In April, Danske Bank, the largest bank in Denmark, was fined 10 million Danish kroner (£1.1 million GBP) by the Danish Data Protection Agency (DPA) for data storage violations under the EU General Data Protection Regulation (GDPR). The DPA subsequently reported Danske Bank to the police, recommending that the Danish prosecution service impose its own fine for the bank’s violation of customer data storage.
In 2020, Danske Bank self-reported to the DPA that it had identified instances where they had stored personal data for longer than necessary. Despite the bank’s efforts to meet necessary data storage and deletion requirements by the end of 2021, the DPA’s investigation found that this had not been achieved. In more than 400 systems, Danske Bank had not been able to evidence that rules had been laid down for the deletion and storage of personal data, or that manual deletion of personal data had been carried out. These systems contained the personal data of millions of people.
As stated by the Danish DPA, “One of the basic principles of the GDPR is that you can only process information you need – and when you no longer need it, it must be deleted. When it comes to an organisation the size of Danske Bank, which has many and complex systems, it is particularly crucial that you can also document that the deletion actually takes place”.
Danske Bank explained that the reason they had not met data storage and deletion requirements was due to the ‘very complex’ and ‘time-consuming’ nature of the tasks. They are currently continuing to delete the data they no longer require whilst waiting for the outcome of this matter.
Implementing GDPR requirements can indeed be complex and time-consuming; however, supervisory authorities will not accept these reasons as justification for not having the correct policies, procedures and oversight in place. This is where Bridewell’s expert knowledge and experience can assist organisations to put measures in place for all of the GDPR principles.
How Can Bridewell Help Your Organisation Avoid Data Storage Violations?
The GDPR explicitly states that the period for which personal data is stored should be limited to a strict minimum. The following will help reduce the risk of holding onto personal data for longer than you should:
- Data mapping. The first step is to know exactly where your personal data is stored. This can be achieved through a data mapping exercise, which is a process that helps to assess what personal data an organisation holds, where it’s held, the purposes for which it is held, and who it is shared with. This will also bring awareness to areas where data that is no longer needed may be held.
- Setting out retention policies and procedures. Once you have a clear idea of where your personal data is, you will then need to set a time limit (retention period) for how long you will keep that data. The GDPR does not set specific retention periods for personal data. Instead, it will be up to the organisation to decide how long they require the data in the absence of a statutory retention period. Retention policies and procedures help document the types of personal data held, what it is used for, the retention periods, and the justification behind each retention period. Once the data has reached its retention period, the data will need to be permanently deleted or fully anonymised.
It may be useful to put measures in place for systems to automatically delete data once a retention period is reached. This type of auto-deletion process will not only ensure that data is deleted at the appropriate time, but is evidence of the kinds of technical and organisational security measures that consider ‘data protection by design and by default’.
Additionally, as noted above in the DPA’s statement, a record that the deletion of personal data has taken place should be kept.
- Performing audits. Carrying out audits of personal data processing in every department of an organisation is a key component of a strong data protection programme. Such audits identify personal data that is no longer required or that has reached its retention period, and confirm that individual departments are complying with your organisation’s Retention Policy. They should incorporate formal spot checks to ensure that personal data is not being retained for longer than agreed.
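The three steps above (a data map of where personal data lives, documented retention periods with a delete-or-anonymise action and justification, automatic deletion when a period is reached with a record that it happened, and a spot check for anything held too long) fit together into one small job. The script below is an added example written for this article; it is not Bridewell’s or Danske Bank’s code, and every category, retention period, record and date in it is constructed for illustration. Two design points it shows that the text only implies: the evidence log records only the record id, category, action and date, so the proof of deletion does not itself retain the personal data it describes; and the log is hash-chained, so an auditor can verify that no entry was altered or dropped after the fact.

```python
"""Added example: retention-driven deletion with a hash-chained evidence log.
Everything here (policy, categories, records, dates) is constructed."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import date, timedelta

# Retention policy (constructed): for each category of personal data, the
# period, the end-of-life action, and the documented justification.
RETENTION_POLICY = {
    "marketing_consent": {"days": 365, "action": "delete",
                          "justification": "consent is refreshed annually"},
    "support_ticket": {"days": 730, "action": "delete",
                       "justification": "two-year complaint window"},
    "transaction": {"days": 5 * 365, "action": "anonymise",
                    "justification": "statutory accounting retention"},
}

TODAY = date(2024, 6, 1)  # constructed "run date" for the sample below


@dataclass
class Record:
    record_id: str
    category: str       # key into RETENTION_POLICY (from the data map)
    created: date
    personal: dict      # fields that identify a person
    business: dict      # fields with no personal data (survive anonymisation)


def retention_end(record: Record, policy=RETENTION_POLICY) -> date:
    """Date on which this record's retention period is reached."""
    return record.created + timedelta(days=policy[record.category]["days"])


def overdue(records, today: date, policy=RETENTION_POLICY) -> list[str]:
    """Audit spot check: ids of records that still hold personal data past
    their retention end. Anonymised records carry no personal data, so they
    are not flagged."""
    return [r.record_id for r in records
            if r.personal and retention_end(r, policy) <= today]


def anonymise(record: Record) -> Record:
    """Remove every identifying field; keep the non-personal business data."""
    return Record(record.record_id, record.category, record.created,
                  personal={}, business=dict(record.business))


def _entry_hash(entry: dict) -> str:
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def append_evidence(log: list[dict], record: Record, action: str, when: date) -> None:
    """Append a chained log entry. Only id, category, action and date are
    stored: the evidence of deletion must not retain the data being deleted."""
    prev = log[-1]["hash"] if log else "0" * 64
    entry = {"seq": len(log), "record_id": record.record_id,
             "category": record.category, "action": action,
             "date": when.isoformat(), "prev_hash": prev}
    entry["hash"] = _entry_hash(entry)
    log.append(entry)


def verify_evidence(log: list[dict]) -> bool:
    """True if the chain is intact: every entry in sequence, unaltered, and
    linked to its predecessor's hash."""
    prev = "0" * 64
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["seq"] != i or e["prev_hash"] != prev or _entry_hash(body) != e["hash"]:
            return False
        prev = e["hash"]
    return True


def apply_retention(records, today: date, log: list[dict],
                    policy=RETENTION_POLICY) -> list[Record]:
    """Return the records that survive this run; log each delete/anonymise."""
    kept = []
    for r in records:
        if retention_end(r, policy) > today:
            kept.append(r)
            continue
        action = policy[r.category]["action"]
        if action == "anonymise":
            kept.append(anonymise(r))
        append_evidence(log, r, action, today)
    return kept


# Constructed sample data standing in for three systems from the data map.
SAMPLE = [
    Record("c1", "marketing_consent", date(2023, 1, 15),
           {"name": "A. Example", "email": "a@example.invalid"}, {}),
    Record("t1", "transaction", date(2019, 3, 1),
           {"name": "B. Example", "iban": "XX00 0000"}, {"amount": 120.0}),
    Record("s1", "support_ticket", date(2024, 2, 1),
           {"name": "C. Example"}, {"topic": "card"}),
]


def run(today: date = TODAY):
    """One scheduled run: returns (surviving records, evidence log)."""
    log: list[dict] = []
    return apply_retention(SAMPLE, today, log), log


if __name__ == "__main__":
    kept, log = run()
    print("overdue before run:", overdue(SAMPLE, TODAY))
    print("kept:", [(r.record_id, r.personal) for r in kept])
    print("evidence entries:", len(log), "chain intact:", verify_evidence(log))
```

In a real deployment the `SAMPLE` list would be replaced by a query against each system identified in the data map, and the evidence log would be written to append-only storage; `overdue()` is what a departmental spot check runs after the job, and should come back empty.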
The GDPR principle of ‘storage limitation’ is one of six data protection principles that companies and organisations are expected to adhere to. If you want expert knowledge and experience to guide your data protection programme, Bridewell is here to help.