Like it or not, spring cleaning season has arrived. Whether you’re the type to declutter your closets like Marie Kondo or are more likely to tidy a few shelves and call it a day, it’s important to remember that your organisation’s data is also likely due for a thorough clearing out.
Disposing of personal data no longer needed or required for business purposes is not only good practice but a regulatory obligation for most organisations today. Like many cleaning projects, this may seem simple on the surface, but in reality, there are often layers of built-up clutter and disorganisation that can make the task a rather tricky undertaking. Now is the perfect time to roll up your sleeves and take a closer look at the data mess your organisation may be avoiding.
Under most global data protection regulations, organisations may retain personal data for only as long as reasonably necessary and for the purposes they specified in their privacy notices or consent disclosures. These parameters should be clearly defined in a retention policy, with specifications around which types of personal data your business processes, for what purposes, how long each should typically be kept and under what circumstances they are permitted to be held for longer. Your retention policy should also document legal, regulatory and business requirements to retain data based on jurisdiction and industry obligations.
Clearing Out Data According to Retention Periods
Below are some initial steps that should be followed to ensure data is properly “cleaned up” when it has reached its defined retention period:
- Identify the relevant records that have reached the end of their retention period.
- Notify the relevant business owner to determine if there is a need to extend the retention period.
- Ensure no legal holds are in place that require data to be retained regardless of retention periods.
- Consider any changes in circumstances that may justify prolonged retention.
However, these tasks may be complex to complete if you do not already have a strong governance approach with supporting technology and/or processes established. If this is the case, it could be a good opportunity to pilot your spring clean within a department or team as a step toward developing more formal processes and procedures.
If you do not have automated disposal tooling in place, one of the first activities will be to determine what action to take with data that has reached the end of its retention period and is no longer of value to your organization. This is likely to include the default option of deleting digital records from the systems in which they are stored and/or or securely destroying physical records or potentially moving data to long term archiving. In some circumstances, the organisation may opt to anonymise the data, so that it no longer contains personal information but can still be used for business purposes and analytics. Whatever action is taken must be documented, so the organisation has evidence that retention policies are being consistently followed and enforced.
Managing Data Deletion
Organisations must take care in how data is deleted, especially in structured applications, to avoid impacting functionality in the live system. One solution is to use available software capabilities for deleting data, which may involve removing whole records from a dataset or overwriting them. If personal identifiers are overwritten, the data will be rendered unrecoverable, and therefore no longer classed as personal data. Teams using this deletion process should be sure to include backup copies. Whilst personal data may be deleted from live systems, it will normally still remain within the backup environment until it is overwritten.
If backup data cannot be immediately overwritten, it must be placed “beyond use,” i.e., not used for any other purpose and held only until replaced in line with an established retention and deletion schedule. The U.K.’s Information Commissioner’s Office (ICO) will accept that data is “beyond use” if the data controller:
- Is not able, or will not attempt, to use the personal data to inform any decision about any individual or in a way that affects any individual.
- Does not give any other organisation access to the personal data.
- Has in place appropriate technical and organisational security.
- Commits to permanently deleting the information if, or when, these requirements can no longer be maintained.
Considerations for Anonymising Data
In some cases, it may be preferable to anonymise data, which allows the organisation to remove personal identifiers from records, but continue leveraging other valuable information within them. To be clear, anonymisation is the process of removing all information that could be used to identify a living person, so the data that remains can no longer be attributed back to any unique individual. Once personal identifiers are deleted, data protection laws do not apply to the anonymised information that remains—as long as the records are truly anonymised, organisations may continue to hold and use them without the risk of violating data protection laws.
Scenarios in which anonymisation may be preferable include:
- To continue providing management or historical analysis from a large set of records.
- For marketing campaign reporting and analysis across certain segments, customer sentiments, feedback categories, etc.
- As documentation of employment practices and equal opportunity recruiting and hiring across specific demographics.
It’s important to note that the ICO has issued warnings regarding data anonymisation. It states that if an organisation or person could at any point use any reasonably available means to re-identify specific individuals from an anonymised data set, then the data is classified as pseudonymised, not anonymised, and thus must still be treated as personal information. While pseudonymising data does reduce the risks to data subjects, in the context of retention it is not sufficient justification to keep personal data for longer than necessary or for reasons other than its original intended purposes.
Be Thorough: Physical Records and Unstructured Data
Destruction is the final action for most organisations’ physical records, and may be carried out by shredding, pulping or burning paper documents. This is likely the best course of action for physical documents when the organisation no longer needs to keep personal information or an anonymised version of it. This process can be managed in-house or through a third-party, but no matter the approach, must be documented in a disposal schedule that can be provided to authorities in the event of an investigation or litigation. When third parties are involved, they will be considered a data processor under law, and therefore must be governed by a contract that includes the full extent of required data protection clauses, including those that apply to physical documents.
Retention policies and practices must also account for unstructured data (such as emails, chat messages, documents and call recordings) that contains personal identifiers. Unstructured data records can be particularly challenging and often require the use of advanced analytics tools that can identify personal data and records of business so they may be reviewed and remediated according to policy. It is estimated up to 60% of unstructured data is duplicate, redundant, obsolete or trivial and could be disposed of by organisations, reducing not only data risk, but IT infrastructure and storage costs.
A Clean and Orderly Data House
Achieving a sparkling clean data environment requires an organised approach and some heavy lifting, which is more effective with the support of effective technology solutions. With a clear plan and teamwork across legal, privacy, compliance, IT and business users, data retention policies can be established and properly maintained and also implemented across differing data sets. Through methods such as deletion, anonymisation and physical destruction, organisations can avoid an accumulation of personal data clutter and reduce unnecessary risk.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.