on the purpose it was collected.
There may be industry guidelines in place which dictate how long you should hold the personal data, or this may be based on common sense. Other legal requirements come into play here too, such as information needed for audit purposes or tax requirements, which are subject to set retention periods. Furthermore, there may be separate data retention regulations when it comes to financial or employment data that you must adhere to.
If there are no regulations or guidelines, it is up to you to decide the proportionality of the length of time you store the data, balanced against the reasons for why you are holding it. You need to be able to justify why. For example, keeping tracking data collected from a customer via an internet store can be justified for marketing purposes in the short term. However, if this customer were to unsubscribe from the store, keeping this data for an extended period (for example, several years) may not be justifiable.
In short and for the most part, it is up to your organization to have strict guidelines of what you do with the personal data when the retention period comes to an end. It is best to take a look at industry leaders and follow best practices as the retention periods can vary wildly for different reasons and are based on judgement of proportionality.
By documenting the different legal bases for why your organization holds personal data and specifying the periods that the data will be retained, you are showing that you take data privacy seriously. Having set policies that are outlined in your data map will set you well on your way to compliance with laws such as the GDPR.
Just starting out on your data mapping journey? Read our previous articles: