Delete or Encrypt?

The GDPR stipulates that personal data must be deleted once the purpose for which it was stored has expired. However, there may be external reasons for occasionally accessing the data after that point. In such cases the data could be retained, but in encrypted form.

Encrypting the data has the following advantages:

  • the data can’t be accessed by staff, provided the decryption key is held separately from the data
  • it reduces the company’s liability in case of a data breach
  • it allows the data to be decrypted and accessed if the need arises

One example of an external reason for access is auditing – an auditor may want to trace where goods have been sold or purchased, and may require this information up to 7 years after the sale or purchase.

An example:

  • A retailer stores information about sales – which products were sold to which customers, along with the customers’ contact details. The customers’ information is stored for two purposes: delivery of the goods and the return of goods within the warranty period. The longer of the two retention periods is the one for warranty returns. This retailer has a 12-month warranty period, so the customers’ data should only be stored for 12 months. However, the company also has a responsibility to keep a record of the sales for up to 7 years for auditing purposes. In this instance the company may encrypt the data after 1 year of storage and retain it in encrypted form for up to 7 years. The company can then delete the customers’ information 7 years after the sale or purchase.