GDPR and POPIA: Data archiving

05 November 2018
Written by Gericke Potgieter

Gericke is responsible for marketing systems management and data analytics at EPI-USE Labs. He is a qualified ISO 27001 Lead Implementer and has an MA in Socio-informatics (Decision Making Theory). He has spent most of his career in IT, strategy consulting and software development.

Missed the previous articles?  Read them here: Article 1 | Article 2 | Article 3 | Article 4 | Article 5 | Article 6

How long can you keep data? In the seventh article in our series on GDPR and POPIA we look at the rules and exceptions for archiving data on systems.  Read on:

“They’re just not that into you”

You haven’t heard back from them in three weeks. It is right about this time the sinking realization occurs that they might just not be that into you. You scroll through your messages and smile at the good times you had. Who knows, maybe they are just busy. For now, you will hold on to their details and archive their messages for future reference.

When a data subject no longer has a purpose on your systems, they would normally need to be removed. However, there is some leeway in both GDPR and POPIA for keeping data beyond its useful lifetime for statistical or archival purposes.

In this article, we will review under which circumstances data may be retained. We will also look at how retention should be balanced against the rights of the data subject.

For archiving purposes

Data may only be retained as long as there is a legal basis for doing so, and/or consent applies. Both GDPR and POPIA allow for data retention for the purpose of archiving, but these allowances are balanced with the rights of the data subject to have their data redacted or removed.

Data retention and the laws

Data retention is bound to two main factors, namely that of the legitimacy of the purpose for processing, and that of consent.

We already know that we need a legal basis for processing, and that consent can be withdrawn, but both GDPR and POPIA provides a specific exception for data retention beyond the expiration of purpose.

GDPR, Article 89, Paragraph 1 states: “Processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, shall be subject to appropriate safeguards, in accordance with this Regulation, for the rights and freedoms of the data subject.”

In Section 14, Paragraph 2 POPIA states: “Records of personal information may be retained for periods in excess of those contemplated in (1) for historical, statistical or research purposes if the responsible party if the responsible party has established appropriate safeguards against the records being used for any other purposes. ”

In both cases, archiving takes the data out of circulation.  Archived data can no longer be processed for any other purpose, and must be kept secure.

GDPR and POPIA - retention exceptions for archiving

Redact or archive; these are the safer options

Archiving is only allowed if it aligns with the stated purposes, and for many of these purposes, the personal data can be anonymized. This creates a problem when it comes to the question of backups and snapshots which will be discussed in our next article.

When it comes to the archiving process, there should be due attention given to both organizational and system safeguards. These safeguards need to address data security as well as prohibiting the use of archived data for other purposes.

If data is retained for statistical purposes only, anonymization is the best route to take.

For the history books

After being duly chastised for letting the weird neighbour store your date’s information, you now make sure that it is all stored safely in the cloud. To get the data back you need biometric access, a pin, and 2-factor authentication. Now to make sure that you don’t forget that pin…

The rule of thumb is this: You can keep data after its purpose expired if you archive it safely. If the data is used purely for statistical purposes, consider anonymization as part of your strategy.

Missed our webinar? View it here for free.

GDPR and POPIA: Free webinar

Are you POPIA compliant?  We recently hosted a webinar that tells you more about:

  • The similarities and differences between GDPR and POPIA
  • How the privacy laws apply over the full data lifecycle
  • An overview of how these laws affect your policies and SAP systems
  • Non-compliance consequences - penalties, fines and personal liabilities
  • An introduction to the EPI-USE Labs GDPR Compliance Suite for SAP

Click here to view it for free.

SAP Knowledge Sidebar

By Jan van Rensburg

Deleting data from SAP systems is non-trivial. With data spread over many different tables and systems, deleting any data can lead to an inconsistent system. Client information, for example, can be stored in ERP, CRM and BW systems. If you decide to archive data as a means of complying with GDPR and POPIA, you have to keep in mind that archiving is still a form of data storage and doesn’t necessarily comply with “right to be forgotten" clauses.

The onus is still on you to prove why you need to retain this data, even when the data subject requested data to be removed, or the lawful basis is no longer valid. In some cases this is clear cut. For financial and payroll information, laws require that you retain data for a minimum period. In most cases the data retention requirement is a complex problem. You might need to keep some data for a longer period, like safety information, while other data like detailed pay information needs to be retained for shorter periods. This means that some data relating to a data subject might need to be retained longer than others, so you have to be able to selectively delete data.

Agreeing on these detailed data retention policies is one of the areas that companies struggle with the most during privacy compliance projects. Once the business rules have been captured in a policy, archiving or a product like EPI-USE Labs' Data Retain can be used to help automate the selective redaction of personal data to ensure continued compliance.

 

 

Explore Popular Tags

GDPR Data Privacy Data Security Data Secure GDPR compliance Data Redaction data scrambling Data Redact General Data Protection Regulation POPI Act POPIA SAP Data Security SAP GDPR SAP data privacy and compliance Data Archiving Data Sync Manager Data privacy regulations Right to be forgotten Data privacy compliance GDPR readiness GDPR deadline Personal data SAP SAP security SAP systems GRC for SAP SAP data privacy and security Access Risk management Access risk controls Data Privacy suite Data minimisation Data security breaches Governance, Risk Management and Compliance (GRC) compliance COVID-19 Data privacy by design Risk monitoring SAP data copying and masking SAR Soterion Subject Access Request anonymised data Australian Privacy Act 1988 CCPA Client Sync Data Protection Day Data masking EPI-USE Labs’ solutions European operations Federal Law GDPR fine Guest order ICO May 2018 Object Sync One-time customer Privacy by Design Reducing risk Right to Erasure Risk minimisation S/4HANA Migrations SAP S/4HANA SAP data privacy & security Secure scrambled production data for testing Test Data Management security breach Backlog privacy debt Black Friday Black Friday hangover Black Friday sales Breach Notification Brexit Budget Canada data privacy legislation Cenoti Cloud migrations Confidentiality Consent DSM DSM Readiness Assessment Data Diclose Data Portability Data Removal Data Replication Data Sync Manager (DSM) Data integrity Data privacy assessment Data processor versus controller Data retention rules Documentation Employee data Europe Friday 25 May 2018 GDPR-type legislation GRC GRC for SAP tools General Data Protection HCM HR ILM Information Commissioner’s Office Information transfer Infotype 41 JSOX New Zealand Privacy Act News Online shopping Penalties Personal Data Protection Law (PDPL) Proportional Data Protect personal employee data Removing data in SAP Right to Access Rise with SAP Risk management S4HANA SAP Cloud SAP Data Privacy Suite SAP RISE SAP SuccessFactors SAP access risk simulations SAP data SAP data encryption SOX Sarbanes-Oxley (SOX) legislation Saudi Arabia Security Security for SAP. Live Sensitive HCM data South African data privacy legislation Success Factors Territorial Scope UK Government User Access Review Virtual conference What does the European GDPR mean for Australia? ebook masking rules quality of test data system copy uk sox
+ See More

Get Instant Updates


Leave a Comment: