Even under the Data Safety Instruction, companies and organizations must not continue storing and processing personal data for any longer than is required. The same will apply when the General Data Protection Regulation (GDPR) comes into effect on 25 May 2018.
The fact that the general requirements aren't changing doesn't mean that businesses need not take any action. People will have stronger rights concerning access to their personal data when GDPR becomes a reality. These stronger rights mean that it makes sense for businesses to review the data they hold and check their processing and deletion procedures.
Why does this make sense?
Changes such as shorter periods for dealing with a subject access request (SAR) mean that it pays for businesses to make sure that all of the data they process is rationalized. In any case, the less data that is held, the less time it takes to handle a SAR.
How long must data be kept?
There might be official or legal reasons why personal data is being kept and can't be erased. These reasons can even override a person's right to be forgotten, which will exist under GDPR. If these reasons don't exist, personal data must only be stored for as long as it is required, having regard to the original purpose for collecting the data. For example, data must no longer be processed if an agreement has been completed, or if a person has withdrawn consent.
Businesses must be getting ready for GDPR by taking an inventory of the data they are processing, reviewing retention periods and erasing data correctly, either by removing all data from their records or by removing those items of data that allow a person to be identified.