Achieving GDPR Compliance Using Entity Based Retention
Organisations across industries are grappling with the complexities of data retention policies, particularly in the context of ever-evolving regulations like GDPR. Data retention is not a new idea, and IT departments have been managing data based on retention policies for decades. However, most organisations steered away from proactively deleting data, as the incentive to delete data once it was no longer required was limited. Enter GDPR, which mandates exactly this: organisations must now delete personal data once there is no longer a valid justification for storing it. Compliance with the regulation is important to avoid the risk of associated fines, but it also reduces the risk associated with data loss and the chance of data being used inappropriately.
The nature of the right to be forgotten and the principle of storage limitation necessitate a departure from traditional retention methods based on document age to a more nuanced approach that centres around what – or more specifically who – the data is about; types of entity, such as customer or employee, and their attributes.
In this blog, we will delve into the intricacies of entity-based retention, using a case study to shed light on how this innovative approach can transform data management and help ensure GDPR compliance.
What is entity-based retention?
Simply put, entity-based retention is a data management approach that focuses on the retention of data based on what or who the data is about – the entities that are referred to in the data. Instead of retaining data based on when it was created or last modified, entity-based retention considers the relationships between different pieces of information in the data and known entities. We look for evidence showing us who the data is about.
This approach introduces a new capability for meeting the specific duties around removing personal and/or sensitive data that is no longer required, as GDPR legislation demands.
Correlation: The key to success
Entity-based retention builds a map capturing where the entities can be found in the data by correlating against a master list while scanning. This map can then be used to search for the data you need to fulfil specific tasks like determining which files contain information about customers who should have been forgotten under your application of the GDPR regulations. It is a powerful approach for structured data stored in databases, where you can reliably predict the type of data in a column of a table based on looking at a relatively small sample.
However, when dealing with unstructured data, such as files scattered across various folders, correlation becomes more challenging. In such cases, the approach can still be effective if targeted at folders known to contain the type of data you are looking for.
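The correlation approach described above, as an added example that is not the original post's or any vendor's code: a master list of customers (with the date each relationship ended) is correlated against a structured source (table rows) and an unstructured source (file contents) while scanning, producing a map from entity to the locations where it appears. The map is then queried for entities whose retention period has expired. The customer records, table rows, file contents, paths and the retention period are all constructed sample values, and the column-profiling heuristic (flag a column if most sampled cells match the master list) is an assumed implementation of the "small sample" idea from the text.

```python
"""Entity-based retention: correlate a master list of entities against data
while scanning, then query the resulting map for entities whose retention
period has expired.

Added example, not the original post's or any vendor's code. Every record,
row, path, file body and policy value below is constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
import re

# Constructed master list: customer id, e-mail, and the date the relationship
# ended (None while still a customer).
MASTER_LIST = [
    {"id": "C1001", "email": "alice@example.test", "ended": date(2020, 3, 1)},
    {"id": "C1002", "email": "bob@example.test", "ended": None},
    {"id": "C1003", "email": "carol@example.test", "ended": date(2023, 11, 15)},
]

# Constructed structured source: rows of a "tickets" table with named columns.
TABLE_ROWS = [
    {"ticket": 1, "customer_id": "C1001", "note": "refund issued"},
    {"ticket": 2, "customer_id": "C1002", "note": "address change"},
]

# Constructed unstructured source: file path -> file text.
FILES = {
    "/shares/support/2020/q1_notes.txt": "Called alice@example.test about C1001 refund.",
    "/shares/hr/handbook.txt": "Nothing about customers here.",
    "/shares/support/2023/escalations.txt": "Escalation from carol@example.test.",
}


@dataclass
class EntityMap:
    # entity id -> set of locations ("table:column" or file path) where it was found
    locations: dict = field(default_factory=dict)

    def add(self, entity_id, location):
        self.locations.setdefault(entity_id, set()).add(location)


def build_index(master_list):
    """Map every identifying attribute (id, e-mail) back to the entity id."""
    index = {}
    for entity in master_list:
        index[entity["id"].lower()] = entity["id"]
        index[entity["email"].lower()] = entity["id"]
    return index


def profile_columns(rows, index, sample_size=100, threshold=0.5):
    """Structured data: predict which columns hold entity references by
    checking only a small sample of each column against the master list."""
    sample = rows[:sample_size]
    hits = {}
    for row in sample:
        for column, value in row.items():
            hits[column] = hits.get(column, 0) + (str(value).lower() in index)
    return sorted(c for c, n in hits.items() if n / len(sample) >= threshold)


def scan_table(rows, table_name, index, entity_map):
    """Structured data: match whole cell values against the master list."""
    for row in rows:
        for column, value in row.items():
            key = str(value).lower()
            if key in index:
                entity_map.add(index[key], f"{table_name}:{column}")


# Tokens worth correlating: e-mail addresses and the constructed "C" + 4 digit ids.
TOKEN_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+|\bC\d{4}\b")


def scan_files(files, index, entity_map):
    """Unstructured data: tokenise text and match tokens against the master list."""
    for path, text in files.items():
        for token in TOKEN_RE.findall(text):
            key = token.lower().rstrip(".")  # drop sentence-ending punctuation
            if key in index:
                entity_map.add(index[key], path)


def build_entity_map(master_list, rows, files):
    """Scan both source types once and return the entity -> locations map."""
    index = build_index(master_list)
    entity_map = EntityMap()
    scan_table(rows, "tickets", index, entity_map)
    scan_files(files, index, entity_map)
    return entity_map


def expired_entities(master_list, retention_days, today):
    """Entities whose relationship ended more than retention_days before today."""
    cutoff = today - timedelta(days=retention_days)
    return {e["id"] for e in master_list if e["ended"] is not None and e["ended"] < cutoff}


def locations_to_remediate(master_list, rows, files, retention_days, today):
    """Locations holding data about entities that should have been forgotten."""
    entity_map = build_entity_map(master_list, rows, files)
    expired = expired_entities(master_list, retention_days, today)
    return {eid: sorted(entity_map.locations.get(eid, ())) for eid in sorted(expired)}


if __name__ == "__main__":
    # 2190 days (about six years) is a constructed policy value, not the bank's.
    for eid, locs in locations_to_remediate(MASTER_LIST, TABLE_ROWS, FILES, 2190, date(2026, 6, 1)).items():
        print(eid, locs)
```

The two scanners differ in exactly the way the text describes: the table scanner trusts whole cell values and can profile a column from a small sample, while the file scanner has to tokenise free text and is only as good as the token patterns it knows, which is why targeting it at folders known to hold the relevant data pays off.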
Case study: How entity-based retention helped a leading financial institution address GDPR legislation
We helped a leading UK challenger bank with 1200 users and 200 data sources, including a large DB estate with highly variable types, address their data retention policies. Like many financial institutions, they found themselves in a fix with respect to GDPR and data retention. They had diligently set up a data retention policy, as required by the regulation, but there was a critical issue: implementation.
When an external audit identified gaps in how they managed their data governance, they were asked to prove that they could identify and delete all customer information a set period after the individual had ceased to be a customer.
However, our customer had no way to identify which data contained references to those specific customers who were now outside the retention period so that they could remediate or remove those data. They also had limited resources and expertise internally to deliver this project within the timeframes needed.
This is where entity-based retention stepped in. It enabled the identification of data based on who it refers to, thus allowing us to pinpoint the exact data that must be removed.
A new era of data retention
GDPR is ushering in a new era of data retention. This regulation imposes stringent requirements on how organisations handle personal data. One of its core tenets is the principle of storage limitation, which means that personal data should not be retained longer than necessary for the purposes for which it was collected.
Entity-based retention provides the technology to implement the resulting data retention policies that need to be based on who the data is about, not how old the data is. This not only ensures compliance with GDPR but also enhances data security and privacy, fostering trust among customers and partners.
In conclusion, entity-based retention represents a shift in the way organisations manage and retain data. It goes beyond the simplistic approach of using document age and focuses on the entities to which data relates. While it is a powerful strategy for GDPR compliance, its benefits extend to overall data governance, security, and customer trust. In an era where data is both an asset and a liability, leveraging entity-based retention is essential for organisations aiming to thrive in the data-driven landscape.