GDPR Requirements
Personal data must be stored in a form which permits identification of the data subjects only for as long as it is necessary for the purposes for which they are processed (Article 5(1)(e)).
Resulting Challenge
The storage duration of personal data must be defined. Once the purpose has been fulfilled, the personal data must be removed from the system, or the link between the data and the data subject must be removed in such a way that identification of the data subject is no longer possible. This is particularly difficult to achieve.
Technical Solution Approach
The data model must include a data lifecycle. The lifecycle is based on time and on attributes that declare a processing purpose. If the data is encrypted, irreversible deletion of the key is sufficient to make the data non-identifiable. Other anonymization mechanisms, such as Differential Privacy (Dwork 2008), are possible but extremely difficult to implement in practice.
Checklist:
- Is the data associated with a limited storage period (due to a specific purpose)?
- If anonymization is required: Is an appropriate anonymization mechanism in use to safeguard the stored data?
- If the data is encrypted: Is it possible to delete the encryption key irreversibly?
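The approach described above (a lifecycle bound to purpose and time, with key destruction rendering encrypted records non-identifiable) as a runnable illustration of the last checklist item; this is added example code, not from the original page. It assumes a constructed retention policy, one random key per data subject, and an HMAC-SHA256 counter-mode keystream as a standard-library stand-in for AES-GCM.

```python
import hashlib, hmac, os, secrets
from datetime import datetime, timedelta, timezone

# Constructed policy: each processing purpose justifies a storage period (assumption).
RETENTION = {"invoicing": timedelta(days=3650), "newsletter": timedelta(days=30)}

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode, a stdlib stand-in for AES-GCM (assumption).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

class SubjectStore:
    # Records stay in place; the per-subject key is what gets destroyed (crypto-shredding).
    def __init__(self):
        self.keys = {}      # subject_id -> key; in production this lives in a KMS/HSM
        self.records = []   # (subject_id, purpose, expires_at, ciphertext)
    def store(self, subject_id, purpose, data, now):
        key = self.keys.setdefault(subject_id, secrets.token_bytes(32))
        self.records.append((subject_id, purpose, now + RETENTION[purpose], encrypt(key, data)))
    def read(self, subject_id):
        if subject_id not in self.keys:
            raise KeyError("key shredded: data is no longer identifiable")
        return [decrypt(self.keys[subject_id], ct) for sid, _, _, ct in self.records if sid == subject_id]
    def expire(self, now):
        """Shred the key of every subject for whom no purpose still justifies retention."""
        done = [sid for sid in self.keys
                if all(exp <= now for s, _, exp, _ in self.records if s == sid)]
        for sid in done:
            del self.keys[sid]  # irreversible only if no copy or backup of the key survives
        return done

def demo():
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    db = SubjectStore()
    db.store("alice", "newsletter", b"alice@example.com", t0)  # constructed sample data
    db.store("bob", "invoicing", b"bob@example.com", t0)
    db.store("bob", "newsletter", b"bob@example.com", t0)
    shredded = db.expire(t0 + timedelta(days=31))  # newsletter purpose has lapsed for both
    return shredded, db
```

Bob's record is kept because his invoicing purpose still justifies retention; Alice's key is destroyed, so her ciphertext remains in the store but can no longer be linked to her.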