A strategy for data deletion

Prior to GDPR, data protection officers (DPOs) were something of a rarity. However, we’re starting to see more and more DPO roles crop up across industries. The reason behind this is obvious. In 2019 alone, the newly empowered ICO has levied fines in excess of £300 million against companies for breaching data protection law. The cost of non-compliance is now very real, and organisations face strict financial penalties for failing to uphold strong data protection practices.

 

In order to avoid such fines, DPOs need to ensure that their organisations understand what GDPR means and how it affects them. For many, responding to subject access requests (SARs) – i.e. customer requests for their personal data – seems the most pressing issue. However, compliance doesn’t end there. The latest data protection regulations state that businesses must implement all measures necessary to protect customer, employee and partner data.

 

When it comes to data protection, deletion needs to be a key consideration. The idea of it is frightening for most organisations who worry about getting rid of a vital piece of information that they may need at a later date. However, the reason for this fear is a lack of insight into what data they have and the value it holds. To implement strong data retention and deletion policies, insight into the data you own and its value, along with the confidence to know what you can delete and when, are fundamental. Yet, in today’s highly fragmented IT environments, insight and confidence are in short supply. The data protection officer (DPO) has both an opportunity and a duty to step in.

 

Data management in the dark

The root of the problem is that enterprises are struggling to adapt their IT environments to a regulatory paradigm they weren’t built for. Established businesses, which have existed long before GDPR passed into law, were under no legal obligation to protect the bulk of the data they collected. As a result, databases grew in number, size and complexity while data management was rarely treated as a priority. Many now face the challenging task of making their opaque, legacy IT infrastructures compliant.

 

The arrival of the cloud has offered an opportunity for many to centralise all data in a single, secure location. However, this is not feasible for everyone. A great deal of data, such as paper and handwritten records, are not easily digitised, while other business-critical data needs to remain on-premises. Much of it belongs to loyal, long-serving customers who have been with their service provider for decades: you simply can’t make that data disappear.

 

Furthermore, the growing popularity of hybrid and multi-cloud environments – where data is stored across a range of physical and multiple cloud environments – means that data will still exist in multiple, often disparate locations in an organisation for years to come.

 

This has created a quandary for employees. Staff regularly struggle with an overabundance of data sources and tools, while also coping with a lack of data strategy and backup solutions. As a result, more than a third (36 per cent) of IT leaders say their employees are less productive due to siloed data management practices and, on average, spend two hours a day searching for the data they need. 

 

Many IT and data managers are too afraid to pare down their data banks for fear that they might lose something precious in the process. Old data can be a valuable source of customer insight, and if a customer makes a SAR you must be sure you can respond to it within the timeframe required. Consequently, databases are only getting larger, harder, more expensive and dangerous to manage.

 

The longer an IT manager abstains from deleting data, the more likely it is to go ‘dark’, evade protection and risk falling into the hands of a cybercriminal. The contract with the customer is broken and the organisation then faces the prospect of a GDPR fine, or worse, irrevocable reputational damage.

 

Taming the database

To ensure compliance and the safety of organisational data, a fresh approach to data management is needed. Data management can no longer be treated as a low priority, back office function – it’s now integral to compliance and corporate reputation. Achieving progress will require change from within an organisation, both operational and cultural, but it also requires leadership. Yet whose responsibility is it to drive these efforts?

 

Considering the risks posed by an absence of data responsibility, it should absolutely come under the purview of the organisation’s DPO or chief data officer. They should take a leading role in guiding deletion strategy and resolving the data management challenges that frustrate it. However, while the DPO usually holds the responsibility for protecting data, they too often lack the power to do much about it.

 

Despite their importance, the DPO is a relatively new position at many companies, often introduced in the lead up to or the aftermath of GDPR. While organisations have taken various approaches to the position, all too often the DPO will meet resistance from concerned stakeholders and be overruled by the board.

 

Empowering the DPO to seek out data abuse and oblige data responsibility is crucial for any organisation that is serious about deletion and protection. There are numerous, critical areas where the DPO can and should have an impact:

 

• Workforce education: Databases often fragment or bloat because employees lack strong guidelines – they’ll neglect to label data correctly or decide to save an extra copy just to be safe. The DPO can step in here, training employees in the correct use of metadata and discouraging unnecessary copying.

 

• Data management: The DPO should lead a programme of improving visibility through superior data management. They do this by encouraging the adoption of data management tools that help systems and employees see what data they have and where. By bringing together and explaining their information, organisations can make informed decisions on what data to keep and what to delete.

 

• Automation advocacy: Once an organisation has complete visibility, the DPO can encourage the uptake of automation tools, allowing the company to roll out decisions and policies across its entire data estate. Data can be automatically classified on upload, reducing error and improving accuracy down the line. To reduce risk, data can also be expired after a set period of time. This stops the buildup of unclassified and vulnerable dark data that’s prone to emerge over time.

 

Deletion should be a key part of any effective data protection strategy. However, you can’t expect employees to effectively retain and delete data without the insight and confidence that comes from data visibility and enforced internal policies. The evolving role of the DPO should include imparting knowledge, insight and confidence on employees through well-considered data retention and deletion policies that have buy-in from leadership, and the latest data management tools that help make processes seamless. By doing this, DPOs will set new standards for data deletion and ensure their business stays on the right side of data protection regulations.