Joakim Hvalby
The problem for most organizations is not the lack of data; Rather, too much unsorted data that really should have been deleted a long time ago. But as more and more organizations move to cloud-based data storage, there’s no longer a lack of capacity – and then there are many who do not prioritize their erasure routines.
The guidelines of the responsible authorities are clear: Personal data may be stored for as long as needed for the purpose of the processing of personal data to be fulfilled. When the personal data is no longer needed for the purpose, it must be deleted or de-identified (obscured). This is a typical example of organizational tasks, related to risk, not being prioritized. Therefore, it’s a good idea to introduce routines for deletion of personal data.
Personal data that must be saved
Routines for the deletion of personal data don’t mean that everything should be deleted right away. In some cases, documents containing personal data need to be kept longer. This applies, for example, to accounting, where the Accounting Act imposes other requirements on how long certain documents are to be stored. But here too routines are needed. A good tip may be to store the documents in such a way that they are no longer available in day-to-day operations, that is, segregate the personal data by separating the documents.
After five years with GDPR, this is something that we really should know. But still often forget.
We have now launched the 2023 version of GDPR and Privacy Protection where we use NanoLearning as a method to create awareness every day of the year. Because in the end, functioning privacy protection also depends on us as users actually thinking and acting with the protection of personal privacy as part of our business. That we do not save user data longer than necessary. That we clean our databases, even if we technically have the capacity to store the information indefinitely.
