In an age of incredibly cheap storage, there is little incentive for an individual to delete anything. “Just in case I need it...” drives away any thought of pushing that delete button.
Net result: Most organizations are now sitting on a massive pile of data and documents.
But data privacy regulations are changing this. Most privacy regulations require you to have a legitimate and declared business purpose for holding customer data. This means that if you have customer (or employee!) data lying around without a justifiable reason, you need to get rid of it to comply with privacy laws.
Some companies attempt to solve this problem by emailing their employees periodically and asking them to remove old documents/data. As with several issues in the data privacy domain, automation is the key to solving this. Let us take a look at what this automation looks like.
The Age of a Document Is Not a Reliable Guide
At first glance, it might appear that all you need is a tool that finds old, untouched files for you. Many products, therefore, just use the document's age to solve the issue of what to delete and retain. However, as the examples below illustrate, this approach can ultimately backfire.
The Necessity of a Workflow
Somehow, you figured out all this and now have a clear list of files/records that are candidates for deletion. Hit the delete button? Not so fast. Deleting data in such a top-down way is a bad idea. Instead, your tool needs a workflow for this. You need to ensure that:
- Each data owner reviews the deletion list.
- Their ‘OK’ on the proposed action on the data is captured. If a data owner makes a case for retaining the files instead of deleting them, the justification for that decision must be captured.
Remember to Quarantine the Data
Now, you are finally ready to get rid of this old data. Well, almost. It is a best practice to move the files to a special quarantine holding area for a safety period. This way, you can ‘undo’ things.
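A minimal sketch of the review-then-quarantine workflow described above, added here as an example and not taken from this post or any product. The function names, the decision format, the manifest layout and the 30-day safety period are all assumptions.

```python
import json, shutil, time
from pathlib import Path

SAFETY_PERIOD_DAYS = 30  # assumed value; the post does not state a length

def apply_decisions(candidates, decisions, quarantine_dir, now=None):
    """Act on owner decisions; files without a recorded decision are left untouched."""
    now = time.time() if now is None else now
    # Validate everything first so a bad record cannot leave a half-applied run.
    for path, d in decisions.items():
        if d["action"] not in ("delete", "retain"):
            raise ValueError(f"unknown action for {path}: {d['action']}")
        if d["action"] == "retain" and not d.get("justification", "").strip():
            raise ValueError(f"retain without justification: {path}")
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for i, path in enumerate(candidates):
        d = decisions.get(path)
        entry = {"path": path, "status": "pending_review"}
        if d is not None and d["action"] == "retain":
            entry.update(status="retained", owner=d["owner"],
                         justification=d["justification"])
        elif d is not None:
            dest = qdir / f"{i}_{Path(path).name}"  # index avoids name clashes
            shutil.move(path, str(dest))
            entry.update(status="quarantined", owner=d["owner"],
                         quarantined_as=str(dest),
                         purge_after=now + SAFETY_PERIOD_DAYS * 86400)
        manifest.append(entry)
    # The manifest is the audit record: who approved what, and where it went.
    (qdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def restore(entry):
    """The 'undo': move a quarantined file back to its original path."""
    shutil.move(entry["quarantined_as"], entry["path"])
    entry["status"] = "restored"

def purge_expired(manifest, now=None):
    """Permanently delete only entries whose safety period has elapsed."""
    now = time.time() if now is None else now
    purged = []
    for e in manifest:
        if e["status"] == "quarantined" and now >= e["purge_after"]:
            Path(e["quarantined_as"]).unlink()
            e["status"] = "purged"
            purged.append(e["path"])
    return purged
```

`restore` and `purge_expired` update the in-memory manifest only; a real tool would also persist those status changes to the audit record.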
As the examples in this blog show, retaining and deleting customer data in an automated and compliant manner must be done using the right solution and a thoughtful approach. The product or solution you choose can make the difference between being on the right side of the law and being on the radar of the privacy regulation authorities.
Any opinions expressed here and statements made are not legal advice, nor representations or warranties, and are intended to promote discussion around technology and data protection.