According to Swiss data protection law and the EU GDPR, companies are obligated to delete personal data as soon as it is no longer needed – a central component of the principle of data minimisation. However, putting this requirement into practice poses major challenges for many companies. In a case study, we examine how Swiss insurers have overcome this hurdle and provide transferable insights for other companies with complex IT landscapes.
Initial Situation and Challenges
The legal requirement to retain personal data only as long as necessary has been established in law for years, but the priority of this requirement has only increased in recent years, presenting insurers with new challenges:
- Swiss insurers take “data minimisation” seriously
- Data minimisation presents a multifaceted challenge for companies
- Data minimisation is particularly an architectural challenge
- At the beginning, the assignment of responsibilities must be clarified
Conceptualization
The first step is to develop a company-wide deletion concept, including a deletion architecture:
- The deletion concept phase lays the foundation for implementation
- The deletion concept translates legal requirements into actionable rules
- Insurers opt for “central deletion orchestration”
Implementation
After conceptualization, implementation in the applications can take place, and where not yet done, retention periods must be identified:
- Implementation takes several years
- Anonymisation is more complex than deletion
- Reporting and analytics applications are a particular challenge
- Implementation introduces the new risk of incorrect deletion
