All you need to know about the Data Retention under the GDPR

Any organization that collects personal data from individuals in the European Union is subject to the GDPR's compliance requirements, wherever the organization itself is based. One of the core principles of the General Data Protection Regulation is storage limitation, also known as the data retention principle.

The principle states that:

  1. The organization must not keep users' personal data for any longer than it needs it;
  2. It must be able to justify the retention period, i.e. how long it will hold the personal data and which purpose that period serves;
  3. The organization must have a data retention policy that specifies the time frames for which each category of data is retained;
  4. Organizations must periodically review the data they hold and either delete it or anonymise it once it is no longer needed;
  5. Organizations must honour the data subject's right to erasure, which applies in particular when the data is no longer necessary for the purpose it was collected for;
  6. Lastly, data may be stored for longer periods where it is processed solely for archiving in the public interest, scientific or historical research, or statistical purposes, subject to appropriate technical and organisational safeguards.

In simple terms, the GDPR data retention principle lays down that data collected or processed may be retained only for as long as it is needed for the purpose for which it was collected.

It is to be noted here that data controllers and processors are obligated to ensure that personal data is securely deleted once it is no longer required (a processor must, at the end of its engagement, delete the data or return it to the controller). Under the GDPR, personal data cannot be retained indefinitely. Recital 39 of the GDPR states that controllers should establish time limits for erasure or for periodic review, and must ensure that personal data is erased once it is no longer required.

In many cases it is necessary to hold data even after the purpose for which it was collected has been fulfilled, for example to meet a statutory retention obligation (tax, employment or accounting law) or because of pending or anticipated legal proceedings. These grounds must be stated in the organization's data retention policy for such retention to be lawful.

A data retention policy must also state what happens to the data at the end of the retention period. The organization should document the methods it will use to destroy or delete the data once the period expires. An alternative at the end of the retention period is to remove from the personal data every identifier that could be used to single out the user. In that case the policy must name the specific data elements that will be removed, so that the user can no longer be identified from what remains.
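The points above (retention period per purpose, a documented exception for legal holds, and a per-purpose choice between deletion and stripping named identifier fields) can be turned into a periodic review job. The following is an added example written for this page, not code from the original newsletter or from any regulator; the retention schedule, field names and sample records are constructed assumptions chosen to exercise each branch.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed retention schedule keyed by processing purpose. The periods,
# actions and identifier lists are illustrative assumptions for this example;
# a real schedule comes from the organisation's own documented policy.
RETENTION_SCHEDULE = {
    "order_fulfilment": {"days": 365, "action": "anonymise",
                         "identifiers": ("name", "email", "address", "ip")},
    "marketing":        {"days": 730, "action": "delete"},
    "invoice":          {"days": 7 * 365, "action": "delete"},  # statutory-style period
}


@dataclass
class Record:
    record_id: str            # internal row key, assumed not to be a customer identifier
    purpose: str
    collected_on: date
    legal_hold: bool = False  # documented exception: litigation / audit hold
    fields: dict = field(default_factory=dict)


def expiry_date(rec: Record) -> date:
    """End of the retention period; an unknown purpose raises KeyError on purpose,
    because data with no documented purpose has no lawful retention period."""
    return rec.collected_on + timedelta(days=RETENTION_SCHEDULE[rec.purpose]["days"])


def anonymise(rec: Record) -> Record:
    """Drop every field the schedule names as an identifier and keep the rest.
    The remaining fields must still be reviewed for indirect re-identification
    (e.g. a rare country + amount combination); that check is not automated here."""
    identifiers = RETENTION_SCHEDULE[rec.purpose].get("identifiers", ())
    kept = {k: v for k, v in rec.fields.items() if k not in identifiers}
    return Record(rec.record_id, rec.purpose, rec.collected_on, rec.legal_hold, kept)


def run_retention_review(records, today: date):
    """One periodic review. Returns (retained, anonymised, deleted_ids, held):
    records still inside their period, records stripped of identifiers,
    ids scheduled for secure deletion, and expired records kept under legal hold."""
    retained, anonymised, deleted, held = [], [], [], []
    for rec in records:
        if today < expiry_date(rec):
            retained.append(rec)
            continue
        if rec.legal_hold:
            held.append(rec)          # expired, but retained on a documented ground
            continue
        if RETENTION_SCHEDULE[rec.purpose]["action"] == "anonymise":
            anonymised.append(anonymise(rec))
        else:
            deleted.append(rec.record_id)
    return retained, anonymised, deleted, held


# Constructed sample data: one record per branch of the review.
REVIEW_DATE = date(2022, 10, 28)
SAMPLE_RECORDS = [
    Record("r1", "order_fulfilment", date(2021, 6, 1),
           fields={"name": "A. Example", "email": "a@example.test", "ip": "203.0.113.7",
                   "order_total": 42.0, "country": "DE"}),        # expired -> anonymise
    Record("r2", "marketing", date(2022, 1, 15),
           fields={"email": "b@example.test"}),                    # still in period
    Record("r3", "marketing", date(2020, 1, 1),
           fields={"email": "c@example.test"}),                    # expired -> delete
    Record("r4", "invoice", date(2014, 3, 1), legal_hold=True,
           fields={"name": "D. Example", "amount": 10}),           # expired but on hold
]

if __name__ == "__main__":
    retained, anonymised, deleted, held = run_retention_review(SAMPLE_RECORDS, REVIEW_DATE)
    print("retained :", [r.record_id for r in retained])
    print("anonymised:", [(r.record_id, r.fields) for r in anonymised])
    print("delete    :", deleted)
    print("legal hold:", [r.record_id for r in held])
```

The review job only decides; the actual secure deletion and the anonymised rewrite belong to the storage layer, and every decision (including each legal hold) should be logged so the organisation can later show that the schedule in its policy is what was applied.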

Major Privacy Updates of the Week

Australian Health Insurer Medibank Suffers Breach Exposing 3.9 Million Customers' Data.

Following a recent ransomware attack, Medibank, one of Australia's largest health insurers, revealed that personal information belonging to all of its customers had been accessed without authorization. The company said the attackers had access to "substantial volumes of health claims data" as well as personal information from its international student and ahm health insurance businesses. The cost of the attack is expected to range from AUD 25 million to 35 million. Medibank has acknowledged that it was approached by a criminal actor claiming to have stolen 200 GB of data.

Hive ransomware gang leaks data stolen during Tata Power cyberattack.

The Hive ransomware-as-a-service (RaaS) group has claimed responsibility for the recent cyberattack on Tata Power, a leading Indian energy company, and has begun publishing stolen employee data. On October 14, Tata Power, which serves more than 12 million customers through its distribution businesses, acknowledged that it had been the victim of a cyberattack that affected some of its IT systems. Hive listed Tata Power on the dark web leak site it uses to publicize attacks and stolen data; the listing suggests that any negotiations over a ransom payment failed.

Pro-Chinese Disinformation Group Attempts to Undermine US Midterm Elections.

A pro-China disinformation operation known as Dragonbridge has been actively targeting the United States with the aim of isolating it from its European allies and deepening its partisan divisions. The campaign's goal has been to delegitimize the American political system and discourage Americans from voting in the approaching midterm elections. It has also tried to cast doubt on the productivity of U.S. lawmakers and to question whether the legislative process has any real impact on American lives.

UK’s Information Commissioner Fines Interserve Group Over Inadequate Security.

Interserve Group Limited, a facilities management outsourcing and construction company, was fined £4.4 million (about $5 million) by the UK Information Commissioner's Office (ICO) for failing to put sufficient security measures in place ahead of a 2020 cybersecurity incident. Information belonging to 113,000 employees was stolen after attackers gained access to Interserve's networks. According to the ICO, Interserve was running out-of-date antivirus software and unsupported versions of Windows Server at the time of the incident.

Black Reward Hackers Attack Iran's Atomic Energy Agency and Steal 50 GB of Data Including 100K Emails.

A group of hackers opposed to the Iranian government has allegedly breached the network of a subsidiary of the Atomic Energy Organization of Iran and gained access to its email server. The target was the Bushehr-based Atomic Energy Production and Development Company, and the collective known as Black Reward has claimed responsibility. The group says it obtained 50 GB of internal communications, development plans for the government's nuclear power plant, and contact information, and has posted part of the material on its Telegram channel.

Curated by: Prajwala D Dinesh, Ritwik Tiwari, Aarlin Moncy
