Restructuring your data retention practices: what you should be thinking about


GDPR and POPIA regulation has made it imperative for companies and product developers to think about restructuring their data protection systems.

Regulation can protect individuals and communities from harm and misuse of data, and help maintain the trust that enables innovation and change.

This is a quote from Google’s Framework for Responsible Data Protection Regulation, which was published way back in 2018. Of late, it may seem fashionable for companies to restructure their data retention practices, but it has been a long time coming.

Recently, Google announced changes to its data retention practices, including new privacy improvements to some of its products. Among the changes are a default auto-delete setting that removes stored account activity after 18 months, easier access to your privacy settings, and a summary of your account security settings that Google will now provide to you.

On 22 June 2020, the Presidency announced the long-awaited commencement of the crucial sections of the Protection of Personal Information Act, 4 of 2013 (POPIA).

This has made it imperative for companies and product developers to think about restructuring their data protection systems. You may have heard the term “Data Protection by Design”, which is dealt with in Article 25 (data protection by design and by default) of the General Data Protection Regulation (GDPR) of the European Union. The principle requires that data protection measures be built into any data processing activity from the outset, rather than bolted on afterwards. While POPIA does not use this specific terminology, its conditions for lawful processing apply the same principle. Here is a list of things you should be considering when deciding how to restructure your data retention systems and procedures:

1. Only ever ask for data that you really need to assist your customer

This is a legal requirement under both POPIA (the minimality condition in section 10: information must be adequate, relevant and not excessive for its purpose) and the GDPR (data minimisation, Article 5(1)(c)). For example, a hospital may require extensive information regarding your medical history and the contact details of family members, but signing up for a satellite television service should not.

2. Only ever keep data that you will need to assist a customer in an ongoing business relationship

Keep your database as clean as possible. The more information you keep, the more difficult it becomes to keep track of and audit it. Keeping unnecessary information increases the harm to your customers and the liability to your business in the event of a data breach: data you do not hold cannot be leaked.

3. Think about the nature of your business, the legal requirements, and any other obligations you may have to retain personal information collected and tailor your retention practice to suit your firm.

Your business may require you to process credit card transactions. Depending on where you are in the world or where you are conducting business, there may be a legal requirement to retain the transaction information. Another example is the Financial Intelligence Centre Act 38 of 2001 (FICA), which requires certain businesses to retain records relating to client identities for a prescribed period. If you are obligated to retain personal information, then you must ensure that you meet the applicable legal requirements, and that the retention period is tied to that obligation rather than to ordinary business convenience. Where products are supplied through online retail hubs, the supplier usually does not receive the customer's personal information, and the hub then assumes responsibility for the information it collects.

4. Setting a time period for the retention of any personal information

Under both POPIA and the GDPR, data subjects have the right to access their personal information and to request its correction or deletion. Both laws also limit how long you may keep it: POPIA (section 14) requires that records not be retained longer than is necessary for the purpose for which they were collected, and the GDPR's storage limitation principle (Article 5(1)(e)) says the same. After a reasonable amount of time, the retention of personal information may become unnecessary, depending on the services your business offers. To prevent the retention of unnecessary information, put a system in place that periodically reviews the personal information held and removes what is no longer needed once its retention period has lapsed, while preserving records that are subject to a statutory retention obligation or a legal hold, since a deletion request does not override those.
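Points 3 and 4 together describe a retention sweep: each category of personal information has a retention period tied to its purpose, records are purged when that period lapses, and a data subject's deletion request is honoured unless a statutory retention duty or legal hold overrides it. The following is an added illustration of that logic, not code from the original article or from any regulator or vendor; the purposes, the retention periods in `RETENTION_DAYS`, the `Record` fields and the sample records are all constructed assumptions chosen to exercise the decision rules, not a legal schedule for any jurisdiction.

```python
"""Retention sweep and erasure-request handling for a simple record store."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Hypothetical retention schedule in days, keyed by the purpose for which the
# data was collected.  Illustrative only: real periods come from the statute or
# contract that justifies keeping the data in the first place.
RETENTION_DAYS = {
    "service_delivery": 18 * 30,   # roughly 18 months after last activity
    "marketing": 365,              # consent-based, so kept briefly
    "fica_identity": 5 * 365,      # statutory identity-record retention
    "payment_transaction": 5 * 365,
}
# Purposes whose retention is imposed by law: they survive an erasure request
# and their clock runs from the end of the relationship, not from last use.
STATUTORY_PURPOSES = {"fica_identity", "payment_transaction"}

Decision = Tuple[str, str]   # (record_id, reason)


@dataclass
class Record:
    record_id: str
    subject_id: str
    purpose: str
    last_activity: datetime
    legal_hold: bool = False                      # litigation/regulator hold
    relationship_ended: Optional[datetime] = None  # None while still a customer


def retention_deadline(rec: Record) -> Optional[datetime]:
    """Date after which the record may no longer be kept; None if unknown purpose."""
    days = RETENTION_DAYS.get(rec.purpose)
    if days is None:
        return None
    start = rec.last_activity
    if rec.purpose in STATUTORY_PURPOSES and rec.relationship_ended is not None:
        start = rec.relationship_ended
    return start + timedelta(days=days)


def scheduled_sweep(records: List[Record], now: datetime) -> Tuple[List[Decision], List[Decision]]:
    """Periodic review: returns (delete, retain), each with the reason recorded."""
    delete, retain = [], []
    for rec in records:
        deadline = retention_deadline(rec)
        if rec.legal_hold:
            retain.append((rec.record_id, "legal hold"))
        elif deadline is None:
            # Fail closed: data with no documented purpose is flagged, not silently dropped.
            retain.append((rec.record_id, "no retention period defined; manual review"))
        elif now >= deadline:
            delete.append((rec.record_id, f"retention expired {deadline.date()}"))
        else:
            retain.append((rec.record_id, f"retain until {deadline.date()}"))
    return delete, retain


def erasure_request(records: List[Record], subject_id: str, now: datetime) -> Tuple[List[Decision], List[Decision]]:
    """Handle a data subject's deletion request; statutory duties and holds override it."""
    delete, retain = [], []
    for rec in records:
        if rec.subject_id != subject_id:
            continue
        deadline = retention_deadline(rec)
        if rec.legal_hold:
            retain.append((rec.record_id, "legal hold"))
        elif deadline is None:
            retain.append((rec.record_id, "no retention period defined; manual review"))
        elif rec.purpose in STATUTORY_PURPOSES and now < deadline:
            retain.append((rec.record_id, f"statutory retention until {deadline.date()}"))
        else:
            delete.append((rec.record_id, "erasure request; no overriding obligation"))
    return delete, retain


# Constructed sample data (not real customers) evaluated at a fixed "now".
UTC = timezone.utc
SAMPLE_NOW = datetime(2021, 1, 1, tzinfo=UTC)
SAMPLE_RECORDS = [
    Record("r1", "carol", "service_delivery", datetime(2019, 1, 1, tzinfo=UTC)),
    Record("r2", "alice", "marketing", datetime(2020, 6, 1, tzinfo=UTC)),
    Record("r3", "alice", "fica_identity", datetime(2015, 1, 1, tzinfo=UTC),
           relationship_ended=datetime(2018, 1, 1, tzinfo=UTC)),
    Record("r4", "bob", "payment_transaction", datetime(2014, 1, 1, tzinfo=UTC), legal_hold=True),
    Record("r5", "carol", "analytics", datetime(2020, 12, 1, tzinfo=UTC)),  # purpose never documented
]

if __name__ == "__main__":
    print("sweep:", scheduled_sweep(SAMPLE_RECORDS, SAMPLE_NOW))
    print("erasure for alice:", erasure_request(SAMPLE_RECORDS, "alice", SAMPLE_NOW))
```

Two design choices matter more than the numbers. First, every decision carries a reason, because the sweep's output is itself a record you will need to show a regulator or a customer who asks what happened to their data. Second, the sweep fails closed: a record whose purpose has no documented retention period is flagged for review rather than deleted, since deleting it would hide the fact that the business was holding data it could not justify.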

5. Make your policy user-friendly

Data protection is about trust. It is about a culture of respecting personal information. Allowing customers to access what you know about them is an important aspect of that trust. A company should be clear about the data it is retaining, how long it keeps it and the purpose for which it is being retained, by publishing an easy-to-understand data retention practice.