One of the key principles of GDPR is Data Minimisation. Additionally, it makes it clear that data collected with one specific purpose cannot be repurposed for another.

Whilst the jury’s still out on whether or not CDRs would always constitute personal data for the purposes of the Regulation, it’s clear that -in some cases – it would, and therefore we’re making a few changes to our data retention processes.

Effective 22nd May 2018, CDRs will be available via the portal and API for a period of the last 90 days only.

CDR Storage at Simwood

Currently, your CDRs are stored in our database and made available via the Simwood Portal and API. You can query CDRs going back many years, in most cases to when you opened an account with us.

Most customers, however, only query their recent CDRs. This makes sense, as presumably most are using our API to retrieve the CDRs and store them locally in their own database.

Indeed, so far this year, we have processed only eight requests for CDRs, older than 60 days, and only four older than 90 days.

We ‘archive’ old CDRs, and they move to another database, but they’re still readily available via the portal and API so for all intents and purposes there is no change for the users’ perspective.

Changes from 22nd May 2018

From 22nd May 2018 the API will actively reject any requests for CDRs that are older than 90 days.

We will, however, retain all archived CDRs for a period of 12 months, and thereafter either delete them or retain them in a redacted form for a period of six years. In the redacted form the last four digits of the Source and Destination numbers will be removed.

We are confident that, in this form, the CDR can no longer be considered personal data.

For example, a call from 03301223000 to 07700900123 would become a call from 0330122#### to 0770090#### which doesn’t identify either party.

Access to Historic CDRs

At present, there are no plans to provide access to the historic CDRs via the portal or API. If there is demand for this we may review this in the future.

Getting ready for GDPR

Many of the principles of GDPR are relatively small changes from the outgoing Data Protection Act and the framework of Data Protection it required, however it’s worth reviewing what information you store and how long you need to keep it for.

Storage is cheap these days, even with SSDs, and there’s less emphasis on using it efficiently as there may have been in the past. Modern platforms and systems tend to generate excessively verbose logs, and store data for way longer than necessary.

This is as good an opportunity as any to review and audit your own logs, and data retention.

The usual disclaimer applies; we’re not lawyers and this is not legal advice. We strongly recommend you seek your own legal advise regarding concerns you may have regarding GDPR compliance or any other regulatory issues.