The General Data Protection Regulation (GDPR) covers both the processing and the storage of personal data. BI teams need to develop and enforce the policies for both of these responsibilities to reduce the potential for the mishandling of personal data, and to respect the rights and honor the requests of the data subject.
The “right to erasure” is arguably the most difficult of these data subject rights to implement, partly because the right is not absolute, and partly because deleting data is not a “normal” activity for data handlers.
The right to erasure is not absolute, because other regulatory requirements may take precedence. If an EU data subject requests data erasure, you need to respond within a month to indicate which data can be erased, and which must be retained according to the provisions in Article 17 of the GDPR, specifically:
a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
e) for the establishment, exercise or defence of legal claims.
Deleting data is counter-intuitive for those whose function it is to accumulate, sort and analyze it, and deleting data may also cause data integrity issues. Blocking the data rather than deleting it may be more efficient, but it means that administrators will be able to reverse the operation. You may require legal advice as to whether such a strategy is valid.
The right to erasure is also not your only obligation with regard to whether or not to retain data. If the purpose for collecting and retaining the data is no longer valid, then neither is the data’s retention. This may be especially important for data within the “special categories” defined in Article 9 of the GDPR.
What does all of this mean for BI teams?
Your organization needs to enforce strict practices for retaining and erasing data according to the rules laid out by the GDPR. These practices need to be embedded into your BI system storage strategy, and may include techniques for anonymizing and pseudonymizing data.
In a recent webinar, APOS Solution Consultant Alan Golding summarized the data retention capabilities needed by BI teams with the following questions:
- What is the purpose of and audience for the report containing personal data?
  Establish retention policies that respect the rights of the data subject.
- What are the retention policies and regulatory requirements for the retention of personal data?
  Establish and automate a storage strategy that codifies your retention policies.
- Are structured retention processes required?
  Enable audit and data inspection capabilities.
Note: this post is the fourth in a series of posts on the GDPR, including: