Can we comply with the storage limitation principle and international data retention regulations?

Privacy & Data Protection Category, Data & Data Governance Category
Design Phase, Input Phase, Deploy Phase, Monitor Phase
The principle of storage limitation, as stated in Article 5(e) of the GDPR, requires personal data to be stored only as long as necessary for the intended purpose. Similarly, many global privacy regulations, such as CCPA (California), LGPD (Brazil), and PDPB (India), impose strict rules on data retention and deletion. Do you have a clear understanding of how long you need to keep the data (training data, output data, etc.) and whether you comply with internal, local, national, or international retention requirements?

If you answered No, then you are at risk.

If you are not sure, then you might be at risk too.

Recommendations

  • Personal data must not be stored longer than necessary for its intended purpose. Compliance requires a clear understanding of the data flow throughout the model’s lifecycle.
  • Analyze all data types, including raw input data, training and testing sets, processed outputs (linked or merged data), and associated metrics. Understand where this data will be stored and for how long.
  • Define clear retention and deletion schedules, ensuring responsible individuals are assigned for managing data retention and disposal.
  • If data must be retained for auditing or quality purposes, anonymize it where possible to minimize privacy risks.
  • Stay informed about and comply with retention rules not only under GDPR but also under international frameworks such as CCPA (California Consumer Privacy Act), LGPD (Brazilian General Data Protection Law), and others. Retention and deletion policies should meet these diverse requirements.
  • Be aware that deleting data from a trained model is inherently challenging, as input data influences the model's internal representation during training. Consider legal implications for the model itself, as encoded thresholds and weights may also be subject to retention laws. Source: BerryvilleiML