Preventing the Storage Limitation Principle from Becoming an Elusive Dream

Author: Muneeb Imran Shaikh, Privacy & Information Security Consultant
Date Published: 3 September 2024
Read Time: 6 minutes

Humans have an innate nature to codify their experiences. We codify our experiences in the form of memories within our memory banks to ensure that we can reconnect with them, identify them and cherish them.

It is this desire to codify everything which has led to the datafication of societies. Data is a medium that enables the codification of our identities and experiences, and this data can then be further pruned to generate intelligence from it for the overall benefit of society.

With the ever-increasing number of data points that define us and our choices, enterprises are able to create value through data collection, processing and storage. With computational, storage and better analytical capabilities at their disposal, they are well positioned to store excessive amounts of personal data and to process it as well.

Numerous personal data protection regulations, standards and frameworks have put forward principles that require personal data to be stored only for as long as it is useful or a legal basis for it exists. However, it is concerning that this objective still remains a utopian concept for many.

Data retention is an important concept that must be applied to ensure the objectives of storage limitation are upheld. In principle, data retention is the act of storing personal data within the Information and Communication Technology (ICT) infrastructure for organizational use. However, since some technical taxonomies and nomenclatures were defined in the pre-privacy era, they fail to capture its actual essence. We therefore see in the industry that data archiving is treated as a concept separate from data retention, even though both involve the act of storage. It is important to realize that archiving is synonymous with retention.

The differentiation created by the nomenclatures of data retention and archiving obscures the fact that in both scenarios the act of data storage continues to take place. Therefore, if an organization has moved data from the retention infrastructure (online environment) to an alternative environment deemed archived data, that does not eliminate the risks of personal data exposure or of unauthorized processing or storage. Any data stored (retained) in any environment without a legal basis is therefore unlawful and violates the personal data protection principle of storage limitation.

It is therefore proposed here that data retention should be understood as comprising both online and archival storage of the data, in separate infrastructure components. The online data is the warm or hot data on which the revenue stream depends. If this data is impacted, it will adversely affect the data subjects and the organization’s ability to create value.

The archived data, by contrast, is the refrigerated or cold storage data on which the business revenue stream does not depend, but which needs to be retained for fraud or other investigation purposes. If such personal data is exposed or compromised, it may likewise bring about adverse consequences for the data subjects.

It is useful to take a hypothetical scenario to unpack the constituents of the storage limitation principle and see how it can be applied in practice.

Consider a hypothetical product named “Financial Risk Indulgence Score” that provides credit card companies with a score for the consumers who use their credit cards. The company develops an underlying algorithm that calculates the risk score, and it requires a maximum of three years of personal spending records to generate a credible risk score. Additionally, the credit card companies are mandated by a regulatory instrument to maintain consumer spending records for up to five years.

Taking into account the above requirements, the retention period (including archive) can be considered as five years and can be broken down as follows.

Driver for data retention        Storage period
Business obligation              Maximum of three years.
Regulatory requirement           Maximum of five years.

The above business requirements must be translated into the IT design to ensure that both the business and regulatory requirements are fulfilled along with the principle of storage limitation.

DATA LIFECYCLE STAGES

Online environment:   HOT DATA (latest data up to three years).
Archived environment: COLD DATA (any data which is older than three years but not older than five years).
Disposal:             Any data that is older than five years from its inception must be disposed of.
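The three lifecycle stages above are a tiering rule over a record’s age, and the practical value is in getting the boundaries and the exceptions right. The following is an added example (it is not code from the article) that expresses the 3-year online / 5-year archive split as a policy object, classifies records against it, and turns the classification into the action each record needs today. The `RetentionPolicy`, `Record` and `legal_hold` names are assumptions introduced here; the legal-hold flag stands for the documented legal basis that the article says must exist before data is kept past its retention period, and the sample records are constructed to sit on and around the boundary dates.

```python
"""Retention tiering for a hot (online) / cold (archive) / dispose scheme."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RetentionPolicy:
    """Retention periods in whole years (3-year business need, 5-year regulatory maximum)."""
    online_years: int = 3    # business obligation: the latest data the scoring algorithm uses
    archive_years: int = 5   # regulatory requirement: total retention including the archive

    def __post_init__(self):
        if not 0 < self.online_years <= self.archive_years:
            raise ValueError("online period must be positive and not exceed the archive period")


def years_ago(today: date, years: int) -> date:
    """Calendar date `years` before `today`; 29 Feb maps to 28 Feb when the target year is not a leap year."""
    try:
        return today.replace(year=today.year - years)
    except ValueError:
        return today.replace(year=today.year - years, day=28)


def tier_for(record_date: date, today: date, policy: RetentionPolicy) -> str:
    """Classify one record by age.

    online  : not older than `online_years`                          (hot/warm data)
    archive : older than `online_years`, not older than `archive_years` (cold data)
    dispose : older than `archive_years`
    A record dated exactly on a boundary counts as "not older than", matching the table.
    """
    if record_date > today:
        raise ValueError(f"record dated in the future: {record_date}")
    if record_date >= years_ago(today, policy.online_years):
        return "online"
    if record_date >= years_ago(today, policy.archive_years):
        return "archive"
    return "dispose"


@dataclass(frozen=True)
class Record:
    record_id: str
    created: date
    legal_hold: bool = False  # assumption: a documented legal basis that overrides disposal


def plan_lifecycle(records, today: date, policy: RetentionPolicy) -> dict:
    """Map each record id to the action the retention scheme requires today.

    A record that is due for disposal but carries a legal hold is kept in the archive
    and labelled as such, so the exception is visible to whoever reviews the run
    instead of being silently skipped.
    """
    actions = {}
    for rec in records:
        tier = tier_for(rec.created, today, policy)
        if tier == "dispose" and rec.legal_hold:
            actions[rec.record_id] = "retain_in_archive_under_legal_hold"
        elif tier == "dispose":
            actions[rec.record_id] = "secure_dispose"
        elif tier == "archive":
            actions[rec.record_id] = "move_to_archive"
        else:
            actions[rec.record_id] = "keep_online"
    return actions


# Constructed sample data, with dates placed on and around the 3- and 5-year boundaries.
TODAY = date(2024, 9, 3)
SAMPLE_RECORDS = [
    Record("r1", date(2024, 1, 15)),                    # recent spending record
    Record("r2", date(2021, 9, 3)),                     # exactly three years old: still online
    Record("r3", date(2021, 9, 2)),                     # one day past three years: archive
    Record("r4", date(2019, 9, 3)),                     # exactly five years old: still retained
    Record("r5", date(2019, 9, 2)),                     # past the regulatory period: dispose
    Record("r6", date(2015, 6, 30), legal_hold=True),   # past the period, but under legal hold
]

if __name__ == "__main__":
    for rid, action in plan_lifecycle(SAMPLE_RECORDS, TODAY, RetentionPolicy()).items():
        print(f"{rid}: {action}")
```

The policy object rejects an online period longer than the archive period, so the design constraint from the table cannot be misconfigured silently, and the plan is returned as data rather than executed, so a disposal run can be reviewed and logged before anything is deleted.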

Designing the retention scheme of personal data in the above proposed manner has the following benefits:

  1. Better business resilience
    The data stored in the online environment is hot/warm data on which the business revenue stream depends; therefore, in case of a crisis or business outage, it is always easier to restore data that is smaller in size. In the above example, restoring three years of data from backup requires less time than restoring five years of personal data.

    This ensures that the personal data is readily available for use or for providing services to the customers.
  2. Reducing the risk of personal data exposure
    When an organization splits and segregates the storage/retention of personal data into two separate environments, online and archive, it mitigates the risk of personal data exposure. Storing all personal data without regard for its hot/cold nature centralizes the data, so a threat actor has a single source to compromise and can lay their hands on a bigger chunk of personal data.

    Also, by segregating the personal data into online and archived environments and implementing the principle of segregation of duties, you can further reduce the risk surface: individuals who manage the infrastructure containing online data should be prevented from accessing the cold data contained in the archived environment. Alternatively, administrative procedures can be created to ensure that cross-referencing of personal data is controlled and driven only by a lawful purpose.

    When the personal data is physically, logically or administratively segregated, it creates more hurdles for threat actors seeking to lay their hands on the personal data of individuals.
  3. Operational efficiency
    The online data requires more rigorous and frequent backups, since changes to such data are more frequent than to the data that needs to be archived. An organization may afford the luxury of backing up archived data at a much lower frequency, thus reducing human effort and computational cycles.

It is important to reiterate here that the data retention period identified within the privacy notice is a commitment towards the individuals/data subjects, and hence the personal data must be securely disposed of at the end of the retention period. If the personal data is not securely disposed of at the conclusion of the retention period, then it defies the essence of the storage limitation principle and compromises the rights of the individuals.

If the organization wishes to retain the personal data indefinitely, then it must rest on a sound legal basis and such personal data must be safeguarded by adequate controls.

About the author: Muneeb is a Privacy & Information Security Consultant with a forte in strategy, program development, governance and compliance. Based in the Middle East region, he has worked with clients from the financial, governmental and telecommunication sectors to help them develop and implement cybersecurity and privacy programs in accordance with their regulatory, legal and compliance requirements.

He has contributed his knowledge and expertise through various writings, podcasts, policy reviews and conference appearances.

For more details, visit: https://www.linkedin.com/in/muneebimranshaikh/
