How should GDPR data be stored?

The General Data Protection Regulation (GDPR) is a regulation that went into effect in the European Union in 2018. It imposes strict requirements on companies that collect, process, or store the personal data of EU citizens. One of the key aspects of GDPR relates to how personal data is stored.

Data storage is crucial for GDPR compliance because it directly impacts data security and the rights of data subjects. Under GDPR, personal data must be processed lawfully, fairly, and transparently. Companies must collect only what is necessary, ensure accuracy, limit storage times, and protect it from unauthorized access or transfer (Data protection under GDPR – Your Europe).

Key data storage principles under GDPR include data minimization, purpose limitation, storage limitation, integrity and confidentiality. Companies must implement data protection by design and default to embed these principles (GDPR and Data Storage Management). Proper data storage procedures are crucial for GDPR compliance and protecting EU citizen rights.

Lawful basis for processing data

Under the GDPR, there are six lawful bases for processing personal data:

  • Consent – the individual has given clear consent for you to process their personal data for a specific purpose. Consent must be explicitly given and recorded. Individuals have the right to withdraw consent at any time.
  • Contract – processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  • Legal obligation – processing is necessary for you to comply with the law.
  • Vital interests – processing is necessary to protect someone’s life.
  • Public task – processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • Legitimate interests – processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Of these, consent and legitimate interest are two of the most common lawful bases relied on. Consent requires clear affirmative action from the individual to opt in, while legitimate interest involves balancing your interests against the individual’s.

Legitimate interests can apply when you use people’s data in ways they would reasonably expect and which have a minimal privacy impact. However, it does not apply if you can reasonably achieve the same purpose without processing personal data.

For special category data, you must identify both a lawful basis under Article 6 and a separate condition for processing under Article 9 of the GDPR.

Data minimization

One of the key principles of GDPR is data minimization, which means that organizations should only collect and store the personal data that is strictly necessary for the specified purpose. As stated in Art. 5(1)(c) of the GDPR, “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”

The principle of data minimization aims to limit the amount of personal data collected and stored by organizations, as excess data increases the risk of a data breach. Organizations should carefully evaluate what data they actually need to fulfill their specified purpose. Any data fields that are “nice to have” but not essential should generally be avoided.

In addition, organizations must delete personal data once the purpose for collecting it has ended and retention is no longer necessary. As noted in the ICO’s Guide to the Data Protection Principles, individuals have the right to request deletion of any incomplete or unnecessary data under GDPR.

In summary, organizations must limit data collection to the bare minimum required for their specified purpose and delete it promptly once it is no longer needed. This minimizes privacy risks and demonstrates accountability under GDPR.

Consent Requirements

The GDPR sets out strict requirements for obtaining valid consent from individuals for processing their personal data. Consent is one of the lawful bases for processing under the GDPR and is defined in Article 4(11) as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

For consent to be valid under the GDPR, it must meet several criteria according to GDPR.eu:

  • Consent must be freely given – it cannot be bundled up as a non-negotiable part of terms and conditions.
  • Consent must be specific – it must relate to a defined processing purpose.
  • Consent must be informed – individuals must understand what they are consenting to.
  • Consent must be unambiguous – it must be obvious the individual has consented through a clear affirmative action.

Additionally, under the GDPR individuals have the right to withdraw their consent at any time. According to GDPR-info.eu, organizations must have processes in place that make withdrawing consent as simple as giving it.

Data subjects’ rights

The GDPR introduces several new rights for individuals, including the right of access, rectification, erasure, restriction, portability and objection [1]. These rights aim to provide individuals with more control over their personal data.

The right of access gives individuals the right to obtain confirmation from a data controller as to whether their personal data is being processed. If so, the individual can request access to that data [2].

The right to rectification allows individuals to have any inaccurate personal data corrected. The right to erasure, also known as the “right to be forgotten”, enables individuals to request the deletion of their personal data if certain conditions are met [3].

The right to restriction allows individuals to limit the processing of their data in specific cases. The right to data portability gives individuals the right to receive their personal data and reuse it for their own purposes.

Finally, the right to object enables individuals to object to the processing of their personal data in certain circumstances [2]. These rights aim to shift more control over personal data to individuals under the GDPR.

Data protection by design

Data protection by design, also known as privacy by design, refers to building in data protection principles from the start when designing systems or processes that involve personal data processing. Privacy by design is a key requirement under the GDPR as outlined in Article 25.

Some key privacy by design principles include:

  • Data minimization – Only collect the minimum amount of personal data necessary
  • Transparency – Be clear, open and honest with individuals about data processing
  • User control – Give individuals more control over their personal data
  • Security – Implement appropriate technical and organizational measures to protect data
  • Storage limitation – Keep data only as long as necessary

By considering data protection from the initial design stages, organizations can build in privacy in an effective, sustainable manner. Technical measures like encryption, anonymization, and pseudonymization can help implement privacy by design. Organizational policies and training are also important. Following privacy by design principles helps demonstrate GDPR compliance.

As noted in the ICO’s guidance, “The UK GDPR requires you to integrate data protection concerns into every aspect of your processing activities. This approach is ‘data protection by design and default’.” [1]

Record keeping

Under the GDPR, organizations are required to maintain records of their data processing activities. Article 30 of the GDPR states that records must include the following information:

  • Name and contact details of the data controller and any joint controllers
  • Purposes of the processing
  • Categories of data subjects and personal data processed
  • Categories of recipients the data is disclosed to
  • Information about cross-border data transfers
  • Time limits for erasure of different categories of data
  • General description of security measures in place

These records must be in writing, including in electronic form, and must be made available to supervisory authorities upon request. Maintaining thorough and accurate records is crucial for demonstrating GDPR compliance in case of an investigation or audit.

Organizations must also keep records of data breaches, as mandated by Article 33 of the GDPR. For any breach that is likely to result in risk to the rights and freedoms of data subjects, controllers must document the facts relating to the breach, its effects, and remedial actions taken. This documentation may be critical in demonstrating accountability to regulators.

According to the GDPR Information Portal, detailed records of processing activities are “one of the most important tools for demonstrating compliance with the GDPR.” As such, organizations should prioritize developing a standardized system for maintaining comprehensive records.

Data security

Article 32 of the GDPR requires data controllers and processors to implement appropriate technical and organizational measures to ensure a level of data security appropriate to the risk. This includes measures such as encryption, access controls, backing up data, and having a process for breach notification.

Encryption should be used for sensitive personal data, both when it is in transit and when it is stored. The GDPR recommends pseudonymization and encryption as ways to protect data (GDPR.eu, n.d.). Encryption scrambles data so that only authorized parties holding the key can read it, which protects the data even if a device or storage medium is lost or stolen.

Access controls, such as multi-factor authentication and role-based access, should be used to limit access to only authorized personnel. Logs should also be maintained of who accesses what data and when (Netsec.news, n.d.).

Regular backups should be performed and tested to ensure data can be restored in the event of an incident like ransomware or hardware failure. Backups should be encrypted and stored securely offsite or in the cloud.

In the event of a data breach, controllers must notify supervisory authorities within 72 hours under GDPR. Processors must notify controllers without undue delay (GDPR.eu, n.d.).

Data transfers

According to the GDPR, personal data can only be transferred outside the European Union if the European Commission has decided that the destination country provides an adequate level of data protection. If the destination country has not received an “adequacy decision” from the Commission, then organizations need to implement specified safeguards to protect the transferred data. These include:

Standard data protection clauses or model clauses (standardized contractual clauses approved by the Commission). As stated on the European Commission website, model clauses offer assurance that the transferred data will be protected according to EU standards and can be used to transfer data outside the EU to any country.

Binding corporate rules (BCRs) for intragroup international data transfers approved by DPAs. BCRs are internal codes of conduct that regulate transfers within multinational companies. As explained by the European Data Protection Board, BCRs must adhere to specific requirements and be approved by an EU Data Protection Authority.

In addition, the GDPR introduced certification mechanisms as a new means of authorizing international data transfers to certified organizations. Overall, organizations need to evaluate the laws of destination countries and implement approved safeguards to ensure personal data remains protected when transferred outside the EU.

Compliance best practices

Organizations looking to comply with GDPR should focus on implementing several key best practices:

Appoint a Data Protection Officer (DPO). Having a dedicated DPO shows commitment to compliance and provides oversight of data practices. The DPO serves as the internal expert on GDPR and the point of contact for data subjects and regulators. Per GDPR guidelines, public authorities, organizations that engage in large-scale processing, and those that process sensitive data require a DPO.

Conduct regular audits. It’s important to frequently audit compliance across departments and systems. Audits help identify any areas of non-compliance and weaknesses to address. Many recommend auditing at least annually.

Provide GDPR training. Training employees regularly on GDPR principles, data handling procedures, breach protocols, and more helps maintain compliance. Tailor training to roles that handle more sensitive data. Refresh and update training to account for changes.

Perform privacy impact assessments. Conducting PIAs on new technologies, systems, or processes that process personal data can uncover and mitigate risks. PIAs help minimize privacy risks and document compliance steps. GDPR mandates PIAs for high-risk processing.