Are you managing personal data deletion correctly under the DPA and GDPR? Does everyone in your organisation know what to delete and when to delete? It might seem like an easy task but many still struggle with this. The deletion of 213,000 UK police records due to incorrectly flagged files for deletion is a good example of how staff members can handle data retention records improperly.
So how can you prevent the risk of incorrect data deletion? Read on to learn how to effectively combine information security and GDPR aspects of the UK Data Protection Act to manage data deletion the right way.
With GDPR there are two important principles regarding personal data that are relevant to this post:
- Minimise the amount of PII required
- Retain the PII for only as long as it is required
There are a number of different approaches you can take to comply with these principles, and I will discuss a few of them but let’s start with the basics.
Why is personal data deletion so important?
You may have had a valid business requirement for collecting and processing PII. Perhaps to support a marketing activity or to fulfil a contract. This data takes up storage space that has a cost associated with it. It also carries the risk of a data breach, which has a potential but unknown cost to the organisation.
There’s clearly a financial imperative to delete personal data at the earliest opportunity. Not only would it reduce the amount of storage space required but it would also eliminate the risk of an unauthorised data breach.
Some organisations may have a business justification for keeping some of the data for future activities or analysis. In this case, they should look at anonymising the data. It won’t reduce the bill for storage space, but it will eliminate the risk of a breach of personally identifiable information.
When should you delete the data?
This is an interesting question that some organisations are finding it hard to answer. With the advent of GDPR, there was a cultural shift from keeping all information forever to trying to identify when information can be safely deleted. This is not an easy undertaking as there may be many different reasons to keep information including legal and regulatory requirements.
Identifying appropriate retention periods for certain types of data is an exercise I would recommend for any organisation. They need to be aware of what business, legal and regulatory requirements they need to meet before attempting to impose any type of information retention schedule.
For data that is easily categorised (job applications, purchase records, pension information etc.) the appropriate retention period should be fairly easy to agree with the business stakeholders. The problem lies with unstructured data which is not so easily categorised. Chief amongst this will, of course, be email but it won’t be the only source of unstructured and uncategorised information.
People will send and receive emails on a range of different topics which means that their inbox (assuming they don’t file messages) might be subject to a range of data retention schedules. Emails about the canteen menu for next week will have a retention period of a week at most. However, the information in an email about changes to an existing contract may need to be retained for considerably longer.
What are the consequences of not deleting data?
One of the basic principles of the GDPR, and now our very own Data Protection Act is that personally identifiable information should only be kept for as long as necessary to meet a valid business or statutory requirement.
One of the consequences of not deleting data, which is often overlooked, is that the data may well be included in a subject access request. If your organisation is a public authority it may also be included in a Freedom of Information request. If your response to these requests contains PPI which is obviously being retained for no valid reason would be at the least embarrassing. The ICO would take a very dim view of your retention policies should a complaint be made.
Another consequence of not deleting data is that volumes of data will invariably grow. The storage of the data has an inherent cost associated with it. It goes without saying that the more you store the more it costs. Reducing the amount of data you store by deleting PII which is no longer required is not only good practice but might actually save you some money.
Changing work practices for good data management
Managing the deletion of personal data requires a significant change in working practices for many organisations which should not be underestimated. Deleting emails that are no longer required is one example that is easy to say but many users find it incredibly difficult to do.
Regardless of the difficulty deleting PII that is no longer required – it’s something that every organisation needs to do. In addition to reducing the risk of a data breach or the possibility of embarrassing data disclosure to the organisation it may also save you money.
If you are keeping PPI longer than you should, then it could be a sign of poor data hygiene and you know what that can now lead to. Implementing process and policies is one step to begin good data management. Followed by workshops and computer-based training to inform staff on data regulations and educate them to use correct procedures.
Additionally, as the end of the UK Data Protection adequacy decision transition comes to a close in June 2021, now is the time to ensure your organisation is adhering to UK and EU regulations in the case that adequacy is not granted. If you need assistance with bringing your PPI data protection programme in-line with the DPA and GDPR or with meeting other requirements, Risk Crew can help. And if you are unsure where to start, we can help with that too! Just request a complimentary data protection reality check. – The change starts with you. So, get started.
