Joakim Hvalby
Program Manager Information Security
Article   December 14 2022

GDPR tip 3: Don't store data longer than necessary

Not all organizations comply with GDPR, for example with the requirement not to store data longer than necessary. A first step is to have good deletion routines so that data is not stored longer than needed. Joakim Hvalby, Program Manager Information Security at Junglemap, writes about this in one of four articles with tips regarding GDPR.


The problem for most organizations is not a lack of data but rather too much unsorted data that really should have been deleted a long time ago. But as more and more organizations move to cloud-based data storage, there's no longer a lack of capacity, and many then do not prioritize their erasure routines.

The guidelines of the responsible authorities are clear: personal data may be stored for as long as it is needed to fulfil the purpose of the processing. When the personal data is no longer needed for that purpose, it must be deleted or de-identified (obscured). This is a typical example of a risk-related organizational task not being prioritized. Therefore, it's a good idea to introduce routines for the deletion of personal data.

Personal data that must be saved 

Routines for the deletion of personal data don’t mean that everything should be deleted right away. In some cases, documents containing personal data need to be kept longer. This applies, for example, to accounting, where the Accounting Act imposes other requirements on how long certain documents are to be stored. But here too routines are needed. A good tip may be to store the documents in such a way that they are no longer available in day-to-day operations, that is, segregate the personal data by separating the documents. 

We have now launched the 2024 version of Privacy and GDPR for all employees. A brand new course with updated content over fewer lessons, but with more interactive touch points giving your organisation's DPO a better understanding of the level of your organisation's awareness.

To increase engagement and awareness, this new course also focuses on why GDPR and privacy are important both at work and in your private life.
