Data Privacy | Regulations | Laws | Frameworks
Data & Mores Complice Service (DMCS) supports a wide range of legal frameworks, from the European GDPR over the Canadian PIPEDA to the Chinese PIPL. At the heart of all data privacy lies the assumption that data belongs to individuals and that organisations are merely caretakers of that data. With that understanding, it becomes clear that all Personal Data must have a retention period – and must be deleted before it becomes illegal to keep.
GDPR was the first major Data Privacy legislation that, due to its overall reach, has impacted nearly all global Data Privacy legislation. However, as cited below, it is essential to note that GDPR is rooted in the Charter of Fundamental Rights of the European Union.
Below, we have outlined ten regulatory retention frameworks that DMCS supports out of the box.
1. EU: General Data Protection Regulation (GDPR):
Under the GDPR, data retention is a critical aspect of ensuring compliance. Organisations must establish clear data retention policies that determine the period for which personal data can be stored. The principle of data minimisation is emphasised, meaning that personal data should only be retained for as long as necessary for the specified purpose. Organisations must document their retention periods and inform individuals how long their data will be stored. The GDPR also requires organisations to implement appropriate security measures to safeguard retained data during storage.
2. US: California Consumer Privacy Act (CCPA):
The CCPA grants consumers the right to request the deletion of their personal information held by businesses. As a result, organisations must establish data retention policies that align with these rights. While the CCPA does not specify a specific retention period, it emphasises the need for organisations to inform individuals about their data retention practices. Businesses must disclose the categories of personal information collected, the purpose of collection, and the period for which the data will be retained. Compliance with data retention policies and timely deletion of data upon request is crucial to meet CCPA requirements.
3. Canada: Personal Information Protection and Electronic Documents Act (PIPEDA):
PIPEDA requires organisations to have clear and reasonable data retention policies. It emphasises the importance of limiting the retention of personal information to only what is necessary to fulfil the identified purposes. Organisations must specify how personal data is collected and retained and communicate these purposes to individuals. Furthermore, PIPEDA mandates that organisations must have guidelines and procedures for destroying or anonymising personal information when it is no longer required for the identified purposes.
4. Brazil: General Data Protection Law (LGPD):
The LGPD recognises the importance of data retention policies to ensure the protection and privacy of personal data. It requires organisations to establish specific purposes for data processing and to retain data for the necessary duration to achieve those purposes. Organisations must inform individuals about the retention period and the criteria used to determine the duration of data storage. Additionally, the LGPD emphasises the need for appropriate security measures to protect retained data and prevent unauthorised access or disclosure.
5. Singapore: Personal Data Protection Act (PDPA):
Under the PDPA, organisations must establish data retention policies that align with the purpose of collection. Personal data should not be retained longer than necessary to fulfil the stated purposes, and organisations should document their retention periods. The PDPA also emphasises the importance of implementing appropriate security measures to protect retained data from unauthorised access, disclosure, or loss.
6. Australia: Privacy Act (APA):
While the Australian Privacy Act does not explicitly outline specific data retention periods, it emphasises the principle of data minimisation. Organisations are expected to establish data retention policies that ensure personal information is only retained for as long as necessary to fulfil the identified purposes. Furthermore, the Act highlights the need for organisations to implement appropriate security safeguards to protect retained data from unauthorised access, misuse, interference, loss, or disclosure.
7. US: Health Insurance Portability and Accountability Act (HIPAA):
HIPAA includes provisions regarding data retention in the healthcare sector. Covered entities and business associates are required to retain protected health information (PHI) for specified periods to meet legal and business requirements. HIPAA does not provide a specific retention period but emphasises the need to implement policies and procedures for data retention and disposal. Organisations should consider state and federal laws when establishing data retention policies for PHI.
8. UK: Data Protection Act:
The Data Protection Act 2018, in conjunction with the GDPR, requires organisations to have data retention policies in place. Personal data should only be retained for as long as necessary for the specified purposes. The Act emphasises the need for organisations to inform individuals about the retention periods and the criteria used to determine the duration of data storage. Additionally, appropriate security measures must be implemented to protect the retained data.
9. China: Personal Information Protection Law (PIPL):
The PIPL in China mandates organisations to establish data retention policies for data processing purposes. Personal information should only be retained as long as necessary to fulfil the specified purposes. Organisations must inform individuals about the retention period and the criteria used to determine data storage duration. The law also requires organisations to implement security measures to protect retained data from unauthorised access, disclosure, or loss.
10. India: Personal Data Protection Bill (PDPB):
The proposed PDPB in India emphasises the importance of data retention policies. Organisations must establish retention periods based on the purposes of data processing. Personal data should not be retained longer than necessary to fulfil the specified purposes. The PDPB requires organisations to inform individuals about the retention periods and to implement appropriate security measures to protect retained data.
As always, do read the sources – go zero trust.