Elaine Comyn
Elaine.comyn@castlebridge.ie @Elaine.Comyn
• Data Protection compliance and training: clients include public service transport, public and private utility providers and the charity sector
• 2018 Professional Certificate in Data Protection from UCD as part of an MSc in Compliance
• Various cross-functional marketing roles over the past 17 years in the telecoms sector
• DPO for the ISPCA
Your Data Retention Policy Shred Focking Everything? Elaine Comyn © Paul Howard
“Retain data for XX years or face a fine”
“Why have you deleted my data? CONSPIRACY!”
“Why do you still have my data? BREACH!”
“Don’t delete that data object, our dept. has to retain it”
Image: www.spaceotechnologies.com
What…about my Data Retention Policy? “What is clear from the judgements of the CJEU is that each controller has to itself consider its retention periods for data. A retention period that may be lawful and appropriate for one controller will not be for another.” Kelleher & Murray, EU Data Protection Law, 2018, p. 148
Whose…data are you retaining? • Employees • Interns • Customers • Suppliers • Contractors • Patients • Service users • Detainees/Suspects • Citizens etc.
Why? Art. 5(1)(e) - Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed…
Further guidance in Recital 39: The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed… …ensuring that the period for which the personal data are stored is limited to a strict minimum. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.
Where…is all the data? • Systems • Memory sticks • Shared files • eMails • Cloud • Notebooks • Filing cabinets • Drawers • Off-site • With Processors
Who…knows where it is? • IT • Finance • Customer Care • Marketing • Payroll • Billing • HR • R & D • Retail • Legal & Reg
Review for necessity/proportionality
S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011.
Data Subject Rights “The question is less what can be preserved but more, what should not be lost? ” Digital Preservation Coalition
Art 30: Record of processing activities
Columns of the record: Department | Data Subject(s) | Process/Record Type | What personal data | Special category? | Purpose | Volume | Where stored? | Legal Basis | Retention Period | Justification | Third party sharing? | Secondary use/Sharing | Offshore transfers?
Governance is key
• The overall structure of data and data-related resources
• Analysis, design, building, testing, and maintenance
• Defining, monitoring, maintaining data integrity, and improving
• Structured physical data assets - storage deployment and management
• What metadata is to be captured? Integration procedures
• Ensuring privacy, confidentiality and appropriate access
• Enabling access to decision-support data for reporting and analysis
• Standard methods and tools for integration and interoperability, including extraction, movement, replication
• Managing shared data to reduce redundancy and ensure better data quality through standardised definition and use of data values
• Storing, protecting, indexing, and enabling access to data found in unstructured sources
(The DAMA-DMBOK 2 Data Management Framework, “the DAMA Wheel”)
Governance is key
• CENTRAL: Information Retention Policy/Group created with standards and schedule
• Local policies & procedures: aligned with and enabled to support the central strategy
• Data indexing: discoverable when needed, e.g. legal hold
• Data extraction: ability to extract relevant data for archive/deletion in a timely manner
• Secure archive or secure delete when retention timelines per policy are met
Exceptions: IF… THEN…
“A Data Retention Policy” “Wobbly is a private company that provides public access unicycles. This policy outlines how your personal data is stored, for how long, why, and, when applicable, destroyed. It outlines the legal bases upon which we hold your information and your rights in relation to the retention of your data.”
• The purpose of this policy… [regulatory, corporate, legal]
• The effective date… [and will be reviewed periodically]
• Definitions… [“media”, “records”, “DPO”…]
• Scope includes… [this policy applies to… employees, contractors, service providers etc.]
• Records Retention… [per policy schedule]
• Security & destruction… [methodologies]
• Questions? … [here’s our DPO]
Contd…
“A Data Retention Policy” - retention schedule

| Dept. | Process/Record Type | Retention Period | Retention Basis |
| --- | --- | --- | --- |
| Marketing | Consent Record: eMail, SMS, Call | Until they unsubscribe, or 12 months if no contact by Marketing | S.I. 336/2011, ePrivacy Directive |
| Accounts Payable | DD payment record | Two months from last Direct Debit payment date. Restrict access for a further 11 months (i.e. 13 months in total) | Refunds of variable direct debits which exceeded the expected amount can be requested from banks up to 8 weeks after payment. Disputes about unauthorised transactions can be lodged up to 13 months after the transaction date |
| Payroll | Payroll Record | Current financial year plus 6 years (or to end of tax enquiry, if longer) | Income Tax (Employments) (Consolidation) Act 2001 |
| All | eMail | Organisation decides – what is necessary and proportionate | Email should not be used as a filing system and emails should be deleted regularly – impose a size limit |
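The schedule above only works if something actually applies it, and the two hardest parts in practice are the intermediate "restrict access" state (the DD row) and the exception that stops a deletion (a legal hold, as on the governance slide). The following is an added example, not code from the slides or from Castlebridge: it encodes the three dated rows of the schedule as rules and evaluates sample records against them. The rule values are taken from the table; the record-type names, the assumption that the "current financial year" is the calendar year, the treatment of an unsubscribe as making the consent record immediately unnecessary, and the sample records themselves are constructed for illustration.

```python
"""Evaluate a retention schedule against dated records (added example)."""
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Optional


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length
    (31 Dec + 2 months -> 28/29 Feb, not an invalid date)."""
    total = d.month - 1 + months
    year, month = d.year + total // 12, total % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


@dataclass(frozen=True)
class Rule:
    basis: str                   # justification, as in the schedule
    retain_months: int           # full access, counted from the trigger date
    restrict_months: int = 0     # then access-restricted but not yet deleted
    from_year_end: bool = False  # count from 31 Dec of the trigger year (assumed calendar FY)


@dataclass(frozen=True)
class Record:
    record_id: str
    record_type: str
    trigger: date                # last DD payment, last marketing contact, pay date...
    legal_hold: bool = False     # exception: IF legal hold THEN never delete
    unsubscribed: bool = False   # marketing consent withdrawn


# Assumed record-type names; periods taken from the schedule on this page.
SCHEDULE = {
    "marketing_consent": Rule("S.I. 336/2011 ePrivacy", retain_months=12),
    "dd_payment": Rule("DD refund 8 weeks / dispute 13 months",
                       retain_months=2, restrict_months=11),
    "payroll": Rule("Income Tax (Employments) (Consolidation) Act 2001",
                    retain_months=6 * 12, from_year_end=True),
}


def disposition(rec: Record, today: date) -> tuple[str, Optional[date]]:
    """Return (state, next_review_date). States: retain, restrict, delete, hold."""
    rule = SCHEDULE[rec.record_type]
    start = date(rec.trigger.year, 12, 31) if rule.from_year_end else rec.trigger
    restrict_from = add_months(start, rule.retain_months)
    delete_from = add_months(restrict_from, rule.restrict_months)
    if rec.record_type == "marketing_consent" and rec.unsubscribed:
        # Consent withdrawn: the purpose is gone, so the period ends now.
        restrict_from = delete_from = today
    if today >= delete_from:
        # A legal hold suspends deletion; the record is reviewed when the hold lifts.
        return ("hold", None) if rec.legal_hold else ("delete", None)
    if today >= restrict_from:
        return "restrict", delete_from
    return "retain", restrict_from


def review(records: list[Record], today: date) -> dict[str, str]:
    """One pass of the periodic review: record id -> state."""
    return {r.record_id: disposition(r, today)[0] for r in records}


# Constructed sample records for a review run on 1 March 2019.
SAMPLE = [
    Record("dd-1", "dd_payment", date(2019, 1, 15)),
    Record("dd-2", "dd_payment", date(2018, 11, 10)),
    Record("dd-3", "dd_payment", date(2017, 12, 31)),
    Record("dd-4", "dd_payment", date(2017, 12, 31), legal_hold=True),
    Record("pay-1", "payroll", date(2012, 5, 20)),
    Record("pay-2", "payroll", date(2013, 3, 1)),
    Record("mkt-1", "marketing_consent", date(2018, 6, 1)),
    Record("mkt-2", "marketing_consent", date(2018, 6, 1), unsubscribed=True),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(rec.record_id, *disposition(rec, date(2019, 3, 1)))
```

Two design points worth keeping even if the rules change: the review returns a next-review date for anything not yet deletable, so the "periodic review" that Recital 39 asks for is driven by the schedule rather than by someone remembering; and the legal-hold exception is checked only at the point where deletion would otherwise happen, so a hold never silently extends full access to data that should already be restricted.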
In summary
• Start simple – don’t boil the ocean
• Your policy is unique to your organisation
• Get together and work through your who, what, where, when, why and how – it’s good to talk and sticky notes can be fun
• Ensure the right people are able to access the right information at the right time
• Agree clear internal guidelines and methodologies for what personal data is to be kept, why and for how long
• A policy is just that – a document. Make sure you can walk the walk
Shredding Focking Everything is one option, but not your only option. © Paul Howard
Alternatives to shredding: Return it • Archive / Anonymise it (image: @Rawpixel)
Thank You © Paul Howard