SirAllCaps | 2 years ago

At my company (not finance, and never gotten sued), documents are ephemeral primarily due to GDPR reasons.

Many of them contain various personal data of clients and/or employees; legal makes us specify for how long each service needs to hold on to it, and purge as soon as possible to minimize the chance of leaks.

rdtsc|2 years ago

It’s a funny intersection of hold requirements. Litigation and one set of compliance requires holding records for at least this much time, GDPR and other such things require keeping records no more than some particular time. I haven’t seen the case when the intersection is an empty interval. But I imagine then one would choose to justify breaking one of the least important ones.

wizzwizz4|2 years ago

GDPR Article 6, 1(c):

> Processing shall be lawful […] if […] processing is necessary for compliance with a legal obligation to which the controller is subject;

rodgerd|2 years ago

It's where being able to have strong guarantees about how customer data is being used becomes critical.

I'm required to keep evidence about your KYC information and your financial transactions for compliance purposes for (e.g.) 7 years after you stop doing business with me. If I'm using them for that purpose I'd be in the clear GDPR-wise.

However, the day I break off doing business with you I need to stop using them for marketing or sales leads - that would be a GDPR breach.

Where I suspect it will get very messy for companies is the sexy new "hoover all the data into ML models" is going to come a GDPR cropper because I doubt most of the people doing it can show that they purged it when their relationship with the data owner ended, if they even had one in the first place. They're sure as fuck violating copyrights all over the place.