Data retention is always a challenge for organisations. Organisations just love retaining data and, well, storage is pretty cheap these days. Whilst the costs of getting retention wrong (e.g. not being able to recover from a ransomware attack) are always high, a recent GDPR fine decision in Germany highlights that the data retention problem could get a lot more expensive if done badly. Is your organisation a long-standing hoarder of unlawfully processed data? Does it run a non-compliant archiving solution, thinking anything implemented pre-GDPR is out of scope? Is it implementing new systems without a Data Protection by Design and Default framework? If the answer to any of these questions is yes, you may be exposed to the risk of a regulatory fine such as the €14.5million facing real estate firm Deutsche Wohnen SE.
Background to the Data Retention fine
Translated from the Press Release:
On October 30, 2019, the Berlin Commissioner for Data Protection and Freedom of Information found against Deutsche Wohnen SE (“Controller”) imposing a fine of EUR14.5million for infringements of the General Data Protection Regulation (GDPR). During on-site inspections in June 2017 and in March 2019, the supervisory authority found that the company stored personal data of tenants in an archive system that provided no capability to remove personal data that was no longer required. Personal data of tenants were saved without checking if storage was permitted or even required.
In some cases, many years of old personal data of affected tenants were unlawfully collected. The data included details such as salary certificates, self-disclosure forms, extracts from employment and training contracts, tax, social and health insurance data, as well as bank statements.
After the Berlin DPA initially investigated in 2017, the company changed the archive system in March 2019. The migration, however, took more than one and a half years after the investigation and nine months after the General Data Protection Regulation (GDPR) began to apply. Additionally, there was no lawful basis for the continued storage of this dataset. Although the company had made some efforts to remediate the data protection issues identified, these measures still did not lead to the establishment of a lawful basis for the storage of the personal data.
The imposition of a fine for infringements of Article 25(1) and Article 5 of the GDPR for the period between May 2018 and March 2019 was therefore mandatory. GDPR obliges supervisory authorities to ensure that fines in each individual case are not only effective and proportionate but also deterrent. The starting point for the calculation of fines is, inter alia, the gross revenue achieved by the affected company in the previous year. The annual report for Deutsche Wohnen SE in 2018 reported annual sales of over one billion Euro. This figure was the basis for calculating a fine of ~EUR28million for the detected data protection violation.
In determining the fine, the Berlin DPA took account of both aggravating and mitigating factors. An aggravating factor was that the archive structure had been deliberately created and had been in operation for years, and therefore the unlawful processing had been in operation for the same period. In mitigation, the Controller had taken some action to clean the dataset and remove unlawfully held records. A further mitigating factor was that the Controller cooperated with the Supervisory Authority. As such, the fine was reduced from the maximum to EUR14.5million.
What are Article 25(1) and Article 5?
Data Retention and GDPR Article 25(1)
Article 25 of GDPR deals with Data Protection by Design and Default. In layperson's terms, it means:
“When a system is going to be used to process personal data, data protection requirements must be built-in from the ground up.”
This means that if an organisation is building a data retention solution such as a data warehouse, or establishing an archiving solution for email or for any other dataset, there must be a clear process for ensuring data protection is incorporated into the design. Once the system is built, it must then go through an assurance process to confirm that those data protection design requirements have been implemented effectively.
Data Retention and GDPR Article 5
Article 5 deals with the 6 core data protection principles, which are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
Article 5 also makes it clear that the controller shall be responsible for, and be able to demonstrate compliance with, the above data protection principles.
What does this data retention fine mean for my business?
In the case of the German Data Controller, they implemented an archiving system prior to GDPR, and that archive was found to be non-compliant. Instead of putting in the effort. If your organisation is using an archiving solution that doesn't comply with the Data Protection by Design & Default requirements, you may be exposed to regulatory censure. If you want to know more about how to become compliant, or need a framework for Data Protection by Design, then get in touch. We can help!
About The Author
Stephen Massey is the Managing Director of Fox Red Risk, a boutique Cyber Security and Data Protection consultancy. Stephen has worked in the information security risk, business continuity and data protection world for nearly 20 years. Stephen has delivered complex security programmes across defence, real estate and financial services. Stephen has also authored the popular book “The Ultimate GDPR Practitioner Guide” which is available on Amazon in both paperback and Kindle eBook.
About Fox Red Risk
Fox Red Risk is a boutique data protection and cybersecurity consultancy and Managed Security Service Provider which, amongst other things, helps client organisations with implementing controls frameworks for resilience, data protection and information security risk management. Call us on 020 8242 6047 or contact us via the website to discuss your needs.