Data cemetery and LGPD: limiting data storage
Posted: Thu Jan 30, 2025 9:55 am
By Jean Carlo Jacichen Luz
Data lakes and data graveyard
Under the regulation of the General Personal Data Protection Law (LGPD – Law No. 13,709/2018) , personal data cannot be processed for longer than necessary, which means that the life cycle of personal data in the organization's processing operations must necessarily come to an end.
In line with the European regulatory model established by the General Data Protection Regulation, personal data will only be kept for the period necessary for the purposes for which they are processed (principle of limitation of storage – article 5,.
Therefore, the indefinite and unjustified maintenance of personal data constitutes an illegal practice, which seems to be a rule in current thinking, which is only concerned with making its databases more robust, but which tends to be broken, with great difficulty, it must be said, over the next few years in the search for compliance with the LGPD.
It turns out that many organizations end up forming instagram data true “data cemeteries”, originally intended to be data lakes, that is, huge banks and repositories of unnecessary information with no specific purpose of use, which do nothing more than increase the organization's risks and costs.
The law dictates that personal data should not be kept for longer than necessary, but how long is that?
The open question seems to leave the responsibility for creating its data retention policy to the organization, observing, of course, certain legal criteria. Thus, it is up to the organization – the data processing agent – to establish and manage this life cycle, paying attention to the storage periods of personal data, because keeping unnecessary personal data is attracting unnecessary responsibility, but keeping data for a shorter period of time can also be a complication.
This article is dedicated to raising some of the relevant issues to be considered for this aspect of LGPD compliance.
Data lakes and data graveyard
Under the regulation of the General Personal Data Protection Law (LGPD – Law No. 13,709/2018) , personal data cannot be processed for longer than necessary, which means that the life cycle of personal data in the organization's processing operations must necessarily come to an end.
In line with the European regulatory model established by the General Data Protection Regulation, personal data will only be kept for the period necessary for the purposes for which they are processed (principle of limitation of storage – article 5,.
Therefore, the indefinite and unjustified maintenance of personal data constitutes an illegal practice, which seems to be a rule in current thinking, which is only concerned with making its databases more robust, but which tends to be broken, with great difficulty, it must be said, over the next few years in the search for compliance with the LGPD.
It turns out that many organizations end up forming instagram data true “data cemeteries”, originally intended to be data lakes, that is, huge banks and repositories of unnecessary information with no specific purpose of use, which do nothing more than increase the organization's risks and costs.
The law dictates that personal data should not be kept for longer than necessary, but how long is that?
The open question seems to leave the responsibility for creating its data retention policy to the organization, observing, of course, certain legal criteria. Thus, it is up to the organization – the data processing agent – to establish and manage this life cycle, paying attention to the storage periods of personal data, because keeping unnecessary personal data is attracting unnecessary responsibility, but keeping data for a shorter period of time can also be a complication.
This article is dedicated to raising some of the relevant issues to be considered for this aspect of LGPD compliance.