The General Data Protection Regulation (GDPR) has transformed the way companies manage personal data, introducing stringent requirements for data deletion. In accordance with the GDPR, personal data cannot be stored indefinitely, and companies must develop comprehensive deletion frameworks as explained in detail here. However, creating and implementing these frameworks presents significant challenges for organizations. In this article, we explore the most formidable hurdles companies face when developing data deletion concepts.
Lack of Explicit Deletion Definition
The GDPR itself does not provide a precise definition of „deletion“. In a technical context, deletion involves rendering data and its content permanently inaccessible, making it impossible for further processing or recovery. This differentiation between irretrievable deletion, data deactivation, and retrievable archiving is critical and causes confusion to organizations. It is worth emphasizing that designating data records as inactive falls short of compliance with deletion requirements. In practice, the simple deletion of data on drives or in databases from storage devices or databases is regularly sufficient, but achieving true data irreversibility can be complex and resource-intensive.
Absence of a Standard Deletion Template
The absence of a standardized template for deletion concepts poses a significant challenge. Companies often grapple with interpreting complex legal standards like the DIN 66398 and navigate general legal-theoretical texts. The absence of concrete guidelines on how to approach the topic makes organizations struggle to develop and implement deletion frameworks. The challenge is growing for company groups requiring the establishment of a comprehensive global data deletion framework, encompassing the retention requirements of multiple jurisdictions.
Absence of Tailored Documentation
Developing a single, lengthy theoretical document outlining the entire deletion concept is seldom practical. Instead, organizations should pursue developing tailor-made documentation. An example could be a general document outlining the fundamental deletion procedures and terminology, and specific work instructions tailored to individual departments and IT systems. This approach ensures that employees can quickly access relevant information, improving adherence to the concept. The comprehensive document provides overarching guidelines for deletion providing a broad framework for compliance, while the specific work instructions are designed to cater to the unique needs of individual departments.
Ambiguity Surrounding Data Retention Periods
One of the primary challenges stems from the ambiguity of the GDPR regarding specific deletion periods. The GDPR does not specify exact deletion periods or timelines for data retention, rendering it complex to determine when data is no longer necessary for its original purpose. Moreover, the development of the deletion framework would require the collaboration of data protection consultants other legal professionals and tax consultants for the review of the retention obligations posed by statutory laws making the creation of a deletion concept a formidable task for organizations with vast databases and overlooked deletion obligations.
Comprehensive Data Assessment
Formulating a deletion concept necessitates a comprehensive understanding of the personal data processed. This entails identifying the actual personal data processed, where personal data resides, its purpose, and the relevant departments accessing the personal data. Data processing operations vary across companies, making it essential not only to map the exact personal data processed but also to constantly update them.
Absence of a Legal Basis for Data Deletion
Deletion is considered a form of data processing and requires a legal basis. Premature or improper deletion of data that should continue to be stored or actively used according to its purpose can lead to data protection violations. The GDPR’s principle of storage limitation emphasizes that data should only be deleted when it’s no longer needed for its intended purpose. Deleting data unlawfully takes control away from data subjects. Additionally, unlawful deletion carries significant ramifications, especially when dealing with sensitive information like medical records. Such actions can potentially lead to problematic, and in some cases, even perilous outcomes for data subjects.
Crucial Involvement of the IT Department
The IT department in every organization plays a pivotal role in establishing an implementable deletion framework. It is responsible for defining how the technical implementation of deletion can occur, which includes whether it should be manual, automated, or partially automated, and whether data could be destroyed or anonymized. Collaboration between the data protection officer, legal experts, the IT and other departments, and works councils, where applicable, is indispensable. Legal obligations e.g. Art. 87 BetrVerfG might necessitate the input of Work Councils in the process.
Technical Hurdles
In cases of long retention periods, organizations must decide whether to retain the entire dataset or delete data irrelevant to the specific retention period. This partial deletion is particularly complex in systems used globally by a company group. Another data source that complicates the complete deletion of personal data is the use of backups. Furthermore, many organizations employ software systems that lack data deletion options entirely, resulting in indefinite data retention. These systems present a significant challenge for GDPR compliance.
Developing a GDPR-compliant data deletion framework is an intricate endeavor, fraught with multifaceted challenges. Companies must grapple with uncertain retention periods, a lack of universal templates, and the intricacies of data flows, among other obstacles. Collaboration between legal experts, data protection officers, IT departments, and works councils is crucial for a successful implementation. By overcoming these challenges, organizations can facilitate compliance with GDPR, protect data subjects‘ rights, and contribute to a more secure and responsible data deletion framework.
Nicole Folchert
11. November 2023 @ 13:39
Great article with many truths. As an expert in deletion concepts, I know from many customer projects that companies – especially corporations – face exactly the challenges mentioned in the article.
However, creating a deletion concept is not rocket science if the following procedure is followed:
1) Create a transparent IT landscape with all systems that contain personal data
2) Creation or adaptation of the list of processing activities (each type of data must be reflected in the IT landscape)
3) Creation of an overview of the deletion periods per data type
4) Creation of guidelines for manual deletion
5) Project management for automated deletion
6) Handover to regular operation, training of employees