6 tips to help you comply with GDPR guidelines
The European Union’s General Data Protection Regulation (GDPR) has been in force since May 2018. This is a comprehensive data protection regulation that obliges companies to protect personal data and ensure that this data is stored and processed in an appropriate manner. This is important to ensure that personal data is handled sensitively and that third parties do not gain access to private information. The GDPR also protects against data misuse.
An important aspect of the GDPR concerns the deletion of data. Companies are obliged to delete personal data at the request of the data subject, unless there are legal or other reasons that prevent deletion. It is therefore important that companies are able to delete personal data when necessary. Failure to comply with this deletion obligation can result in heavy fines.
Data must always be deleted if the data subject withdraws their consent to data processing or if the purpose for which the data was collected no longer applies. However, where statutory retention obligations apply, they prevent deletion. The regulations on storage and deletion always depend very much on the company in question, so you should obtain comprehensive information in this regard.
Without a well-thought-out concept for deleting data, complying with the regulations can be very time-consuming. In addition, it is easy to lose track of large amounts of data. A deletion concept tailored to your company will save you time and stress.
Our checklist shows you what you need to bear in mind:
So how do I go about deleting data?
First of all, you should be clear about what data you have stored and where. Then categorize it according to the retention period. Next, define deletion rules according to which the data is removed from your systems in a timely manner. It often makes sense to define separate deletion rules for individual departments. After that, select the deletion method; it must ensure that the data is deleted completely and irretrievably. Finally, check whether the deletion process was successful and notify the persons concerned of the deletion.
You can use a software solution to automate the process for your company. For example, you can identify resources that contain or process personal data and define a purpose for them. Cleanup functions can also help you to clean up redundant data and automatically comply with deletion deadlines.
Official EU guidelines
There are also official guidelines from the EU Commission on the GDPR, which are intended to support companies with implementation. However, these guidelines are not binding and cannot cover all possible use cases and questions. For example, the EU Commission has published guidelines on data protection impact assessments, which are intended to help companies identify and minimize risks in connection with the processing of personal data. Another guide concerns the role of the data protection officer.
In addition, there are national data protection authorities in many countries that also publish guidelines and recommendations. In Germany, for example, the Federal Commissioner for Data Protection and Freedom of Information (BfDI) has published several guidelines and information to support companies in implementing the GDPR. However, it is important to note that there is no one-size-fits-all solution for implementing the GDPR, as this depends on various factors such as the type of data processed, the type of organization and the size of the company.
Companies should therefore carry out a comprehensive risk assessment and take individual measures to ensure compliance with the GDPR.
Conclusion
The deletion of personal data is an important aspect of the GDPR. Companies should ensure that they have a standardized procedure for deleting personal data and that they comply with all necessary legal requirements.
Through employee training, process monitoring and access controls, companies can ensure that they comply with data protection regulations and can delete personal data properly.


