Before we jump into what Data Retention and Storage Limitation mean within the General Data Protection Regulation ("GDPR"), I think it's important to properly define these two items and give some insight into how they affect everyone on a day-to-day basis. At the heart of both concepts is personal data: every app you download, every tool you use, and every solution brought into your company now has to properly manage and dispose of personal data. This next post in our GDPR Series centers on Personal Data and what it means in the context of Data Retention and Storage Limitation.
Data Retention is defined as the storing of information for a specified period of time. On a personal note, data retention comes up when storing data on a phone. You have a certain amount of storage, and that limit can be reached if there is no proper procedure in place to back up, migrate, and dispose of data. I'm sure you have experienced that moment when you can no longer take a picture because the awful error pops up: "iPhone storage almost full." One easy way to fix this is to create a data retention policy under which anything older than a specified period is deleted. In this case, you can set daily, weekly, monthly, or yearly data retention policies.
In the context of businesses, the same principle applies, but data retention becomes more critical when it comes to following regulations and policies such as the GDPR. As a refresher, the GDPR is a regulation passed by the European Union (EU) that sets strict standards for the collection, storage, and processing of personal data. Data retention policies are important to GDPR compliance because they help organizations ensure that they are not keeping personal data for longer than necessary. This is the storage limitation principle, one of the key principles of the GDPR, set out in Article 5.
A data retention policy also helps organizations comply with the GDPR's right to disposal, also known as the "right to be forgotten," which gives individuals the right to have their personal data deleted when there is no longer a legal or legitimate reason for it to be retained. Having a clear and well-defined data retention policy in place makes it easier for organizations to identify the specific data that needs to be deleted when an individual requests erasure.
When dealing with video surveillance systems and security cameras, the video footage, which includes personal data, should not be kept any longer than is strictly required for the desired outcome.
Furthermore, Article 30 of the GDPR states that companies must keep records of the categories of processing activities and the retention schedule, which again underlines that a data retention policy is crucial for GDPR compliance. Data retention policies also provide a way to ensure that data is deleted in a secure and controlled manner, so that it cannot be accessed by unauthorized parties. This helps organizations comply with the GDPR's requirement to protect personal data from unauthorized access and from unauthorized or accidental destruction.
Intenseye's data storage is limited to specific types of data, namely thumbnails and video clips for positive alerts only. These pseudonymized video clips are used only for contextual purposes and are therefore limited to 15 seconds. This limitation gives customers just enough context without compromising GDPR compliance.
A data retention policy is a document that outlines how long specific types of data will be kept and when it will be deleted. The best practices for creating a data retention policy include:
- Conduct a data audit: Understand what data your organization collects, stores, and processes, and classify it based on importance, legal requirements, and regulatory compliance.
- Understand legal and regulatory requirements: Different types of data are subject to different retention requirements. For example, financial data needs to be kept for a certain number of years to comply with tax laws, while personal data needs to be deleted when it is no longer needed for the purpose it was collected.
- Consider the data’s value: Retaining data indefinitely is not always necessary. Determine how long the data is needed for business or legal purposes, and delete it after it is no longer needed.
- Have a data deletion plan: Once the retention period for data has ended, a plan must be in place to delete it securely and permanently.
- Review and update: A data retention policy should be reviewed and updated regularly to ensure it remains in compliance with legal and regulatory requirements and aligns with the organization's changing needs.
- Communicate with and train the related parties: Communicate the data retention policy to all relevant employees, contractors, and vendors, and make sure they are trained on data retention and deletion requirements.
- Monitoring and Auditing: Regularly audit data storage and processing activities to ensure compliance with the retention policy and promptly address any non-compliance issues.
Remember that data retention policies should be flexible and be able to adapt to the changes in business operations, technology, and legal and regulatory requirements.
At Intenseye, we can comply with our customers' data retention policies. The data retention period is easily configurable in the Workspace Settings of the Intenseye Dashboard and can be set between 3 and 730 days to match the customer's policy. Once the retention period is exceeded, the evidence media (alert images and videos) are deleted, but the analytics are kept in a fully anonymized format for historical data analysis.
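The retention behaviour described above, as an added illustration that is not Intenseye's own code: a retention job that rejects periods outside the 3 to 730 day range, deletes evidence media for alerts older than the configured period, and keeps only anonymized analytics for those alerts. The record layout, the identifying field names, and the sample alerts are all constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MIN_RETENTION_DAYS = 3    # configurable range stated in the post
MAX_RETENTION_DAYS = 730

# Hypothetical analytics fields that could identify a person; these are
# stripped once the evidence media for an alert has passed retention.
PERSONAL_FIELDS = {"person_id", "face_crop", "badge_number"}


@dataclass
class AlertRecord:
    alert_id: str
    created_at: datetime                     # timezone-aware UTC timestamp
    media: list = field(default_factory=list)   # evidence image/video paths
    analytics: dict = field(default_factory=dict)


def is_valid_retention(days) -> bool:
    """True only for an integer period inside the configurable range."""
    return isinstance(days, int) and MIN_RETENTION_DAYS <= days <= MAX_RETENTION_DAYS


def anonymize(analytics: dict) -> dict:
    """Keep aggregate fields (zone, violation type) and drop identifying ones."""
    return {k: v for k, v in analytics.items() if k not in PERSONAL_FIELDS}


def apply_retention(records, retention_days, now):
    """Return (media paths to delete, records as they should look afterwards)."""
    if not is_valid_retention(retention_days):
        raise ValueError(f"retention period must be {MIN_RETENTION_DAYS}-{MAX_RETENTION_DAYS} days")
    cutoff = now - timedelta(days=retention_days)
    to_delete, kept = [], []
    for r in records:
        if r.created_at < cutoff:
            # Past retention: schedule evidence media for deletion, keep anonymized analytics.
            to_delete.extend(r.media)
            kept.append(AlertRecord(r.alert_id, r.created_at, [], anonymize(r.analytics)))
        else:
            kept.append(r)
    return to_delete, kept


# Constructed sample input: one alert 30 days old, one from yesterday.
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    AlertRecord("alert-001", datetime(2024, 1, 1, tzinfo=timezone.utc),
                ["alert-001.jpg", "alert-001.mp4"],
                {"zone": "loading-dock", "violation": "no_helmet", "person_id": "p-17"}),
    AlertRecord("alert-002", datetime(2024, 1, 30, tzinfo=timezone.utc),
                ["alert-002.jpg"], {"zone": "warehouse", "violation": "no_vest"}),
]
```

Running `apply_retention(SAMPLE_RECORDS, 14, NOW)` schedules both files of alert-001 for deletion and leaves its analytics as zone and violation only, while alert-002 is untouched.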
Data retention and storage limitations are important considerations under the GDPR. The GDPR requires organizations to take appropriate technical and organizational measures to ensure the security of personal data, including implementing appropriate data minimization and storage limitation practices. Organizations must only collect and store the personal data that is necessary for the specific purposes for which it is being processed, and should not retain that data for longer than is necessary. This means that organizations must consider the appropriate data retention period and implement policies and procedures to ensure that data is deleted when it is no longer needed. By limiting the amount of data stored and ensuring that data is only retained for as long as is necessary, organizations can help protect the privacy of individuals and comply with the requirements of the GDPR.
Stay tuned for our next post in the GDPR and Video Surveillance blog series, where Intenseye's CTO Serhat Çillidağ will explain the importance of Organizational and Technical Measures for Personal Data Protection!