Implement a policy for managing the retention period of your data. It is a legal obligation to limit storage and use to strictly necessary. Choucroute is doing this. This is our product news.
Why define the data lifecycle and apply retention periods?
It’s party time at the Choucroute company’s premises. They are celebrating the implementation of a mega data lake that will aggregate all customer and prospect data collected by each internal service:
- Customer profiles, contact details, names, first names, lead or complaint forms;
- Quotes, invoices, contracts, purchase orders;
- Online navigation data, real-time tracking by GPS navigation data.
DMP, CDP, CRM… all the group’s tools will be plugged into this database. Each department will use it for its needs.
If you ask an employee if retention periods are applied, they will tell you that in Choucroute, everything is good. Nothing is ever thrown away…
- Because it’s the law, personal data is not stored for pleasure or because it might be helpful someday. A specific purpose is defined, and the data is used for the necessary period and then deleted.
- Because if the database is ever hacked, it will be less data captured for the hacker. Not that our DPO doesn’t trust his company’s cybersecurity policy… but it’s better to limit risks.
- Because it avoids complaints if a customer asks to have their data deleted, it’s not to discover a few months later that it was still being kept.
- Because there is no point in prospecting someone who doesn’t like or no longer likes Choucroute.
- Because it’s good for the planet, every stored data requires energy consumption, bandwidth, and servers. It’s better to keep only the most valuable data in Choucroute.
How to implement retention periods?
At Choucroute, they had a simple image of a data lake. A vast pool, pipes that bring in data flows. And everyone comes to get what they need from it.
Armed with a copy of the CNIL guide from July 2020 on retention periods, our DPO wanted to implement a data lifecycle. It’s necessary to comply with GDPR.
- The developers explained to the DPO that this data lake was a bit like a pool without the drain plug at the bottom that was used to empty the water. So he asked them to plan automatic data purge routines. He will come back next week to make sure they understood the request…
- He asked each internal department and each service provider to document everything: which are the user services? What are the primary purposes for using the data? What data is used?
- He questioned each department’s employees. He wanted to know: Is this data used? Why? How long is it retained?
Everyone had to negotiate the right to keep each piece of data for a certain period. Naturally, this put an end to some dreams:
- Some already imagined walking around the halls with a suitcase full of copies of identity cards. But now, documents will be deleted once the client’s identity is verified…
- In the marketing department, they are proud of their database of 10,000 prospects. It has been five years since anyone has read the newsletters, but still… After the purge, 200 contacts are not as sexy anymore.
- No one will experience the thrill of accessing a data table containing clients’ banking details. So, Choucroute Online will be an e-commerce site that secures its customers’ data.
- “Everyone will only have their share of Choucroute”! From now on, data access will be reserved for authorized services and service providers and only to the extent of what they need. Data used for business purposes will be stored for a specific duration.
“No Choucroute without lawyers,” exclaimed the outraged lawyers. The data will not be deleted at the end of the retention period, but business teams will no longer have access to it. It will be archived in an intermediate archive database. In the event of a dispute, lawyers will be able to obtain the necessary data from administrators:
- who have kept this data in the same database but are now the only ones accessing it;
- or who have moved this data to a separate server from the active database and are the only ones with access rights.
- Once the retention periods corresponding to business needs and the period for archiving data for a legal period have passed, the data will be deleted or anonymized.
What retention periods to apply?
Building a retention period policy means keeping a repository up to date.
To determine relevant periods, you can rely on the following: