
Do you need to take data deletion out of the "too difficult" box?

Back in 2016, when GDPR was a mere blot on the horizon, I had a client who already had a data retention policy for their organisation. It was a thing of beauty, setting category-by-category retention periods, and specifying the legal requirements from which each retention period was derived. The only problem was that their legacy systems couldn't delete data. Someone had calculated that the cost of rolling out the required IT changes was many times greater than the maximum possible fine (at the time) of £500,000, so instead they were storing hundreds of thousands of obsolete records, entirely ignoring the policy.

This client's position was exceptional (not least because they'd actually got a data retention schedule), but the outcome was similar to one that many GDPR compliance projects adopted at the time: let's focus on the things we can change quickly and easily, and tidy up the rest later. Data deletion was (and remains) tricky. It required persuading business teams to set retention periods in a way that often seemed arbitrary, and then trying to get budget for a major IT project to implement the necessary changes. So people put it to one side in the sprint to the GDPR finish line. For many organisations, it remains languishing in the “too difficult” box because data deletion isn't exciting or sexy and doesn't get headlines.

Data deletion still isn't getting headlines, but it is starting to get regulatory attention. Commentators on the CJEU's decision in the Deutsche Wohnen case in December last year focussed (understandably) on the circumstances in which an administrative fine can be imposed. But the situation which triggered the referral is just as interesting: the Berlin DPA was seeking to impose a fine of over €14 million for failures to delete tenant information. And this isn't an isolated decision. In January of this year the CNIL fined a real estate website €100,000 for an “indiscriminate” data retention period for some accounts and for failing to delete other accounts after the relevant period had expired. At the beginning of March the Finnish DPA fined an online retailer €856,000 for retaining customer account data for an indefinite period of time. It dismissed the justifications advanced by the company, including that some of its products had very long lifespans, and that it deleted data if a customer asked. The failure to set and implement appropriate retention periods is a central focus of all these cases, rather than a mere aggravating factor in, say, a data breach scenario. So if your retention policy is still sitting in the “too difficult” box, it's probably time to get it out.
