Don’t make yourself an easy target
In the last blog post we focused on the consequences of data breaches. If personal data can be compromised by unauthorized access and disclosure, keeping it beyond its useful life is a risk in itself. Whether you are a small company or a larger enterprise, one thing is for sure: you cannot risk strangers with bad intentions getting their hands on your data. So, what’s the point in keeping it if it doesn’t “spark joy” anymore? Jokes aside, your computers may be holding PII of former employees and ex-customers, along with confidential financial records; about a third of the data you store is likely redundant, obsolete or trivial. Acknowledging how critical it is to get rid of it is a good start, provided it’s done the right way.
Trying to right a wrong
Many mistakenly believe that deleting files will remove them for good from the hard drive, leaving no trace. Well, bad news: that’s not how it works. Emptying the recycle bin or trash can does not prevent files from being retrieved; it simply makes them invisible to the operating system, which no longer knows how to find them, while their content remains recoverable until it is overwritten or destroyed. If you don’t handle data properly, it’s like you’re telling hackers and identity thieves that it’s okay to steal information from you and those you do business with. The truth is that such a threat could be easily avoided with safer data deletion practices. Besides, implementing an effective ad hoc procedure is now required by law.
Time to update your data retention policy?
In a world that increasingly functions through blockchain, designed to record everything permanently, how can a person protect their privacy? In order to increase data subjects’ control over what companies can do with their data, the GDPR regulates the “right to be forgotten”, which gives people a say in the retention of personal information collected on them. However, the rightful request must be weighed against business needs and duties: it’s up to companies to find a workable compromise between a person’s right to have their data erased and the legal obligation to retain a record of a relationship with a person once that relationship has ended (if applicable) or the possible need for information in the event of future legal claims. When none of these situations occurs, two GDPR principles must be kept in mind in setting the retention periods:
- Data minimization: the less data you have, the less you have to protect. The collection must be limited to what is strictly necessary to accomplish specified and legitimate purposes.
- Storage limitation: don’t keep data for longer than you need it. Personal data must be stored in a form which permits identification of subjects for no longer than is necessary for the agreed purposes.
Small steps can be a total game-changer for your IT security:
- Identify and localize all personal information held by your company to classify data and define deletion rules per category.
- Inform data subjects about how long their data will be stored, how consent can be withdrawn, what rights they can exercise and how.
- Keep the personal data for only as long as necessary: if the data refers to employees, you only need it as long as the employment relationship and related legal obligations last; if it belongs to customers, you should not keep it beyond the term of the business relationship and related legal obligations (unless otherwise required by law).
- Keep a record of the retention periods and the basis for them.
- When data is no longer necessary, make sure to actually delete every single piece of information relating to a person – on every file, folder, register, database, mailing list and any back-up server.
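The steps above can be turned into a recurring check over a data inventory. The following Python sketch is an added example, not Penneo's code: the rule table, the `Record` fields, the retention periods and the sample inventory are all hypothetical, constructed values. It applies a per-category deletion rule, honours the legal-claim exception, flags unclassified data for review, and lists every location holding an expired copy of a subject's data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical retention register: category -> (days kept after the relationship
# ends, documented basis). Periods are constructed sample values, not legal guidance.
RETENTION_RULES = {
    "employee": (5 * 365, "employment relationship and related legal obligations"),
    "customer": (3 * 365, "business relationship and related legal obligations"),
    "mailing_list": (0, "consent, deleted once withdrawn"),
}

@dataclass
class Record:
    subject_id: str
    category: str
    location: str                       # database, mailing list, back-up server...
    relationship_ended: Optional[date]  # None while the relationship is ongoing
    legal_hold: bool = False            # possible need in a future legal claim

def classify(record, today):
    """Return (action, reason), where action is 'retain', 'delete' or 'review'."""
    rule = RETENTION_RULES.get(record.category)
    if rule is None:
        return "review", "no deletion rule defined for this category"
    days, basis = rule
    if record.legal_hold or record.relationship_ended is None:
        return "retain", "legal hold" if record.legal_hold else basis
    expires = record.relationship_ended + timedelta(days=days)
    if today >= expires:
        return "delete", f"retention period ended {expires.isoformat()}"
    return "retain", f"{basis} (until {expires.isoformat()})"

def deletion_plan(records, today):
    """Map each data subject to every location holding an expired copy."""
    plan = {}
    for rec in records:
        if classify(rec, today)[0] == "delete":
            plan.setdefault(rec.subject_id, []).append(rec.location)
    return plan

TODAY = date(2024, 1, 1)  # constructed reference date
SAMPLE = [                # constructed sample inventory
    Record("emp-17", "employee", "hr_database", date(2017, 6, 30)),
    Record("emp-17", "employee", "backup_server", date(2017, 6, 30)),
    Record("cust-08", "customer", "crm", date(2019, 1, 1), legal_hold=True),
    Record("cust-08", "mailing_list", "newsletter_list", date(2023, 12, 1)),
    Record("cust-99", "web_form_export", "shared_folder", None),
]
```

Calling `deletion_plan(SAMPLE, TODAY)` returns the locations to purge per subject, including the back-up copy; the record in an unknown category comes back from `classify` as `review` rather than being silently kept.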
For data stored in cloud applications, companies usually have to rely on the provider to carry out the deletion. Given that, one last but crucial piece of advice is to rely on compliant service providers if you need to sub-contract processing of personal data. Penneo, as your trustworthy data processor, has implemented a deletion policy for all customer data; it involves both deletion through the customer-facing interfaces in the production environment and hard deletion (including all revisions of a document).
At Penneo, we are committed to facilitating the exercise of individuals’ rights and ensuring their effectiveness. When a data subject submits a request (using the form on our website) and specifies their wish to exercise one of their rights, our Support Team gathers more information to act promptly and our DPO performs the necessary actions to satisfy the request, which is usually fulfilled within a week.
Better be safe than sorry
The bottom line is that just having a presence online makes you a potential target of cybercrime. Putting an adequate data deletion policy in place is a great defence, as well as a key aspect of a forward-thinking data management strategy. How foolish would it be to fail to comply when you didn’t even need the lost data in the first place? Not to mention the benefits in terms of storage optimization and risk minimization. There’s plenty of human-produced data that you don’t get any value from, and keeping it is only potentially harmful; what’s more, the information you don’t hold doesn’t need to be checked for compliance, disclosed in a GDPR subject access request or apologized for after a data loss.
Build a deeper compliance awareness in your company. It will improve your security profile, with benefits for both your business and the individuals it is intended to protect.