The problem for most organizations is not a lack of data; rather, it is too much unsorted data that really should have been deleted a long time ago. As more and more organizations move to cloud-based data storage, there’s no longer a lack of capacity, and many do not prioritize their erasure routines.
The guidelines of the responsible authorities are clear: personal data may be stored for as long as is needed to fulfil the purpose of the processing. When the personal data is no longer needed for that purpose, it must be deleted or de-identified (obscured). This is a typical example of a risk-related organizational task not being prioritized. Therefore, it’s a good idea to introduce routines for the deletion of personal data.
Personal data that must be saved
Routines for the deletion of personal data don’t mean that everything should be deleted right away. In some cases, documents containing personal data need to be kept longer. This applies, for example, to accounting, where the Accounting Act imposes other requirements on how long certain documents are to be stored. But here, too, routines are needed. A good tip may be to store the documents in such a way that they are no longer available in day-to-day operations, that is, to segregate the personal data by separating the documents.
We have now launched the 2024 version of Privacy and GDPR for all employees. It is a brand new course with updated content over fewer lessons, but with more interactive touch points, giving your organisation's DPO a better understanding of your organisation's level of awareness.
To increase engagement and awareness, this new course also focuses on why GDPR and privacy are important both at work and in your private life.