Recent enforcement actions by data protection authorities in the European Union demonstrate that they’re more than willing to enforce GDPR Article 5. Take, for example, the experience of a taxi company in Denmark.
This company had data retention and deletion policies in place, but authorities found that it wasn’t properly adhering to them. As a result, the Danish Data Protection Agency recommended a fine of DKK 1.2 million (USD $183,000).
This high-profile fine demonstrates that European authorities are serious about enforcing GDPR. Having the right policies on paper is not enough — businesses need to ensure they’re following through on them, too.
What Does GDPR Article 5 Require?
GDPR Article 5 details the standards organizations have to follow when processing personal data. These standards account for transparency, legitimate data use and security, among other things.
For example, Article 5(1)(b) specifies that personal data may only be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.” GDPR Article 5(1)(c) addresses data minimization by requiring that personal data be limited to what is necessary relative to the purpose for which it is processed. And Article 5(1)(e) — the one that’s most relevant to the taxi company example — specifies that data cannot be stored any longer than is necessary for the purposes it was gathered for.
Failure to Comply
The Danish taxi company maintained that it made personal data relating to customer-ordered taxi rides anonymous after two years by deleting customer names. The taxi company’s data processor, however, still retained other identifiers such as telephone numbers and geolocation information that could link data to an identifiable person. Denmark’s data protection authority concluded that removal of just the person’s name was not sufficient anonymization.
The Danish Data Protection Agency also faulted the taxi company’s use of clients’ telephone numbers, rather than a unique identification number, as references in its processing system for an additional three years. Interestingly, the agency rejected the notion that prohibitive cost excused the failure to modify the processing system to use reference numbers rather than telephone numbers. The data protection agency determined that the GDPR Article 5 data minimization requirements had thus been violated.
The Danish Data Protection Agency also decided that shortcomings in the taxi company’s data retention and deletion procedures resulted in GDPR Article 5 violations. The data protection authority pointed out that the regulated community must be able to demonstrate the means by which personal data is deleted in systems and in backup files. Organizations also need to specify exactly when such data is deleted. The data protection agency determined that manually updating deletion logs was not sufficient. As such, the agency recommended a fine for the taxi company.
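To make the three findings above concrete, here is an added example (not code from the article, the taxi company or its processor) showing, on constructed ride records, why deleting only the name leaves a direct identifier behind, how a keyed reference can replace the telephone number in the processing system, and how retention can be enforced by code that writes its own deletion record rather than relying on a manually updated log. The HMAC-based reference, the 730-day window (the article’s two years) and the field names are assumptions for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample rides; the names, numbers and coordinates are not real.
RIDES = [
    {"ride_id": 1, "customer_name": "A. Example", "phone": "+4500000001",
     "pickup_geo": (55.6761, 12.5683),
     "ordered_at": datetime(2021, 1, 10, tzinfo=timezone.utc)},
    {"ride_id": 2, "customer_name": "B. Example", "phone": "+4500000002",
     "pickup_geo": (55.6800, 12.5700),
     "ordered_at": datetime(2023, 6, 1, tzinfo=timezone.utc)},
]

# Fields that on their own identify a person (assumed field names).
DIRECT_IDENTIFIERS = ("customer_name", "phone")


def strip_name_only(ride):
    """The approach the regulator rejected: drop the name, keep everything else."""
    out = dict(ride)
    out.pop("customer_name", None)
    return out


def remaining_direct_identifiers(ride):
    """List the direct identifiers still present after a 'deletion' step."""
    return [field for field in DIRECT_IDENTIFIERS if field in ride]


def reference_id(phone, key):
    """Derive an opaque reference from the phone number with a keyed HMAC.
    The key lives outside the processing system, so the reference alone does
    not reveal the number (an assumed design, not the company's)."""
    return hmac.new(key, phone.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(ride, key):
    """Replace both direct identifiers with a single reference number."""
    out = {k: v for k, v in ride.items() if k not in DIRECT_IDENTIFIERS}
    out["customer_ref"] = reference_id(ride["phone"], key)
    return out


def apply_retention(rides, now, retention_days, store_name, deletion_log):
    """Delete rides older than the retention window and record each deletion
    (which record, which store or backup, when, why) automatically."""
    cutoff = now - timedelta(days=retention_days)
    kept = []
    for ride in rides:
        if ride["ordered_at"] < cutoff:
            deletion_log.append({
                "ride_id": ride["ride_id"],
                "store": store_name,
                "deleted_at": now.isoformat(),
                "reason": f"retention of {retention_days} days exceeded",
            })
        else:
            kept.append(ride)
    return kept


if __name__ == "__main__":
    key = b"example-key-held-outside-the-processing-system"
    print("after name removal:", remaining_direct_identifiers(strip_name_only(RIDES[0])))
    print("pseudonymized:", pseudonymize(RIDES[0], key))
    log = []
    kept = apply_retention(RIDES, datetime(2024, 1, 1, tzinfo=timezone.utc),
                           730, "primary-db", log)
    print("kept:", [r["ride_id"] for r in kept], "deletion log:", log)
```

Run the same `apply_retention` call once per store (primary database, each backup set) so the log shows where and when each copy was removed; the geolocation column is left in place here because whether it still singles out a person is a separate assessment the example does not make.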
Takeaways for GDPR Compliance
What this means for the regulated community is that organizations need to have more than a mere paper program for data retention and deletion. That translates into having data retention, deletion and privacy policies on the books, as well as procedures for implementing them meaningfully. Half-baked, less-than-rigorous efforts in this regard are not going to fly with regulators.
Organizations need to protect themselves and the personal data of their customers by implementing thorough policies and procedures. That means developing or updating policies so they’re clear and in conformance with GDPR specifics. It also means modifying systems to adhere to those specs. Equivocating or making excuses will not pass muster with regulators.